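CloudFormation do
  # Renders the MSSQL RDS component: a security group restricted to the
  # SQL Server listener port, a subnet group, a parameter group, an optional
  # native backup/restore option group with its IAM role, the DB instance and
  # an internal Route53 CNAME for its endpoint.
  #
  # Inputs such as master_username, security_group_rules, storage_encrypted,
  # native_backup_restore are cfndsl external parameters; `defined?` is used
  # throughout so each one stays optional.
  Description "#{component_name} - #{component_version}"

  tags = []
  tags << { Key: 'Environment', Value: Ref(:EnvironmentName) }
  tags << { Key: 'EnvironmentType', Value: Ref(:EnvironmentType) }
  extra_tags.each { |key, value| tags << { Key: key, Value: value } } if defined? extra_tags

  # Ingress is pinned to TCP/1433 (MSSQL). Each rule must name a source —
  # either a security group id or a CIDR — otherwise FnSub(nil) would render
  # `"Fn::Sub": null` and the template would only fail at deploy time, so the
  # missing source is rejected here at generation time instead.
  ingress = []
  if defined?(security_group_rules)
    security_group_rules.each do |rule|
      sg_rule = {
        FromPort: 1433,
        IpProtocol: 'TCP',
        ToPort: 1433,
      }
      if rule['security_group_id']
        sg_rule['SourceSecurityGroupId'] = FnSub(rule['security_group_id'])
      elsif rule['ip']
        # NOTE(review): a CIDR of 0.0.0.0/0 here would expose the listener to
        # every host the security group can reach; prefer security-group sources.
        sg_rule['CidrIp'] = FnSub(rule['ip'])
      else
        raise ArgumentError, "security_group_rules entry needs 'security_group_id' or 'ip': #{rule.inspect}"
      end
      sg_rule['Description'] = FnSub(rule['desc']) if rule['desc']
      ingress << sg_rule
    end
  end

  EC2_SecurityGroup 'SecurityGroupRDS' do
    VpcId Ref('VPCId')
    GroupDescription FnJoin(' ', [Ref(:EnvironmentName), component_name, 'security group'])
    SecurityGroupIngress ingress if ingress.any?
    # NOTE(review): egress is open on every protocol and port to 0.0.0.0/0.
    # The instance only needs outbound reachability for features such as the
    # S3-backed native backup/restore below; narrowing this (or routing S3 via a
    # VPC endpoint) limits what a compromised engine could reach. Kept as-is so
    # existing stacks do not change.
    SecurityGroupEgress([
      {
        CidrIp: "0.0.0.0/0",
        Description: "outbound all for ports",
        IpProtocol: -1,
      }
    ])
    Tags tags + [{ Key: 'Name', Value: FnJoin('-', [Ref(:EnvironmentName), component_name, 'security-group']) }]
  end

  Output(:SecurityGroup) {
    Value(Ref(:SecurityGroupRDS))
    Export FnSub("${EnvironmentName}-#{external_parameters[:component_name]}-SecurityGroup")
  }

  RDS_DBSubnetGroup 'SubnetGroupRDS' do
    DBSubnetGroupDescription FnJoin(' ', [Ref(:EnvironmentName), component_name, 'subnet group'])
    SubnetIds Ref('SubnetIds')
    Tags tags + [{ Key: 'Name', Value: FnJoin('-', [Ref(:EnvironmentName), component_name, 'subnet-group']) }]
  end

  RDS_DBParameterGroup 'ParametersRDS' do
    Description FnJoin(' ', [Ref(:EnvironmentName), component_name, 'parameter group'])
    Family family
    Parameters parameters if defined? parameters
    Tags tags + [{ Key: 'Name', Value: FnJoin('-', [Ref(:EnvironmentName), component_name, 'parameter-group']) }]
  end

  # Native backup/restore is opt-in: the option group and its role exist only
  # when native_backup_restore is both defined and truthy. The same flag gates
  # the OptionGroupName reference on the instance below, so a value of `false`
  # never produces a Ref to a resource that was not created.
  native_backup_enabled = defined?(native_backup_restore) && native_backup_restore

  if native_backup_enabled
    IAM_Role('RDSOptionGroupRole') do
      # Trust policy: only the RDS service principal may assume this role.
      # NOTE(review): an aws:SourceAccount / aws:SourceArn condition would close
      # the cross-account confused-deputy path; not added here as it depends on
      # how the role is used in each account.
      AssumeRolePolicyDocument({
        # Explicit policy language version; without it IAM falls back to the
        # 2008-10-17 grammar, which does not support policy variables.
        Version: '2012-10-17',
        Statement: [
          {
            Effect: 'Allow',
            Principal: { Service: ['rds.amazonaws.com'] },
            Action: ['sts:AssumeRole']
          }
        ]
      })
      Path '/'
      # Scoped to the single backup bucket (bucket + its objects), nothing
      # else; this is the S3 action set the template grants for the
      # SQLSERVER_BACKUP_RESTORE option.
      Policies([
        {
          PolicyName: 'RDSOptionGroupRole',
          PolicyDocument: {
            Version: '2012-10-17',
            Statement: [
              {
                Effect: 'Allow',
                Action: [
                  's3:ListBucket',
                  's3:GetBucketLocation',
                  's3:GetObjectMetaData',
                  's3:GetObject',
                  's3:PutObject',
                  's3:ListMultipartUploadParts',
                  's3:AbortMultipartUpload'
                ],
                Resource: [
                  FnJoin('', ['arn:aws:s3:::', Ref('DatabaseBucket')]),
                  FnJoin('', ['arn:aws:s3:::', Ref('DatabaseBucket'), '/*'])
                ]
              }
            ]
          }
        }
      ])
    end

    RDS_OptionGroup 'OptionGroupRDS' do
      # Retained on stack deletion so an instance restored elsewhere can still
      # reference it.
      DeletionPolicy 'Retain'
      EngineName engine
      # First five characters of engine_version, e.g. "14.00" from
      # "14.00.xxxx.x.v1" — assumes the MAJOR.MINOR prefix is always five
      # characters long; verify if a new engine line changes that format.
      MajorEngineVersion engine_version[0..4]
      OptionGroupDescription 'MSSQL Native Backup & Restore'
      OptionConfigurations [{
        OptionName: 'SQLSERVER_BACKUP_RESTORE',
        OptionSettings: [{
          Name: 'IAM_ROLE_ARN',
          Value: FnGetAtt('RDSOptionGroupRole', 'Arn')
        }]
      }]
      Tags tags + [{ Key: 'Name', Value: FnJoin('-', [Ref(:EnvironmentName), component_name, 'option-group']) }]
    end
  end

  # Master credentials. The default path resolves them from SSM at deploy time
  # (`ssm-secure` for the password) so the secret never appears in the rendered
  # template. NOTE(review): supplying master_password directly instead renders
  # it into the template in clear text. The `:1` suffix pins version 1 of each
  # SSM parameter, so rotating the parameter in SSM is not picked up by the
  # stack until that version number is changed here.
  instance_username = defined?(master_username) ? master_username : FnJoin('', ['{{resolve:ssm:', FnSub(master_login['username_ssm_param']), ':1}}'])
  instance_password = defined?(master_password) ? master_password : FnJoin('', ['{{resolve:ssm-secure:', FnSub(master_login['password_ssm_param']), ':1}}'])

  maintenance_window = external_parameters.fetch(:maintenance_window, nil)
  backup_window = external_parameters.fetch(:backup_window, nil)
  backup_retention_period = external_parameters.fetch(:backup_retention_period, nil)
  allow_major_version_upgrade = external_parameters.fetch(:allow_major_version_upgrade, nil)

  RDS_DBInstance 'RDS' do
    AllowMajorVersionUpgrade allow_major_version_upgrade unless allow_major_version_upgrade.nil?
    DeletionPolicy deletion_policy if defined? deletion_policy
    DBInstanceClass Ref('RDSInstanceType')
    AllocatedStorage Ref('RDSAllocatedStorage')
    StorageType 'gp2'
    Engine engine
    EngineVersion engine_version
    DBParameterGroupName Ref('ParametersRDS')
    MasterUsername instance_username
    MasterUserPassword instance_password
    DBSnapshotIdentifier Ref('RDSSnapshotID')
    DBSubnetGroupName Ref('SubnetGroupRDS')
    VPCSecurityGroups [Ref('SecurityGroupRDS')]
    MultiAZ Ref('MultiAZ')
    # NOTE(review): when publicly_accessible is set, the listener gets a public
    # endpoint; the 1433 ingress rules above are then the only thing in front of it.
    PubliclyAccessible publicly_accessible if defined? publicly_accessible
    # Only reference the option group when the resource is actually created
    # above (native_backup_restore defined and truthy).
    OptionGroupName Ref('OptionGroupRDS') if native_backup_enabled
    CharacterSetName character_set if defined? character_set
    LicenseModel license_model if defined? license_model
    PreferredBackupWindow backup_window unless backup_window.nil?
    PreferredMaintenanceWindow maintenance_window unless maintenance_window.nil?
    BackupRetentionPeriod backup_retention_period unless backup_retention_period.nil?
    Tags tags + [
      { Key: 'Name', Value: FnJoin('-', [Ref(:EnvironmentName), component_name, 'instance']) },
      { Key: 'SnapshotID', Value: Ref('RDSSnapshotID') },
      { Key: 'Version', Value: family }
    ]
    # NOTE(review): these cfn_nag suppressions carry a placeholder reason.
    # Record the risk actually being accepted (or drop the suppression) so the
    # findings are not silently hidden indefinitely.
    Metadata({
      cfn_nag: {
        rules_to_suppress: [
          { id: 'F23', reason: 'ignoring until further action is required' },
          { id: 'F24', reason: 'ignoring until further action is required' }
        ]
      }
    })
    # Encryption at rest is opt-in here. NOTE(review): new deployments should
    # set storage_encrypted; it is left opt-in because toggling it on an
    # existing instance forces replacement.
    storage_encrypted_enabled = defined?(storage_encrypted) && storage_encrypted == true
    StorageEncrypted storage_encrypted if defined? storage_encrypted
    # A KMS key is only meaningful together with StorageEncrypted. Both locals
    # are guarded so a kms_key_id without storage_encrypted does not raise
    # NameError; the mismatch is surfaced with a warning instead of being
    # dropped silently, since it would otherwise yield an unencrypted instance
    # despite a key being configured.
    if defined?(kms_key_id)
      if storage_encrypted_enabled
        KmsKeyId kms_key_id
      else
        warn "#{component_name}: kms_key_id is set but storage_encrypted is not true; KmsKeyId is ignored"
      end
    end
  end

  # Internal CNAME so clients address the database by a stable name rather
  # than the generated RDS endpoint.
  record = defined?(dns_record) ? dns_record : 'mssql'
  Route53_RecordSet('DatabaseIntHostRecord') do
    HostedZoneName FnJoin('', [Ref('EnvironmentName'), '.', Ref('DnsDomain'), '.'])
    Name FnJoin('', [record, '.', Ref('EnvironmentName'), '.', Ref('DnsDomain'), '.'])
    Type 'CNAME'
    TTL 60
    ResourceRecords [FnGetAtt('RDS', 'Endpoint.Address')]
  end
end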