├── .cfnlintrc ├── .gitmodules ├── .taskcat.yml ├── CODEOWNERS ├── LICENSE ├── LICENSE.txt ├── NOTICE.txt ├── README.md ├── ci ├── aurora_postgres-master-v10-6.json └── taskcat.yml └── templates ├── aurora_postgres-main.template.yaml └── aurora_postgres.template.yaml /.cfnlintrc: -------------------------------------------------------------------------------- 1 | templates: 2 | - templates/* 3 | 4 | # Used by cfn-lint GitHub Action 5 | ignore_checks: 6 | # W4002: As the resource "metadata" section contains reference to a "NoEcho" parameter DBMasterUserPassword, CloudFormation will display the parameter value in plaintext 7 | - W4002 8 | # E3012: Property Resources/EFSCname/Properties/TTL should be of type Long 9 | - E3012 10 | # E1001: Top level template section tests is not valid 11 | - E1001 12 | # W3011: Both UpdateReplacePolicy and DeletionPolicy are needed to protect Resources/EncryptionKey from deletion 13 | - W3011 14 | # E3029: You cannot specify CopyTagsToSnapshot for Aurora AWS::RDS::DBInstance at Resources/AuroraDB3/Properties/CopyTagsToSnapshot 15 | - E3029 -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "submodules/quickstart-aws-vpc"] 2 | path = submodules/quickstart-aws-vpc 3 | url = https://github.com/aws-quickstart/quickstart-aws-vpc.git 4 | branch = main 5 | [submodule "submodules/quickstart-linux-bastion"] 6 | path = submodules/quickstart-linux-bastion 7 | url = https://github.com/aws-quickstart/quickstart-linux-bastion.git 8 | branch = main 9 | -------------------------------------------------------------------------------- /.taskcat.yml: -------------------------------------------------------------------------------- 1 | project: 2 | name: quickstart-amazon-aurora-postgresql 3 | shorten_stack_name: true 4 | owner: quickstart-eng@amazon.com 5 | package_lambda: false 6 | regions: 7 | - us-west-2 8 | - 
ap-south-1 9 | - eu-west-1 10 | - eu-north-1 11 | - us-east-1 12 | - ca-central-1 13 | - ap-northeast-1 14 | - ap-southeast-1 15 | - us-east-2 16 | - eu-west-2 17 | - eu-central-1 18 | - us-west-1 19 | - eu-west-3 20 | parameters: 21 | AvailabilityZones: $[taskcat_genaz_2] 22 | DBMasterUserPassword: "Ae6ii5fcckj4ddi0t!" 23 | DBMasterUsername: "pgadmin" 24 | EnableEventSubscription: "false" 25 | EnableBastion: "false" 26 | KeyPairName: $[taskcat_getkeypair] 27 | QSS3BucketName: $[taskcat_autobucket] 28 | QSS3BucketRegion: $[taskcat_current_region] 29 | RemoteAccessCIDR: 10.0.0.0/16 30 | tests: 31 | aurora-postgresql-14: 32 | parameters: 33 | DBEngineVersion: "14.5" 34 | template: ./templates/aurora_postgres-main.template.yaml 35 | regions: 36 | - us-west-2 37 | aurora-postgresql-13: 38 | parameters: 39 | DBEngineVersion: "13.8" 40 | template: ./templates/aurora_postgres-main.template.yaml 41 | regions: 42 | - ca-central-1 43 | aurora-postgresql-12: 44 | parameters: 45 | DBEngineVersion: "12.12" 46 | template: ./templates/aurora_postgres-main.template.yaml 47 | regions: 48 | - eu-west-2 49 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @tonynv @aws-quickstart/aws_quickstart_team 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 
14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 
22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. 
For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. 
If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. 
You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. 
(Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | 203 | -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at 4 | 5 | http://aws.amazon.com/apache2.0/ 6 | 7 | or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 
8 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # quickstart-amazon-aurora-postgresql 2 | ## Deprecation Notice 3 | 4 | :x: This repository is subject to deprecation in Q4 2024. For more details, [please review this announcement](https://github.com/aws-ia/.announcements/issues/1). 5 | 6 | 7 | ## This repository has been deprecated in favor of https://github.com/aws-ia/cfn-ps-amazon-aurora-postgresql. 8 | ***We will archive this repository and keep it publicly available until May 1, 2024.*** 9 | -------------------------------------------------------------------------------- /ci/aurora_postgres-master-v10-6.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "AvailabilityZones", 4 | "ParameterValue": "$[taskcat_genaz_2]" 5 | }, 6 | { 7 | "ParameterKey": "KeyPairName", 8 | "ParameterValue": "tonynv" 9 | }, 10 | { 11 | "ParameterKey": "QSS3BucketName", 12 | "ParameterValue": "$[taskcat_autobucket]" 13 | }, 14 | { 15 | "ParameterKey": "RemoteAccessCIDR", 16 | "ParameterValue": "10.0.0.0/16" 17 | }, 18 | { 19 | "ParameterKey": "DBMultiAZ", 20 | "ParameterValue": "false" 21 | }, 22 | { "ParameterKey": "EnableEventSubscription", 23 | "ParameterValue": "false" 24 | }, 25 | { 26 | "ParameterKey": "EnableBastion", 27 | "ParameterValue": "false" 28 | }, 29 | { 30 | "ParameterKey": "DBEngineVersion", 31 | "ParameterValue": "10.6" 32 | }, 33 | { 34 | "ParameterKey": "DBMasterUserPassword", 35 | "ParameterValue": "$[taskcat_genpass_8S]" 36 | }, 37 | { 38 | "ParameterKey": "QSS3BucketRegion", 39 | "ParameterValue": "$[taskcat_current_region]" 40 | } 41 | ] 42 | -------------------------------------------------------------------------------- /ci/taskcat.yml: -------------------------------------------------------------------------------- 1 | global: 2 | owner: tony@vattathil.com 3 | 
qsname: quickstart-amazon-aurora-postgresql 4 | regions: 5 | - us-west-2 6 | - ap-south-1 7 | - eu-west-1 8 | - eu-north-1 9 | - us-east-1 10 | - ca-central-1 11 | - ap-northeast-1 12 | - ap-southeast-2 13 | - ap-southeast-1 14 | - ap-northeast-2 15 | - us-east-2 16 | - eu-west-2 17 | - eu-central-1 18 | - us-west-1 19 | # - sa-east-1 20 | - eu-west-3 21 | reporting: true 22 | tests: 23 | postgres-v10-6: 24 | parameter_input: aurora_postgres-master-v10-6.json 25 | template_file: aurora_postgres-master.template.yaml 26 | -------------------------------------------------------------------------------- /templates/aurora_postgres-main.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: "AWS VPC + Linux bastion host + Aurora PostgreSQL, Do Not Remove Apache License Version 2.0 (qs-1pj6s43hc) July,23,2019" 3 | Metadata: 4 | LICENSE: Apache License Version 2.0 5 | cfn-lint: 6 | config: 7 | ignore_checks: 8 | - W9006 9 | - E9101 10 | 11 | ############################################################################### 12 | # Parameter groups 13 | ############################################################################### 14 | AWS::CloudFormation::Interface: 15 | ParameterGroups: 16 | - Label: 17 | default: Network configuration 18 | Parameters: 19 | - AvailabilityZones 20 | - VPCCIDR 21 | - PrivateSubnet1CIDR 22 | - PrivateSubnet2CIDR 23 | - PublicSubnet1CIDR 24 | - PublicSubnet2CIDR 25 | - Label: 26 | default: Linux Bastion Host configuration 27 | Parameters: 28 | - EnableBastion 29 | - KeyPairName 30 | - RemoteAccessCIDR 31 | - EnableTCPForwarding 32 | - Label: 33 | default: Database General configuration 34 | Parameters: 35 | - DBEngineVersion 36 | - DBInstanceClass 37 | - ServerlessMinCapacity 38 | - ServerlessMaxCapacity 39 | - DBPort 40 | - DBName 41 | - DBMasterUsername 42 | - ManageMasterUserPassword 43 | - DBMasterUserPassword 44 | - DBMultiAZ 45 | - 
DBAutoMinorVersionUpgrade 46 | - DBBackupRetentionPeriod 47 | - EnableIAMDBAuth 48 | - Label: 49 | default: Database Storage configuration 50 | Parameters: 51 | - DBStorageEncrypted 52 | - StorageType 53 | - Label: 54 | default: Database Monitoring configuration 55 | Parameters: 56 | - DBExportLogToCloudwatch 57 | - EnablePerformanceInsights 58 | - PerformanceInsightsRetentionPeriod 59 | - EnableEnhancedMonitoring 60 | - MonitoringInterval 61 | - EnableEventSubscription 62 | - NotificationList 63 | - Label: 64 | default: "[Optional] Database tags" 65 | Parameters: 66 | - EnvironmentStage 67 | - Application 68 | - ApplicationVersion 69 | - ProjectCostCenter 70 | - Confidentiality 71 | - Compliance 72 | - Label: 73 | default: Quick Start configuration 74 | Parameters: 75 | - QSS3BucketName 76 | - QSS3BucketRegion 77 | - QSS3KeyPrefix 78 | 79 | ############################################################################### 80 | # Parameter labels 81 | ############################################################################### 82 | ParameterLabels: 83 | 84 | #VPC stack related parameter labels 85 | AvailabilityZones: 86 | default: Availability Zones 87 | PrivateSubnet1CIDR: 88 | default: Private subnet 1 CIDR 89 | PrivateSubnet2CIDR: 90 | default: Private subnet 2 CIDR 91 | PublicSubnet1CIDR: 92 | default: Public subnet 1 CIDR 93 | PublicSubnet2CIDR: 94 | default: Public subnet 2 CIDR 95 | VPCCIDR: 96 | default: VPC CIDR 97 | 98 | #Bastion host related parameter labels 99 | EnableBastion: 100 | default: Create bastion stack 101 | EnableTCPForwarding: 102 | default: Enable TCP Forwarding 103 | KeyPairName: 104 | default: Key Name 105 | RemoteAccessCIDR: 106 | default: Permitted IP range 107 | 108 | #Quickstart related parameter labels 109 | QSS3BucketName: 110 | default: Quick Start S3 bucket name 111 | QSS3BucketRegion: 112 | default: Quick Start S3 bucket region 113 | QSS3KeyPrefix: 114 | default: Quick Start S3 key prefix 115 | 116 | #Aurora related parameter 
labels 117 | Application: 118 | default: Application name 119 | ApplicationVersion: 120 | default: Application version 121 | Compliance: 122 | default: Compliance classifier 123 | Confidentiality: 124 | default: Confidentiality classifier 125 | DBAutoMinorVersionUpgrade: 126 | default: Database auto minor version upgrade 127 | DBBackupRetentionPeriod: 128 | default: Database backup retention period 129 | DBEngineVersion: 130 | default: Database Engine Version 131 | DBExportLogToCloudwatch: 132 | default: Export Database Logs to CloudWatch 133 | DBInstanceClass: 134 | default: Database instance class 135 | DBMasterUsername: 136 | default: Database master username 137 | DBMasterUserPassword: 138 | default: Database master password 139 | DBMultiAZ: 140 | default: Multi-AZ deployment 141 | DBName: 142 | default: Database name 143 | DBPort: 144 | default: Database port 145 | DBStorageEncrypted: 146 | default: Database encryption enabled 147 | EnableEnhancedMonitoring: 148 | default: Enable Enhanced Monitoring 149 | EnableEventSubscription: 150 | default: Enable Event Subscription 151 | EnableIAMDBAuth: 152 | default: Enable IAM Database Authentication 153 | EnablePerformanceInsights: 154 | default: Enable RDS Performance Insights 155 | EnvironmentStage: 156 | default: Environment stage 157 | ManageMasterUserPassword: 158 | default: Manage DB master user password with AWS Secrets Manager 159 | MonitoringInterval: 160 | default: Enhanced monitoring interval 161 | NotificationList: 162 | default: SNS notification email 163 | PerformanceInsightsRetentionPeriod: 164 | default: Number of days to retain Performance Insights data 165 | ProjectCostCenter: 166 | default: Project cost center 167 | ServerlessMinCapacity: 168 | default: Minimum Aurora Serverless v2 capacity units (ACUs) 169 | ServerlessMaxCapacity: 170 | default: Maximum Aurora Serverless v2 capacity units (ACUs) 171 | StorageType: 172 | default: Aurora Storage Type 173 | 174 | 
############################################################################### 175 | # Parameters 176 | ############################################################################### 177 | Parameters: 178 | 179 | #VPC stack related parameters 180 | AvailabilityZones: 181 | Description: >- 182 | List of Availability Zones to use for the subnets in the VPC. Only two 183 | Availability Zones are used for this deployment, and the logical order of 184 | your selections is preserved. 185 | Type: 'List' 186 | PrivateSubnet1CIDR: 187 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 188 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 189 | Default: 10.0.0.0/19 190 | Description: CIDR block for private subnet 1 located in Availability Zone 1. 191 | Type: String 192 | PrivateSubnet2CIDR: 193 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 194 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 195 | Default: 10.0.32.0/19 196 | Description: CIDR block for private subnet 2 located in Availability Zone 2. 197 | Type: String 198 | PublicSubnet1CIDR: 199 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 200 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 201 | Default: 10.0.128.0/20 202 | Description: CIDR block for the public subnet 1 located in Availability Zone 1. 
203 | Type: String 204 | PublicSubnet2CIDR: 205 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 206 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 207 | Default: 10.0.144.0/20 208 | Description: CIDR block for the public subnet 2 located in Availability Zone 2. 209 | Type: String 210 | VPCCIDR: 211 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 212 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 213 | Default: 10.0.0.0/16 214 | Description: CIDR block for the VPC. 215 | Type: String 216 | 217 | #Bastion host related parameters 218 | EnableBastion: 219 | AllowedValues: 220 | - "true" 221 | - "false" 222 | Default: "true" 223 | Description: "If 'true', a bastion stack will be created." 224 | Type: String 225 | EnableTCPForwarding: 226 | Type: String 227 | Description: "Enable/Disable TCP Forwarding for the bastion host." 228 | Default: 'false' 229 | AllowedValues: 230 | - 'true' 231 | - 'false' 232 | KeyPairName: 233 | ConstraintDescription: "Name of an existing EC2 key pair." 234 | Description: "Name of an existing public/private key pair, for connecting to the bastion host." 235 | Type: AWS::EC2::KeyPair::KeyName 236 | RemoteAccessCIDR: 237 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" 238 | ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x" 239 | Description: "Allowed CIDR block for external SSH access to the bastion host." 
240 | Default: 10.0.0.0/16 241 | Type: String 242 | 243 | #Quickstart related parameters 244 | QSS3BucketName: 245 | AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" 246 | ConstraintDescription: "Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)." 247 | Default: aws-quickstart 248 | Description: "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)." 249 | Type: String 250 | QSS3BucketRegion: 251 | Default: us-east-1 252 | Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' 253 | Type: String 254 | QSS3KeyPrefix: 255 | AllowedPattern: "^[0-9a-zA-Z-/]*$" 256 | ConstraintDescription: "Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)." 257 | Default: quickstart-amazon-aurora-postgresql/ 258 | Description: "S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)." 259 | Type: String 260 | 261 | #Aurora related parameters 262 | DBStorageEncrypted: 263 | Default: "true" 264 | AllowedValues: 265 | - "true" 266 | - "false" 267 | Description: "To disable database encryption, choose 'false'." 268 | Type: String 269 | DBAutoMinorVersionUpgrade: 270 | AllowedValues: 271 | - "true" 272 | - "false" 273 | Default: "false" 274 | Description: "Select 'true' to set up auto minor version upgrade." 275 | Type: String 276 | DBBackupRetentionPeriod: 277 | Default: 35 278 | Description: "The number of days for which automatic database snapshots are retained." 279 | Type: Number 280 | MinValue: 0 281 | MaxValue: 35 282 | DBEngineVersion: 283 | Description: >- 284 | Select Database Engine Version. 
285 | Aurora Serverless v2 with Aurora PostgreSQL is available in v13.6 & higher, v14.3 & higher, and v15.2 & higher. 286 | Aurora I/O-Optimized configuration is available in Aurora PostgreSQL v13.10 and higher, v14.7 and higher, and v15.2 and higher. 287 | For supported engines and Region availability for Aurora Serverless v2 with Aurora PostgreSQL, refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.Aurora_Fea_Regions_DB-eng.Feature.ServerlessV2.html 288 | Type: String 289 | Default: 15.3 290 | AllowedValues: 291 | - 11.13 292 | - 11.14 293 | - 11.15 294 | - 11.16 295 | - 11.17 296 | - 11.18 297 | - 11.19 298 | - 11.20 299 | - 12.8 300 | - 12.9 301 | - 12.10 302 | - 12.11 303 | - 12.12 304 | - 12.13 305 | - 12.14 306 | - 12.15 307 | - 13.4 308 | - 13.5 309 | - 13.6 310 | - 13.7 311 | - 13.8 312 | - 13.9 313 | - 13.10 314 | - 13.11 315 | - 14.3 316 | - 14.4 317 | - 14.5 318 | - 14.6 319 | - 14.7 320 | - 14.8 321 | - 15.2 322 | - 15.3 323 | DBExportLogToCloudwatch: 324 | Default: "true" 325 | AllowedValues: 326 | - "true" 327 | - "false" 328 | Description: Whether or not to export Database logs to CloudWatch 329 | Type: String 330 | DBInstanceClass: 331 | Description: >- 332 | The database instance type. 
333 | Please see supported instance types for the Aurora PostgreSQL version selected https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.DBInstanceClass.html#Concepts.DBInstanceClass.SupportAurora 334 | Type: String 335 | Default: db.r6g.2xlarge 336 | AllowedValues: 337 | - db.r5.12xlarge 338 | - db.r5.16xlarge 339 | - db.r5.24xlarge 340 | - db.r5.2xlarge 341 | - db.r5.4xlarge 342 | - db.r5.8xlarge 343 | - db.r5.large 344 | - db.r5.xlarge 345 | - db.r6g.12xlarge 346 | - db.r6g.16xlarge 347 | - db.r6g.2xlarge 348 | - db.r6g.4xlarge 349 | - db.r6g.8xlarge 350 | - db.r6g.large 351 | - db.r6g.xlarge 352 | - db.r6i.12xlarge 353 | - db.r6i.16xlarge 354 | - db.r6i.24xlarge 355 | - db.r6i.2xlarge 356 | - db.r6i.32xlarge 357 | - db.r6i.4xlarge 358 | - db.r6i.8xlarge 359 | - db.r6i.large 360 | - db.r6i.xlarge 361 | - db.r7g.12xlarge 362 | - db.r7g.16xlarge 363 | - db.r7g.2xlarge 364 | - db.r7g.4xlarge 365 | - db.r7g.8xlarge 366 | - db.r7g.large 367 | - db.r7g.xlarge 368 | - db.serverless 369 | - db.t3.large 370 | - db.t3.medium 371 | - db.t4g.large 372 | - db.t4g.medium 373 | - db.x2g.12xlarge 374 | - db.x2g.16xlarge 375 | - db.x2g.2xlarge 376 | - db.x2g.4xlarge 377 | - db.x2g.8xlarge 378 | - db.x2g.large 379 | - db.x2g.xlarge 380 | DBMasterUsername: 381 | AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" 382 | ConstraintDescription: "Must begin with a letter and contain only alphanumeric characters." 383 | Description: (Required) The database master username. Must begin with a letter and contain only alphanumeric characters. 384 | MaxLength: "16" 385 | MinLength: "1" 386 | Type: String 387 | DBMasterUserPassword: 388 | AllowedPattern: ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ 389 | ConstraintDescription: Min 8 chars. Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol 390 | Description: (Required) The database master user password. Min 8 chars. 
Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol. Ignored if 'Manage DB master user password with AWS Secrets Manager' option is set to 'true'. 391 | MaxLength: "99" 392 | MinLength: "8" 393 | NoEcho: "True" 394 | Type: String 395 | DBMultiAZ: 396 | AllowedValues: 397 | - "true" 398 | - "false" 399 | Default: "true" 400 | Description: "Specifies if the database instance is a multiple Availability Zone deployment." 401 | Type: String 402 | DBName: 403 | AllowedPattern: "[a-zA-Z0-9]*" 404 | Description: "Name of the initial PostgreSQL database to create." 405 | MaxLength: "63" 406 | MinLength: "0" 407 | Default: 'sampleapp' 408 | Type: String 409 | DBPort: 410 | Default: 5432 411 | Description: "The port the instance will listen for connections on." 412 | Type: Number 413 | ConstraintDescription: "Must be in the range [1150-65535]." 414 | MinValue: 1150 415 | MaxValue: 65535 416 | EnableEnhancedMonitoring: 417 | AllowedValues: 418 | - "true" 419 | - "false" 420 | Default: "true" 421 | Description: "Set to 'true' to enable Enhanced Monitoring." 422 | Type: String 423 | EnableEventSubscription: 424 | AllowedValues: 425 | - "true" 426 | - "false" 427 | Default: "true" 428 | Description: "Enables event subscription to Notification List." 429 | Type: String 430 | EnableIAMDBAuth: 431 | AllowedValues: 432 | - "true" 433 | - "false" 434 | Default: "true" 435 | Description: "Enables IAM Database Authentication." 436 | Type: String 437 | EnablePerformanceInsights: 438 | AllowedValues: 439 | - "true" 440 | - "false" 441 | Default: "true" 442 | Description: "Enables RDS Performance Insights." 443 | Type: String 444 | ManageMasterUserPassword: 445 | AllowedValues: 446 | - "true" 447 | - "false" 448 | Default: "true" 449 | Description: "Set to 'true' to manage the master user password with AWS Secrets Manager." 
450 | Type: String 451 | MonitoringInterval: 452 | Default: 10 453 | Description: "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database." 454 | Type: Number 455 | AllowedValues: 456 | - 1 457 | - 5 458 | - 10 459 | - 15 460 | - 30 461 | - 60 462 | ConstraintDescription: Valid values are 0, 1, 5, 10, 15, 30, 60 seconds. 463 | NotificationList: 464 | Type: String 465 | Default: 'db-ops@domain.com' 466 | Description: The email notification used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications. 467 | AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' 468 | ConstraintDescription: Provide a valid email address. 469 | PerformanceInsightsRetentionPeriod: 470 | Default: 7 471 | Description: "The number of days for which Performance Insights data is retained. Specify days based on (month * 31), where month is a number of months from 1-23." 472 | Type: Number 473 | MinValue: 7 474 | MaxValue: 713 475 | ServerlessMinCapacity: 476 | Default: 8 477 | Description: >- 478 | Required if "db.serverless" is chosen as the database instance class. 479 | Specify minimum Aurora Serverless v2 Capacity Units (ACUs) in the range of 0.5 to 128 in increments of 0.5. 480 | 1 ACU provides 2 GiB of memory and corresponding compute and networking. 481 | Type: String 482 | AllowedPattern: ([0-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) 483 | ConstraintDescription: "Only values from 0.5 to 128, in increments of 0.5" 484 | ServerlessMaxCapacity: 485 | Default: 64 486 | Description: >- 487 | Required if "db.serverless" is chosen as the database instance class. 488 | Specify maximum Aurora Serverless v2 Capacity Units (ACUs) in the range of 1 to 128 in increments of 0.5. 489 | 1 ACU provides 2 GiB of memory and corresponding compute and networking. 
490 | Type: String 491 | AllowedPattern: ([1-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) 492 | ConstraintDescription: "Only values from 1 to 128, in increments of 0.5" 493 | StorageType: 494 | Type: String 495 | Description: >- 496 | Designates the storage type to associate with the Aurora DB cluster. Choose aurora-iopt1 for Aurora I/O Optimized storage. 497 | For details refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type 498 | AllowedValues: 499 | - aurora 500 | - aurora-iopt1 501 | Default: aurora 502 | 503 | #Optional parameters 504 | Application: 505 | Type: String 506 | Default: "" 507 | Description: "[Optional] Name of the application for the associated AWS resource." 508 | ApplicationVersion: 509 | Type: String 510 | Description: "[Optional] Version of the application." 511 | Default: "" 512 | Compliance: 513 | Type: String 514 | Default: "" 515 | Description: "[Optional] Compliance level for the AWS resource." 516 | AllowedValues: 517 | - hipaa 518 | - sox 519 | - fips 520 | - other 521 | - "" 522 | Confidentiality: 523 | Type: String 524 | Default: "" 525 | Description: "[Optional] Confidentiality classification of the data that is associated with the AWS resource." 526 | AllowedValues: 527 | - public 528 | - private 529 | - confidential 530 | - pii/phi 531 | - none 532 | - "" 533 | EnvironmentStage: 534 | Type: String 535 | Description: "[Optional] Environment stage of the associated AWS resource." 536 | AllowedValues: 537 | - dev 538 | - test 539 | - pre-prod 540 | - prod 541 | - none 542 | Default: none 543 | ProjectCostCenter: 544 | Type: String 545 | Default: "" 546 | Description: "[Optional] Designates the cost center associated with the project of the given AWS resource." 
547 | 548 | ############################################################################### 549 | # Conditions 550 | ############################################################################### 551 | Conditions: 552 | EnableBastionAccess: !Equals 553 | - !Ref EnableBastion 554 | - "true" 555 | UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] 556 | 557 | ############################################################################### 558 | # Resources 559 | ############################################################################### 560 | Resources: 561 | 562 | VPCStack: 563 | Type: 'AWS::CloudFormation::Stack' 564 | Properties: 565 | TemplateURL: 566 | Fn::Sub: 567 | - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' 568 | - S3Region: !If 569 | - UsingDefaultBucket 570 | - !Ref AWS::Region 571 | - !Ref QSS3BucketRegion 572 | S3Bucket: !If 573 | - UsingDefaultBucket 574 | - !Sub '${QSS3BucketName}-${AWS::Region}' 575 | - !Ref QSS3BucketName 576 | Parameters: 577 | AvailabilityZones: !Join 578 | - ',' 579 | - !Ref AvailabilityZones 580 | NumberOfAZs: '2' 581 | PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR 582 | PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR 583 | PublicSubnet1CIDR: !Ref PublicSubnet1CIDR 584 | PublicSubnet2CIDR: !Ref PublicSubnet2CIDR 585 | VPCCIDR: !Ref VPCCIDR 586 | 587 | BastionStack: 588 | Condition: EnableBastionAccess 589 | Type: 'AWS::CloudFormation::Stack' 590 | Properties: 591 | TemplateURL: 592 | !Sub 593 | - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion-entrypoint-existing-vpc.template.yaml' 594 | - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] 595 | S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] 596 | Parameters: 597 | KeyPairName: !Ref KeyPairName 598 | PublicSubnet1ID: 
!GetAtt 599 | - VPCStack 600 | - Outputs.PublicSubnet1ID 601 | PublicSubnet2ID: !GetAtt 602 | - VPCStack 603 | - Outputs.PublicSubnet2ID 604 | EnableTCPForwarding: !Ref EnableTCPForwarding 605 | RemoteAccessCIDR: !Ref RemoteAccessCIDR 606 | VPCID: !GetAtt 607 | - VPCStack 608 | - Outputs.VPCID 609 | QSS3BucketName: !Ref QSS3BucketName 610 | QSS3BucketRegion: !Ref QSS3BucketRegion 611 | QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-linux-bastion/ 612 | 613 | APGNS: 614 | Type: AWS::CloudFormation::Stack 615 | Properties: 616 | TemplateURL: 617 | !Sub 618 | - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/aurora_postgres.template.yaml' 619 | - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] 620 | S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] 621 | Parameters: 622 | #Database Network configuration 623 | VPCID: 624 | Fn::GetAtt: 625 | - VPCStack 626 | - Outputs.VPCID 627 | Subnet1ID: 628 | Fn::GetAtt: 629 | - VPCStack 630 | - Outputs.PrivateSubnet1AID 631 | Subnet2ID: 632 | Fn::GetAtt: 633 | - VPCStack 634 | - Outputs.PrivateSubnet2AID 635 | DBAccessCIDR: !Ref VPCCIDR 636 | #Database General configuration 637 | DBEngineVersion: !Ref DBEngineVersion 638 | DBInstanceClass: !Ref DBInstanceClass 639 | ServerlessMinCapacity: !Ref ServerlessMinCapacity 640 | ServerlessMaxCapacity: !Ref ServerlessMaxCapacity 641 | DBPort: !Ref DBPort 642 | DBName: !Ref DBName 643 | DBMasterUsername: !Ref DBMasterUsername 644 | ManageMasterUserPassword: !Ref ManageMasterUserPassword 645 | DBMasterUserPassword: !Ref DBMasterUserPassword 646 | DBMultiAZ: !Ref DBMultiAZ 647 | DBAutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade 648 | DBBackupRetentionPeriod: !Ref DBBackupRetentionPeriod 649 | EnableIAMDBAuth: !Ref EnableIAMDBAuth 650 | #Database Storage configuration 651 | DBStorageEncrypted: !Ref DBStorageEncrypted 652 | StorageType: !Ref StorageType 653 | #Database 
Monitoring configuration 654 | DBExportLogToCloudwatch: !Ref DBExportLogToCloudwatch 655 | EnablePerformanceInsights: !Ref EnablePerformanceInsights 656 | PerformanceInsightsRetentionPeriod: !Ref PerformanceInsightsRetentionPeriod 657 | EnableEnhancedMonitoring: !Ref EnableEnhancedMonitoring 658 | MonitoringInterval: !Ref MonitoringInterval 659 | EnableEventSubscription: !Ref EnableEventSubscription 660 | NotificationList: !Ref NotificationList 661 | #Database tags (optional) 662 | EnvironmentStage: !Ref EnvironmentStage 663 | Application: !Ref Application 664 | ApplicationVersion: !Ref ApplicationVersion 665 | ProjectCostCenter: !Ref ProjectCostCenter 666 | Confidentiality: !Ref Confidentiality 667 | Compliance: !Ref Compliance 668 | -------------------------------------------------------------------------------- /templates/aurora_postgres.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: '2010-09-09' 2 | Description: "Amazon Aurora PostgreSQL, Do Not Remove Apache License Version 2.0 (qs-1pj6s43e3) July,23,2019" 3 | Metadata: 4 | LICENSE: Apache License Version 2.0 5 | cfn-lint: 6 | config: 7 | ignore_checks: 8 | - E9101 9 | - W3011 10 | - W2030 11 | - E3002 12 | - E1019 13 | 14 | ############################################################################### 15 | # Parameter groups 16 | ############################################################################### 17 | AWS::CloudFormation::Interface: 18 | ParameterGroups: 19 | - Label: 20 | default: Database Network configuration 21 | Parameters: 22 | - VPCID 23 | - Subnet1ID 24 | - Subnet2ID 25 | - CustomDBSecurityGroup 26 | - DBAccessCIDR 27 | - PubliclyAccessible 28 | - Label: 29 | default: Database General configuration 30 | Parameters: 31 | - DBEngineVersion 32 | - DBInstanceClass 33 | - ServerlessMinCapacity 34 | - ServerlessMaxCapacity 35 | - DBPort 36 | - DBName 37 | - DBMasterUsername 38 | - ManageMasterUserPassword 39 | - 
DBMasterUserPassword 40 | - DBMultiAZ 41 | - DBAutoMinorVersionUpgrade 42 | - DBBackupRetentionPeriod 43 | - EnableIAMDBAuth 44 | - Label: 45 | default: Database Storage configuration 46 | Parameters: 47 | - DBStorageEncrypted 48 | - StorageType 49 | - Label: 50 | default: Database Monitoring configuration 51 | Parameters: 52 | - DBExportLogToCloudwatch 53 | - EnablePerformanceInsights 54 | - PerformanceInsightsRetentionPeriod 55 | - EnableEnhancedMonitoring 56 | - MonitoringInterval 57 | - EnableEventSubscription 58 | - NotificationList 59 | - Label: 60 | default: "[Optional] Database tags" 61 | Parameters: 62 | - EnvironmentStage 63 | - Application 64 | - ApplicationVersion 65 | - ProjectCostCenter 66 | - Confidentiality 67 | - Compliance 68 | 69 | ############################################################################### 70 | # Parameter labels 71 | ############################################################################### 72 | ParameterLabels: 73 | Application: 74 | default: Application name 75 | ApplicationVersion: 76 | default: Application version 77 | Compliance: 78 | default: Compliance classifier 79 | Confidentiality: 80 | default: Confidentiality classifier 81 | CustomDBSecurityGroup: 82 | default: Custom security group ID 83 | DBAccessCIDR: 84 | default: Database connection CIDR 85 | DBAutoMinorVersionUpgrade: 86 | default: Database auto minor version upgrade 87 | DBBackupRetentionPeriod: 88 | default: Database backup retention period 89 | DBEngineVersion: 90 | default: Database Engine Version 91 | DBExportLogToCloudwatch: 92 | default: Export Database Logs to CloudWatch 93 | DBInstanceClass: 94 | default: Database instance class 95 | DBMasterUsername: 96 | default: Database master username 97 | DBMasterUserPassword: 98 | default: Database master password 99 | DBMultiAZ: 100 | default: Multi-AZ deployment 101 | DBName: 102 | default: Database name 103 | DBPort: 104 | default: Database port 105 | DBStorageEncrypted: 106 | default: Database 
encryption enabled 107 | EnableEnhancedMonitoring: 108 | default: Enable Enhanced Monitoring 109 | EnableEventSubscription: 110 | default: Enable Event Subscription 111 | EnableIAMDBAuth: 112 | default: Enable IAM Database Authentication 113 | EnablePerformanceInsights: 114 | default: Enable RDS Performance Insights 115 | EnvironmentStage: 116 | default: Environment stage 117 | ManageMasterUserPassword: 118 | default: Manage DB master user password with AWS Secrets Manager 119 | MonitoringInterval: 120 | default: Enhanced monitoring interval 121 | NotificationList: 122 | default: SNS notification email 123 | PerformanceInsightsRetentionPeriod: 124 | default: Number of days to retain Performance Insights data 125 | ProjectCostCenter: 126 | default: Project cost center 127 | PubliclyAccessible: 128 | default: Publicly Accessible 129 | ServerlessMinCapacity: 130 | default: Minimum Aurora Serverless v2 capacity units (ACUs) 131 | ServerlessMaxCapacity: 132 | default: Maximum Aurora Serverless v2 capacity units (ACUs) 133 | Subnet1ID: 134 | default: Private subnet 1 ID 135 | Subnet2ID: 136 | default: Private subnet 2 ID 137 | StorageType: 138 | default: Aurora Storage Type 139 | VPCID: 140 | default: VPC ID 141 | 142 | ############################################################################### 143 | # Parameters 144 | ############################################################################### 145 | Parameters: 146 | CustomDBSecurityGroup: 147 | Description: "ID of the security group (e.g., sg-0234se). One will be created for you if left empty." 148 | Type: String 149 | Default: '' 150 | DBAccessCIDR: 151 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" 152 | ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x" 153 | Description: "Allowed CIDR block for external access (use VPC CIDR)." 
154 | Type: String 155 | Default: 10.0.0.0/16 156 | DBAutoMinorVersionUpgrade: 157 | AllowedValues: 158 | - "true" 159 | - "false" 160 | Default: "false" 161 | Description: "Select 'true' to set up auto minor version upgrade." 162 | Type: String 163 | DBBackupRetentionPeriod: 164 | Default: 35 165 | Description: "The number of days for which automatic database snapshots are retained." 166 | Type: Number 167 | MinValue: 0 168 | MaxValue: 35 169 | DBEngineVersion: 170 | Description: >- 171 | Select Database Engine Version. 172 | Aurora Serverless v2 with Aurora PostgreSQL is available in v13.6 & higher, v14.3 & higher, and v15.2 & higher. 173 | Aurora I/O-Optimized configuration is available in Aurora PostgreSQL v13.10 and higher, v14.7 and higher, and v15.2 and higher. 174 | For supported engines and Region availability for Aurora Serverless v2 with Aurora PostgreSQL, refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.Aurora_Fea_Regions_DB-eng.Feature.ServerlessV2.html 175 | Type: String 176 | Default: 15.3 177 | AllowedValues: 178 | - 11.13 179 | - 11.14 180 | - 11.15 181 | - 11.16 182 | - 11.17 183 | - 11.18 184 | - 11.19 185 | - 11.20 186 | - 12.8 187 | - 12.9 188 | - 12.10 189 | - 12.11 190 | - 12.12 191 | - 12.13 192 | - 12.14 193 | - 12.15 194 | - 13.4 195 | - 13.5 196 | - 13.6 197 | - 13.7 198 | - 13.8 199 | - 13.9 200 | - 13.10 201 | - 13.11 202 | - 14.3 203 | - 14.4 204 | - 14.5 205 | - 14.6 206 | - 14.7 207 | - 14.8 208 | - 15.2 209 | - 15.3 210 | DBExportLogToCloudwatch: 211 | Default: "true" 212 | AllowedValues: 213 | - "true" 214 | - "false" 215 | Description: Whether or not to export Database logs to CloudWatch 216 | Type: String 217 | DBInstanceClass: 218 | Description: >- 219 | The database instance type. 
220 | Please see supported instance types for the Aurora PostgreSQL version selected https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.DBInstanceClass.html#Concepts.DBInstanceClass.SupportAurora 221 | Type: String 222 | Default: db.r6g.2xlarge 223 | AllowedValues: 224 | - db.r5.12xlarge 225 | - db.r5.16xlarge 226 | - db.r5.24xlarge 227 | - db.r5.2xlarge 228 | - db.r5.4xlarge 229 | - db.r5.8xlarge 230 | - db.r5.large 231 | - db.r5.xlarge 232 | - db.r6g.12xlarge 233 | - db.r6g.16xlarge 234 | - db.r6g.2xlarge 235 | - db.r6g.4xlarge 236 | - db.r6g.8xlarge 237 | - db.r6g.large 238 | - db.r6g.xlarge 239 | - db.r6i.12xlarge 240 | - db.r6i.16xlarge 241 | - db.r6i.24xlarge 242 | - db.r6i.2xlarge 243 | - db.r6i.32xlarge 244 | - db.r6i.4xlarge 245 | - db.r6i.8xlarge 246 | - db.r6i.large 247 | - db.r6i.xlarge 248 | - db.r7g.12xlarge 249 | - db.r7g.16xlarge 250 | - db.r7g.2xlarge 251 | - db.r7g.4xlarge 252 | - db.r7g.8xlarge 253 | - db.r7g.large 254 | - db.r7g.xlarge 255 | - db.serverless 256 | - db.t3.large 257 | - db.t3.medium 258 | - db.t4g.large 259 | - db.t4g.medium 260 | - db.x2g.12xlarge 261 | - db.x2g.16xlarge 262 | - db.x2g.2xlarge 263 | - db.x2g.4xlarge 264 | - db.x2g.8xlarge 265 | - db.x2g.large 266 | - db.x2g.xlarge 267 | DBMasterUsername: 268 | AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" 269 | ConstraintDescription: "Must begin with a letter and contain only alphanumeric characters." 270 | Description: (Required) The database master username. Must begin with a letter and contain only alphanumeric characters. 271 | MaxLength: "16" 272 | MinLength: "1" 273 | Type: String 274 | DBMasterUserPassword: 275 | AllowedPattern: ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ 276 | ConstraintDescription: Min 8 chars. Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol 277 | Description: (Required) The database master user password. Min 8 chars. 
Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol. Ignored if 'Manage DB master user password with AWS Secrets Manager' option is set to 'true'. 278 | MaxLength: "99" 279 | MinLength: "8" 280 | NoEcho: "True" 281 | Type: String 282 | DBMultiAZ: 283 | AllowedValues: 284 | - "true" 285 | - "false" 286 | Default: "true" 287 | Description: "Specifies if the database instance is a multiple Availability Zone deployment." 288 | Type: String 289 | DBName: 290 | AllowedPattern: "[a-zA-Z0-9]*" 291 | Description: "Name of the initial PostgreSQL database to create." 292 | MaxLength: "63" 293 | MinLength: "0" 294 | Default: 'sampleapp' 295 | Type: String 296 | DBPort: 297 | Default: 5432 298 | Description: "The port the instance will listen for connections on." 299 | Type: Number 300 | ConstraintDescription: 'Must be in the range [1150-65535].' 301 | MinValue: 1150 302 | MaxValue: 65535 303 | DBStorageEncrypted: 304 | Default: "true" 305 | AllowedValues: 306 | - "true" 307 | - "false" 308 | Description: "To disable database encryption, choose 'false'." 309 | Type: String 310 | EnableEnhancedMonitoring: 311 | AllowedValues: 312 | - "true" 313 | - "false" 314 | Default: "true" 315 | Description: "Set to 'true' to enable Enhanced Monitoring." 316 | Type: String 317 | EnableEventSubscription: 318 | AllowedValues: 319 | - "true" 320 | - "false" 321 | Default: "true" 322 | Description: "Enables event subscription to Notification List." 323 | Type: String 324 | EnableIAMDBAuth: 325 | AllowedValues: 326 | - "true" 327 | - "false" 328 | Default: "true" 329 | Description: "Enables IAM Database Authentication." 330 | Type: String 331 | EnablePerformanceInsights: 332 | AllowedValues: 333 | - "true" 334 | - "false" 335 | Default: "true" 336 | Description: "Enables RDS Performance Insights." 
337 | Type: String 338 | ManageMasterUserPassword: 339 | AllowedValues: 340 | - "true" 341 | - "false" 342 | Default: "true" 343 | Description: "Set to 'true' to manage the master user password with AWS Secrets Manager." 344 | Type: String 345 | MonitoringInterval: 346 | Default: 10 347 | Description: "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database." 348 | Type: Number 349 | AllowedValues: 350 | - 1 351 | - 5 352 | - 10 353 | - 15 354 | - 30 355 | - 60 356 | ConstraintDescription: Valid values are 0, 1, 5, 10, 15, 30, 60 seconds. 357 | NotificationList: 358 | Type: String 359 | Default: 'db-ops@domain.com' 360 | Description: The email notification used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications. 361 | AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' 362 | ConstraintDescription: Provide a valid email address. 363 | PerformanceInsightsRetentionPeriod: 364 | Default: 7 365 | Description: "The number of days for which Performance Insights data is retained. Specify days based on (month * 31), where month is a number of months from 1-23." 366 | Type: Number 367 | MinValue: 7 368 | MaxValue: 713 369 | PubliclyAccessible: 370 | AllowedValues: 371 | - "true" 372 | - "false" 373 | Default: "false" 374 | Description: "Indicates whether the DB instance is an internet-facing instance." 375 | Type: String 376 | ServerlessMinCapacity: 377 | Default: 8 378 | Description: >- 379 | Required if "db.serverless" is chosen as the database instance class. 380 | Specify minimum Aurora Serverless v2 Capacity Units (ACUs) in the range of 0.5 to 128 in increments of 0.5. 381 | 1 ACU provides 2 GiB of memory and corresponding compute and networking. 
382 | Type: String 383 | AllowedPattern: ([0-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) 384 | ConstraintDescription: "Only values from 0.5 to 128, in increments of 0.5" 385 | ServerlessMaxCapacity: 386 | Default: 64 387 | Description: >- 388 | Required if "db.serverless" is chosen as the database instance class. 389 | Specify maximum Aurora Serverless v2 Capacity Units (ACUs) in the range of 1 to 128 in increments of 0.5. 390 | 1 ACU provides 2 GiB of memory and corresponding compute and networking. 391 | Type: String 392 | AllowedPattern: ([1-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) 393 | ConstraintDescription: "Only values from 1 to 128, in increments of 0.5" 394 | StorageType: 395 | Type: String 396 | Description: >- 397 | Designates the storage type to associate with the Aurora DB cluster. Choose aurora-iopt1 for Aurora I/O Optimized storage. 398 | For details refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type 399 | AllowedValues: 400 | - aurora 401 | - aurora-iopt1 402 | Default: aurora 403 | Subnet1ID: 404 | Description: The ID of the private subnet in Availability Zone 1. 405 | Type: 'AWS::EC2::Subnet::Id' 406 | Subnet2ID: 407 | Description: The ID of the private subnet in Availability Zone 2. 408 | Type: 'AWS::EC2::Subnet::Id' 409 | VPCID: 410 | Description: "ID of the VPC you are deploying Aurora into (e.g., vpc-0343606e)." 411 | Type: 'AWS::EC2::VPC::Id' 412 | Default: '' 413 | 414 | #Optional parameters 415 | Application: 416 | Type: String 417 | Default: "" 418 | Description: "[Optional] Name of the application for the associated AWS resource." 419 | ApplicationVersion: 420 | Type: String 421 | Description: "[Optional] Version of the application." 422 | Default: "" 423 | Compliance: 424 | Type: String 425 | Default: "" 426 | Description: "[Optional] Compliance level for the AWS resource." 
427 | AllowedValues: 428 | - hipaa 429 | - sox 430 | - fips 431 | - other 432 | - "" 433 | Confidentiality: 434 | Type: String 435 | Default: "" 436 | Description: "[Optional] Confidentiality classification of the data that is associated with the AWS resource." 437 | AllowedValues: 438 | - public 439 | - private 440 | - confidential 441 | - pii/phi 442 | - none 443 | - "" 444 | EnvironmentStage: 445 | Type: String 446 | Description: "[Optional] Environment stage of the associated AWS resource." 447 | AllowedValues: 448 | - dev 449 | - test 450 | - pre-prod 451 | - prod 452 | - none 453 | Default: none 454 | ProjectCostCenter: 455 | Type: String 456 | Default: "" 457 | Description: "[Optional] Designates the cost center associated with the project of the given AWS resource." 458 | 459 | ############################################################################### 460 | # Mappings 461 | ############################################################################### 462 | Mappings: 463 | DBFamilyMap: 464 | '11.13': 465 | family: aurora-postgresql11 466 | '11.14': 467 | family: aurora-postgresql11 468 | '11.15': 469 | family: aurora-postgresql11 470 | '11.16': 471 | family: aurora-postgresql11 472 | '11.17': 473 | family: aurora-postgresql11 474 | '11.18': 475 | family: aurora-postgresql11 476 | '11.19': 477 | family: aurora-postgresql11 478 | '11.20': 479 | family: aurora-postgresql11 480 | '12.8': 481 | family: aurora-postgresql12 482 | '12.9': 483 | family: aurora-postgresql12 484 | '12.10': 485 | family: aurora-postgresql12 486 | '12.11': 487 | family: aurora-postgresql12 488 | '12.12': 489 | family: aurora-postgresql12 490 | '12.13': 491 | family: aurora-postgresql12 492 | '12.14': 493 | family: aurora-postgresql12 494 | '12.15': 495 | family: aurora-postgresql12 496 | '13.4': 497 | family: aurora-postgresql13 498 | '13.5': 499 | family: aurora-postgresql13 500 | '13.6': 501 | family: aurora-postgresql13 502 | '13.7': 503 | family: aurora-postgresql13 504 | 
'13.8': 505 | family: aurora-postgresql13 506 | '13.9': 507 | family: aurora-postgresql13 508 | '13.10': 509 | family: aurora-postgresql13 510 | '13.11': 511 | family: aurora-postgresql13 512 | '14.3': 513 | family: aurora-postgresql14 514 | '14.4': 515 | family: aurora-postgresql14 516 | '14.5': 517 | family: aurora-postgresql14 518 | '14.6': 519 | family: aurora-postgresql14 520 | '14.7': 521 | family: aurora-postgresql14 522 | '14.8': 523 | family: aurora-postgresql14 524 | '15.2': 525 | family: aurora-postgresql15 526 | '15.3': 527 | family: aurora-postgresql15 528 | 529 | ############################################################################### 530 | # Conditions 531 | ############################################################################### 532 | Conditions: 533 | CreateSecurityGroup: !Equals 534 | - !Ref CustomDBSecurityGroup 535 | - '' 536 | CreateKMSKey: !Or 537 | - !Condition UseDatabaseEncryption 538 | - !Condition UseSecretsManager 539 | - !Condition EnablePI 540 | DoCreateDatabase: 541 | !Not 542 | - !Equals 543 | - !Ref DBName 544 | - '' 545 | EnableDBLogExport: 546 | !Equals 547 | - !Ref DBExportLogToCloudwatch 548 | - "true" 549 | IsASV2: 550 | !Equals 551 | - !Ref DBInstanceClass 552 | - 'db.serverless' 553 | IsDBMultiAZ: !Equals 554 | - !Ref DBMultiAZ 555 | - 'true' 556 | EventSubscription: !Equals 557 | - !Ref EnableEventSubscription 558 | - 'true' 559 | EnableEM: !Equals 560 | - !Ref EnableEnhancedMonitoring 561 | - 'true' 562 | EnablePI: !Equals 563 | - !Ref EnablePerformanceInsights 564 | - 'true' 565 | UseDatabaseEncryption: !Equals 566 | - !Ref DBStorageEncrypted 567 | - "true" 568 | UseSecretsManager: !Equals 569 | - !Ref ManageMasterUserPassword 570 | - "true" 571 | 572 | ############################################################################### 573 | # Rules 574 | ############################################################################### 575 | Rules: 576 | SubnetsInVPC: 577 | Assertions: 578 | - Assert: !Equals 
[!ValueOf ["Subnet1ID", "VpcId"], !Ref VPCID] 579 | AssertDescription: "Private subnet 1 ID doesn't belong to the specified VPC" 580 | - Assert: !Equals [!ValueOf ["Subnet2ID", "VpcId"], !Ref VPCID] 581 | AssertDescription: "Private subnet 2 ID doesn't belong to the specified VPC" 582 | SubnetsUnique: 583 | Assertions: 584 | - Assert: !Not [!Equals [!Ref Subnet1ID, !Ref Subnet2ID]] 585 | AssertDescription: "Please provide 2 distinct private subnets" 586 | 587 | ############################################################################### 588 | # Resources 589 | ############################################################################### 590 | Resources: 591 | 592 | AuroraDBSubnetGroup: 593 | Properties: 594 | DBSubnetGroupDescription: "Subnets available for the Amazon Aurora database cluster" 595 | SubnetIds: 596 | - !Ref Subnet1ID 597 | - !Ref Subnet2ID 598 | Type: "AWS::RDS::DBSubnetGroup" 599 | 600 | RDSSecurityGroup: 601 | Condition: CreateSecurityGroup 602 | Properties: 603 | GroupDescription: "Allow access to database port" 604 | SecurityGroupEgress: 605 | - 606 | CidrIp: 0.0.0.0/0 607 | FromPort: -1 608 | IpProtocol: '-1' 609 | ToPort: -1 610 | Description: Allows all outbound traffic 611 | SecurityGroupIngress: 612 | - 613 | CidrIp: !Ref DBAccessCIDR 614 | FromPort: !Ref DBPort 615 | IpProtocol: tcp 616 | ToPort: !Ref DBPort 617 | Description: Access from the DBAccessCIDR specified 618 | VpcId: !Ref VPCID 619 | Tags: 620 | - Key: Name 621 | Value: !Sub RDSSecurityGroup-${AWS::StackName} 622 | Type: "AWS::EC2::SecurityGroup" 623 | 624 | RDSSecurityGroupIngress: 625 | Condition: CreateSecurityGroup 626 | Properties: 627 | GroupId: !GetAtt 'RDSSecurityGroup.GroupId' 628 | IpProtocol: '-1' 629 | SourceSecurityGroupId: !Ref RDSSecurityGroup 630 | Description: 'Self Reference' 631 | Type: 'AWS::EC2::SecurityGroupIngress' 632 | 633 | DBSNSTopic: 634 | Type: AWS::SNS::Topic 635 | Properties: 636 | KmsMasterKeyId: !If [UseDatabaseEncryption, !Ref EncryptionKey, 
!Ref 'AWS::NoValue'] 637 | Subscription: 638 | - Endpoint: !Ref NotificationList 639 | Protocol: email 640 | 641 | EncryptionKey: 642 | Metadata: 643 | cfn-lint: 644 | config: 645 | ignore_checks: 646 | - EIAMPolicyActionWildcard 647 | ignore_reasons: 648 | - EIAMPolicyActionWildcard: "All KMS actions allowed by design" 649 | Condition: CreateKMSKey 650 | DeletionPolicy: Retain 651 | UpdateReplacePolicy: Retain 652 | Type: AWS::KMS::Key 653 | Properties: 654 | Description: !Join [ "- ", [ "KMS Key for Cloudformation Stack ", !Ref AWS::StackName ] ] 655 | EnableKeyRotation: true 656 | KeyPolicy: 657 | Version: 2012-10-17 658 | Id: !Ref AWS::StackName 659 | Statement: 660 | - Sid: Enable IAM User Permissions 661 | Effect: Allow 662 | Principal: 663 | AWS: 664 | - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" 665 | Action: 'kms:*' 666 | Resource: '*' 667 | - Sid: Enable RDS and CloudWatch Service Permissions 668 | Effect: Allow 669 | Principal: 670 | Service: 671 | - 'events.rds.amazonaws.com' 672 | - 'cloudwatch.amazonaws.com' 673 | - 'events.amazonaws.com' 674 | Action: 675 | - 'kms:GenerateDataKey*' 676 | - 'kms:Decrypt' 677 | Resource: '*' 678 | Tags: 679 | - Key: Name 680 | Value: !Ref AWS::StackName 681 | 682 | EncryptionKeyAlias: 683 | Type: AWS::KMS::Alias 684 | Condition: CreateKMSKey 685 | Properties: 686 | AliasName: !Sub "alias/${AWS::StackName}" 687 | TargetKeyId: !Ref EncryptionKey 688 | 689 | MRole: 690 | Type: AWS::IAM::Role 691 | Condition: EnableEM 692 | Properties: 693 | AssumeRolePolicyDocument: 694 | Version: "2012-10-17" 695 | Statement: 696 | - 697 | Effect: "Allow" 698 | Principal: 699 | Service: 700 | - "monitoring.rds.amazonaws.com" 701 | Action: 702 | - "sts:AssumeRole" 703 | Path: "/" 704 | ManagedPolicyArns: 705 | - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole 706 | 707 | APGDBCPG: 708 | Type: AWS::RDS::DBClusterParameterGroup 709 | Properties: 710 | Description: !Join [ "- ", [ "Aurora 
PG Cluster Parameter Group for Cloudformation Stack ", !Ref AWS::StackName ] ] 711 | Family: !FindInMap [DBFamilyMap, !Ref DBEngineVersion, "family"] 712 | Parameters: 713 | rds.force_ssl: 0 714 | APGDBPG: 715 | Type: AWS::RDS::DBParameterGroup 716 | Properties: 717 | Description: !Join [ "- ", [ "Aurora PG Database Instance Parameter Group for Cloudformation Stack ", !Ref AWS::StackName ] ] 718 | Family: !FindInMap [DBFamilyMap, !Ref DBEngineVersion, "family"] 719 | Parameters: 720 | log_rotation_age: '1440' 721 | log_rotation_size: '102400' 722 | 723 | 724 | AuroraDBCluster: 725 | Metadata: 726 | cfn-lint: 727 | config: 728 | ignore_checks: 729 | - ERDSStorageEncryptionEnabled 730 | - E2521 731 | ignore_reasons: 732 | - ERDSStorageEncryptionEnabled: "StorageEncryption is conditional" 733 | - E2521: "When ManageMasterUserPassword is set to true, MasterUserPassword is ignored" 734 | Type: AWS::RDS::DBCluster 735 | DeletionPolicy: Snapshot 736 | UpdateReplacePolicy: Snapshot 737 | Properties: 738 | BackupRetentionPeriod: !Ref DBBackupRetentionPeriod 739 | DatabaseName: 740 | !If 741 | - DoCreateDatabase 742 | - !Ref DBName 743 | - !Ref AWS::NoValue 744 | DBClusterIdentifier: !Sub apg-${AWS::StackName} 745 | DBClusterParameterGroupName: !Ref APGDBCPG 746 | DBSubnetGroupName: !Ref AuroraDBSubnetGroup 747 | EnableCloudwatchLogsExports: 748 | - !If [EnableDBLogExport, postgresql, !Ref 'AWS::NoValue'] 749 | EnableIAMDatabaseAuthentication: !Ref EnableIAMDBAuth 750 | Engine: aurora-postgresql 751 | EngineVersion: !Ref DBEngineVersion 752 | KmsKeyId: !If [UseDatabaseEncryption, !GetAtt EncryptionKey.Arn, !Ref 'AWS::NoValue'] 753 | MasterUsername: !Ref DBMasterUsername 754 | ManageMasterUserPassword: !Ref ManageMasterUserPassword 755 | MasterUserPassword: !If [UseSecretsManager, !Ref 'AWS::NoValue', !Ref DBMasterUserPassword] 756 | MasterUserSecret: 757 | KmsKeyId: !If [UseSecretsManager, !Ref EncryptionKey, !Ref 'AWS::NoValue'] 758 | Port: !Ref DBPort 759 | 
ServerlessV2ScalingConfiguration: 760 | MinCapacity: !If [IsASV2, !Ref ServerlessMinCapacity, !Ref 'AWS::NoValue'] 761 | MaxCapacity: !If [IsASV2, !Ref ServerlessMaxCapacity, !Ref 'AWS::NoValue'] 762 | StorageEncrypted: !If [UseDatabaseEncryption, !Ref DBStorageEncrypted, !Ref 'AWS::NoValue'] 763 | StorageType: !Ref StorageType 764 | Tags: 765 | - 766 | Key: Name 767 | Value: !Sub APG-${AWS::StackName} 768 | - 769 | Key: EnvironmentStage 770 | Value: !Ref EnvironmentStage 771 | - 772 | Key: Application 773 | Value: !Ref Application 774 | - 775 | Key: ApplicationVersion 776 | Value: !Ref ApplicationVersion 777 | - 778 | Key: ProjectCostCenter 779 | Value: !Ref ProjectCostCenter 780 | - 781 | Key: Confidentiality 782 | Value: !Ref Confidentiality 783 | - 784 | Key: Compliance 785 | Value: !Ref Compliance 786 | VpcSecurityGroupIds: 787 | !If 788 | - CreateSecurityGroup 789 | - [!Ref RDSSecurityGroup] 790 | - [!Ref CustomDBSecurityGroup] 791 | 792 | Inst1: 793 | Type: AWS::RDS::DBInstance 794 | Metadata: 795 | cfn-lint: 796 | config: 797 | ignore_checks: 798 | - ERDSDBInstancePubliclyAccessible 799 | - I3011 800 | ignore_reasons: 801 | - ERDSDBInstancePubliclyAccessible: "PubliclyAccessible is false by default" 802 | - I3011: "Update/Deletion policy is set at the cluster level for Amazon Aurora" 803 | Properties: 804 | AutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade 805 | DBClusterIdentifier: !Ref AuroraDBCluster 806 | DBInstanceClass: !Ref DBInstanceClass 807 | DBParameterGroupName: !Ref APGDBPG 808 | EnablePerformanceInsights: !Ref EnablePerformanceInsights 809 | Engine: aurora-postgresql 810 | MonitoringInterval: !If [EnableEM, !Ref MonitoringInterval, !Ref 'AWS::NoValue'] 811 | MonitoringRoleArn: !If [EnableEM, !GetAtt MRole.Arn, !Ref 'AWS::NoValue'] 812 | PerformanceInsightsKMSKeyId: !If [EnablePI, !Ref EncryptionKey, !Ref 'AWS::NoValue'] 813 | PerformanceInsightsRetentionPeriod: !If [EnablePI, !Ref PerformanceInsightsRetentionPeriod, !Ref 'AWS::NoValue'] 
814 | PubliclyAccessible: !Ref PubliclyAccessible 815 | Tags: 816 | - 817 | Key: Name 818 | Value: !Sub APG-${AWS::StackName} 819 | - 820 | Key: EnvironmentStage 821 | Value: !Ref EnvironmentStage 822 | - 823 | Key: Application 824 | Value: !Ref Application 825 | - 826 | Key: ApplicationVersion 827 | Value: !Ref ApplicationVersion 828 | - 829 | Key: ProjectCostCenter 830 | Value: !Ref ProjectCostCenter 831 | - 832 | Key: Confidentiality 833 | Value: !Ref Confidentiality 834 | - 835 | Key: Compliance 836 | Value: !Ref Compliance 837 | 838 | Inst2: 839 | Type: AWS::RDS::DBInstance 840 | Condition: IsDBMultiAZ 841 | Metadata: 842 | cfn-lint: 843 | config: 844 | ignore_checks: 845 | - ERDSDBInstancePubliclyAccessible 846 | - I3011 847 | ignore_reasons: 848 | - ERDSDBInstancePubliclyAccessible: "PubliclyAccessible is false by default" 849 | - I3011: "Update/Deletion policy is set at the cluster level for Amazon Aurora" 850 | Properties: 851 | AutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade 852 | DBClusterIdentifier: !Ref AuroraDBCluster 853 | DBInstanceClass: !Ref DBInstanceClass 854 | DBParameterGroupName: !Ref APGDBPG 855 | EnablePerformanceInsights: !Ref EnablePerformanceInsights 856 | Engine: aurora-postgresql 857 | MonitoringInterval: !If [EnableEM, !Ref MonitoringInterval, !Ref 'AWS::NoValue'] 858 | MonitoringRoleArn: !If [EnableEM, !GetAtt MRole.Arn, !Ref 'AWS::NoValue'] 859 | PerformanceInsightsKMSKeyId: !If [EnablePI, !Ref EncryptionKey, !Ref 'AWS::NoValue'] 860 | PerformanceInsightsRetentionPeriod: !If [EnablePI, !Ref PerformanceInsightsRetentionPeriod, !Ref 'AWS::NoValue'] 861 | PubliclyAccessible: !Ref PubliclyAccessible 862 | Tags: 863 | - 864 | Key: Name 865 | Value: !Sub APG-${AWS::StackName} 866 | - 867 | Key: EnvironmentStage 868 | Value: !Ref EnvironmentStage 869 | - 870 | Key: Application 871 | Value: !Ref Application 872 | - 873 | Key: ApplicationVersion 874 | Value: !Ref ApplicationVersion 875 | - 876 | Key: ProjectCostCenter 877 | Value: 
!Ref ProjectCostCenter 878 | - 879 | Key: Confidentiality 880 | Value: !Ref Confidentiality 881 | - 882 | Key: Compliance 883 | Value: !Ref Compliance 884 | 885 | CPUUtilizationAlarm1: 886 | Type: "AWS::CloudWatch::Alarm" 887 | Properties: 888 | ActionsEnabled: true 889 | AlarmActions: 890 | - Ref: DBSNSTopic 891 | AlarmDescription: 'CPU_Utilization' 892 | Dimensions: 893 | - Name: DBInstanceIdentifier 894 | Value: 895 | Ref: Inst1 896 | MetricName: CPUUtilization 897 | Statistic: Maximum 898 | Namespace: 'AWS/RDS' 899 | Threshold: 80 900 | Unit: Percent 901 | ComparisonOperator: 'GreaterThanOrEqualToThreshold' 902 | Period: 60 903 | EvaluationPeriods: 5 904 | TreatMissingData: 'notBreaching' 905 | 906 | CPUUtilizationAlarm2: 907 | Condition: IsDBMultiAZ 908 | Type: "AWS::CloudWatch::Alarm" 909 | Properties: 910 | ActionsEnabled: true 911 | AlarmActions: 912 | - Ref: DBSNSTopic 913 | AlarmDescription: 'CPU_Utilization' 914 | Dimensions: 915 | - Name: DBInstanceIdentifier 916 | Value: 917 | Ref: Inst2 918 | MetricName: CPUUtilization 919 | Statistic: Maximum 920 | Namespace: 'AWS/RDS' 921 | Threshold: 80 922 | Unit: Percent 923 | ComparisonOperator: 'GreaterThanOrEqualToThreshold' 924 | Period: 60 925 | EvaluationPeriods: 5 926 | TreatMissingData: 'notBreaching' 927 | 928 | MaxUsedTxIDsAlarm1: 929 | Type: "AWS::CloudWatch::Alarm" 930 | Properties: 931 | ActionsEnabled: true 932 | AlarmActions: 933 | - Ref: DBSNSTopic 934 | AlarmDescription: 'Maximum Used Transaction IDs' 935 | Dimensions: 936 | - Name: DBInstanceIdentifier 937 | Value: 938 | Ref: Inst1 939 | MetricName: 'MaximumUsedTransactionIDs' 940 | Statistic: Average 941 | Namespace: 'AWS/RDS' 942 | Threshold: 600000000 943 | Unit: Count 944 | ComparisonOperator: 'GreaterThanOrEqualToThreshold' 945 | Period: 60 946 | EvaluationPeriods: 5 947 | TreatMissingData: 'notBreaching' 948 | 949 | MaxUsedTxIDsAlarm2: 950 | Condition: IsDBMultiAZ 951 | Type: "AWS::CloudWatch::Alarm" 952 | Properties: 953 | ActionsEnabled: 
true 954 | AlarmActions: 955 | - Ref: DBSNSTopic 956 | AlarmDescription: 'Maximum Used Transaction IDs' 957 | Dimensions: 958 | - Name: DBInstanceIdentifier 959 | Value: 960 | Ref: Inst2 961 | MetricName: 'MaximumUsedTransactionIDs' 962 | Statistic: Average 963 | Namespace: 'AWS/RDS' 964 | Threshold: 600000000 965 | Unit: Count 966 | ComparisonOperator: 'GreaterThanOrEqualToThreshold' 967 | Period: 60 968 | EvaluationPeriods: 5 969 | TreatMissingData: 'notBreaching' 970 | 971 | FreeLocalStorageAlarm1: 972 | Type: "AWS::CloudWatch::Alarm" 973 | Properties: 974 | ActionsEnabled: true 975 | AlarmActions: 976 | - Ref: DBSNSTopic 977 | AlarmDescription: 'Free Local Storage' 978 | Dimensions: 979 | - Name: DBInstanceIdentifier 980 | Value: 981 | Ref: Inst1 982 | MetricName: 'FreeLocalStorage' 983 | Statistic: Average 984 | Namespace: 'AWS/RDS' 985 | Threshold: 5368709120 986 | Unit: Bytes 987 | ComparisonOperator: 'LessThanOrEqualToThreshold' 988 | Period: 60 989 | EvaluationPeriods: 5 990 | TreatMissingData: 'notBreaching' 991 | 992 | FreeLocalStorageAlarm2: 993 | Condition: IsDBMultiAZ 994 | Type: "AWS::CloudWatch::Alarm" 995 | Properties: 996 | ActionsEnabled: true 997 | AlarmActions: 998 | - Ref: DBSNSTopic 999 | AlarmDescription: 'Free Local Storage' 1000 | Dimensions: 1001 | - Name: DBInstanceIdentifier 1002 | Value: 1003 | Ref: Inst2 1004 | MetricName: 'FreeLocalStorage' 1005 | Statistic: Average 1006 | Namespace: 'AWS/RDS' 1007 | Threshold: 5368709120 1008 | Unit: Bytes 1009 | ComparisonOperator: 'LessThanOrEqualToThreshold' 1010 | Period: 60 1011 | EvaluationPeriods: 5 1012 | TreatMissingData: 'notBreaching' 1013 | 1014 | DatabaseClusterEventSubscription: 1015 | Condition: EventSubscription 1016 | Type: 'AWS::RDS::EventSubscription' 1017 | Properties: 1018 | EventCategories: 1019 | - configuration change 1020 | - creation 1021 | - deletion 1022 | - failover 1023 | - failure 1024 | - maintenance 1025 | - notification 1026 | SnsTopicArn: !Ref DBSNSTopic 1027 | 
SourceIds: [!Ref AuroraDBCluster] 1028 | SourceType: 'db-cluster' 1029 | 1030 | DatabaseInstanceEventSubscription: 1031 | Condition: EventSubscription 1032 | Type: 'AWS::RDS::EventSubscription' 1033 | Properties: 1034 | EventCategories: 1035 | - availability 1036 | - configuration change 1037 | - creation 1038 | - deletion 1039 | - failure 1040 | - low storage 1041 | - maintenance 1042 | - notification 1043 | - recovery 1044 | - security patching 1045 | SnsTopicArn: !Ref DBSNSTopic 1046 | SourceIds: 1047 | - !Ref Inst1 1048 | - !If [IsDBMultiAZ, !Ref Inst2, !Ref "AWS::NoValue"] 1049 | SourceType: 'db-instance' 1050 | 1051 | DBParameterGroupEventSubscription: 1052 | Condition: EventSubscription 1053 | Type: 'AWS::RDS::EventSubscription' 1054 | Properties: 1055 | EventCategories: 1056 | - "configuration change" 1057 | SnsTopicArn: !Ref DBSNSTopic 1058 | SourceIds: 1059 | - !Ref APGDBPG 1060 | SourceType: 'db-parameter-group' 1061 | 1062 | ############################################################################### 1063 | # Outputs 1064 | ############################################################################### 1065 | Outputs: 1066 | DBName: 1067 | Condition: DoCreateDatabase 1068 | Description: "Amazon Aurora database name" 1069 | Value: !Ref DBName 1070 | DBMasterUsername: 1071 | Description: "Amazon Aurora database master username" 1072 | Value: !Ref DBMasterUsername 1073 | MasterUserSecret: 1074 | Condition: UseSecretsManager 1075 | Description: "Master Credentials ARN" 1076 | Value: !Sub "${AuroraDBCluster.MasterUserSecret.SecretArn}" 1077 | RDSEndPointAddress: 1078 | Description: "Amazon Aurora write endpoint" 1079 | Value: !Sub "${AuroraDBCluster.Endpoint.Address}" 1080 | RDSReadEndPointAddress: 1081 | Description: "Amazon Aurora read endpoint" 1082 | Value: !Sub "${AuroraDBCluster.ReadEndpoint.Address}" 1083 | RDSEndPointPort: 1084 | Description: "Amazon Aurora port" 1085 | Value: !Sub "${AuroraDBCluster.Endpoint.Port}" 1086 | RDSEndPoints: 1087 | 
Description: "Full Amazon Aurora write endpoint" 1088 | Value: !If [DoCreateDatabase, !Sub "${AuroraDBCluster.Endpoint.Address}:${AuroraDBCluster.Endpoint.Port}/${DBName}", !Sub "${AuroraDBCluster.Endpoint.Address}:${AuroraDBCluster.Endpoint.Port}/postgres"] 1089 | RDSEncryptionKey: 1090 | Condition: UseDatabaseEncryption 1091 | Description: "The alias of the encryption key created for RDS" 1092 | Value: !Ref EncryptionKeyAlias --------------------------------------------------------------------------------