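---
# Sample CloudFormation stack: one PostgreSQL RDS instance plus a VPC-attached,
# Lambda-backed custom resource that runs the initial DDL and creates the
# database users listed under DatabaseInit.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample stack for RDS database init

Parameters:
  DatabaseInstanceName:
    Type: String
    Description: Database instance name
    Default: sampledbinstance
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: The VPC to deploy into
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: List of subnet IDs to assign to the database and Lambda

Resources:
  DatabaseInitLambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Sample DB init Lambda security group"
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        # DNS and HTTPS stay open to the world: the custom resource has to
        # reach the Secrets Manager API and the pre-signed CloudFormation
        # response URL, whose addresses are not fixed.
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        # PostgreSQL egress only towards the database group, not 0.0.0.0/0.
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          DestinationSecurityGroupId: !Ref DatabaseSecurityGroup

  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Sample DB init DB security group"
      VpcId: !Ref VpcId
      # Ingress is declared as a separate resource (below) so this group and
      # the Lambda group can reference each other without a circular
      # dependency between two inline rule sets.

  DatabaseIngressFromInitLambda:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DatabaseSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      # Only the init Lambda may reach port 5432; the original rule admitted
      # 0.0.0.0/0. Add one SecurityGroupIngress resource per application
      # client group that also needs access.
      SourceSecurityGroupId: !Ref DatabaseInitLambdaSecurityGroup

  DatabaseSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: "Sample Subnet Group for RDS database init"
      SubnetIds: !Ref SubnetIds

  DatabaseMasterCredential:
    Type: AWS::SecretsManager::Secret
    Properties:
      # The fixed name is also what the custom resource receives as
      # MasterSecretId, so keep the two in sync.
      Name: sampledbmastercredentials
      GenerateSecretString:
        SecretStringTemplate: '{"username": "mydbadmin"}'
        GenerateStringKey: "password"
        PasswordLength: 24
        ExcludePunctuation: true

  DatabaseInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DatabaseInstanceName
      DBInstanceClass: "db.t2.small"
      Engine: postgres
      # NOTE(review): 9.6 is an old major version; confirm it is still
      # offered by RDS in the target region before deploying.
      EngineVersion: "9.6.9"
      Port: 5432
      AllocatedStorage: 100
      StorageType: gp2
      # Resolve the credentials through the secret's ARN (!Ref on a
      # SecretsManager secret returns the ARN). This replaces the hard-coded
      # secret name and gives CloudFormation the dependency on the secret
      # without an explicit DependsOn.
      MasterUsername: !Sub "{{resolve:secretsmanager:${DatabaseMasterCredential}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DatabaseMasterCredential}:SecretString:password}}"
      DBSubnetGroupName: !Ref DatabaseSubnetGroup
      VPCSecurityGroups:
        - !Ref DatabaseSecurityGroup

  DatabaseInitLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      # Policy documents as native YAML instead of embedded JSON; Version
      # 2012-10-17 is added so the documents use current policy grammar.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # CloudWatch Logs plus the ENI create/describe/delete actions a
      # VPC-attached function needs. This stands in for the former
      # "ec2:*" and "logs:*"; assumes the function uses EC2 only for its
      # VPC networking -- TODO confirm against the function code.
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
      Policies:
        - PolicyName: DatabaseInitLambdaRole-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                  # The function reads the master secret and creates the
                  # per-user secrets named under DatabaseUsers; the exact
                  # actions are not visible here, so the wildcard is kept.
                  # TODO narrow to the actions the function actually calls
                  # and scope Resource to this account's secrets.
                  - secretsmanager:*
                Resource: "*"

  DatabaseInitLambda:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: !GetAtt DatabaseInitLambdaRole.Arn
      # NOTE(review): python3.6 is a retired Lambda runtime; confirm the
      # bundled code runs on a supported Python before bumping this value.
      Runtime: python3.6
      Timeout: 60
      ReservedConcurrentExecutions: 1
      Code:
        # The code comes from a third-party bucket at an unversioned key.
        # Pin it with S3ObjectVersion set to the version id of the reviewed
        # app.zip, or host a reviewed copy in a bucket you control.
        S3Bucket: kablamo-rds-custom-resource
        S3Key: app.zip
      VpcConfig:
        SecurityGroupIds:
          - !Ref DatabaseInitLambdaSecurityGroup
        SubnetIds: !Ref SubnetIds

  DatabaseInit:
    Type: Custom::DatabaseInit
    # MasterSecretId below is a literal name, so the dependency on the secret
    # must be stated explicitly.
    DependsOn:
      - DatabaseMasterCredential
    Properties:
      ServiceToken: !GetAtt DatabaseInitLambda.Arn
      StackName: !Ref "AWS::StackName"
      RdsProperties:
        EndpointAddress: !GetAtt DatabaseInstance.Endpoint.Address
        MasterSecretId: "sampledbmastercredentials"
      # Scripts run in order, each list entry against the named database.
      Execute:
        - DatabaseName: "postgres"
          Scripts:
            - 'CREATE DATABASE "mydb";'
        - DatabaseName: "mydb"
          Scripts:
            - 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";'
      # Generated credentials for each user are stored under SecretId.
      DatabaseUsers:
        - Name: mysuperuser
          SuperUser: true
          SecretId: "mysuperusercredential"
        - Name: myapp
          SecretId: "myappcredential"
          Grants:
            - Database: postgres
              Permissions: CONNECT
            - Database: mydb
              Permissions: ALL PRIVILEGES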