
Merge pull request #247 from smoketurner/jp-improve-example
Improve example to launch RDS in the VPC
jplock authored May 9, 2020
2 parents ce5859d + ade28d5 commit 237cb11
Showing 4 changed files with 69 additions and 46 deletions.
8 changes: 4 additions & 4 deletions example/package.json
Expand Up @@ -16,11 +16,11 @@
"test": "sls invoke -f rds"
},
"devDependencies": {
"aws-sdk": "2.656.0",
"serverless": "1.67.3",
"aws-sdk": "2.673.0",
"serverless": "1.70.0",
"serverless-vpc-plugin": "smoketurner/serverless-vpc-plugin#master",
"serverless-webpack": "5.3.1",
"webpack": "4.42.1",
"serverless-webpack": "5.3.2",
"webpack": "4.43.0",
"webpack-node-externals": "1.7.2"
}
}
24 changes: 12 additions & 12 deletions example/resources/iam_cf.yml
@@ -1,29 +1,29 @@
---
Resources:
ExampleLambdaRole:
Type: "AWS::IAM::Role"
Type: 'AWS::IAM::Role'
Properties:
RoleName: "${self:service}-${self:provider.stage}-${self:provider.region}-ExampleLambdaRole"
RoleName: '${self:service}-${self:provider.stage}-${self:provider.region}-ExampleLambdaRole'
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: "lambda.amazonaws.com"
Action: "sts:AssumeRole"
Service: 'lambda.amazonaws.com'
Action: 'sts:AssumeRole'
Policies:
- PolicyName: ExampleLambdaPolicy
PolicyDocument:
Statement:
- Effect: Allow
Action: "secretsmanager:GetSecretValue"
Action: 'secretsmanager:GetSecretValue'
Resource: !Ref DBSecret
- Effect: Allow
Action:
- "rds-data:BatchExecuteStatement"
- "rds-data:BeginTransaction"
- "rds-data:CommitTransaction"
- "rds-data:ExecuteStatement"
- "rds-data:RollbackTransaction"
Resource: "*"
- 'rds-data:BatchExecuteStatement'
- 'rds-data:BeginTransaction'
- 'rds-data:CommitTransaction'
- 'rds-data:ExecuteStatement'
- 'rds-data:RollbackTransaction'
Resource: '*'
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
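Review bot: The new `ManagedPolicyArns` entry on the last line hard-codes the `aws` partition, whereas the line it replaces derived it from `${AWS::Partition}`, so the role no longer deploys in the aws-cn or aws-us-gov partitions (reading the single-quoted line as the new side, matching the quote style used elsewhere in this commit). Keeping the intrinsic while switching quote style preserves both: `- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'`. The `rds-data:*` statement above it still grants `Resource: '*'`; the Data API actions accept a cluster ARN as the resource, so a follow-up could scope it to the cluster this example creates. Both policy documents also lack `Version: '2012-10-17'`, which is worth adding so they are not evaluated under the legacy default policy grammar.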
77 changes: 51 additions & 26 deletions example/resources/rds_cf.yml
@@ -1,48 +1,73 @@
---
Resources:
DBClusterParameterGroup:
Type: 'AWS::RDS::DBClusterParameterGroup'
Properties:
Description: 'Aurora PostgreSQL 10 Parameter Group'
Family: aurora-postgresql10
Parameters:
rds.force_ssl: 1

DBSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: 'RDS Database Access'
SecurityGroupIngress:
- Description: 'Allow inbound PostgreSQL access from Lambda'
FromPort: 5432
IpProtocol: tcp
SourceSecurityGroupId: !GetAtt LambdaExecutionSecurityGroup.GroupId
ToPort: 5432
VpcId: !Ref VPC

DBCluster:
Type: 'AWS::RDS::DBCluster'
DeletionPolicy: Snapshot
Properties:
DatabaseName: ${self:custom.databaseName}
DBClusterIdentifier: '${self:service}-${self:provider.stage}'
DBSubnetGroupName:
Ref: RDSSubnetGroup
DBClusterParameterGroupName: !Ref DBClusterParameterGroup
DBSubnetGroupName: !Ref RDSSubnetGroup
EnableHttpEndpoint: true
Engine: aurora-postgresql
EngineMode: serverless
EngineVersion: '11.4'
EngineVersion: '10.7' # Data API only supports PostgreSQL 10.7 https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html#data-api.regions
MasterUsername:
'Fn::Join':
- ''
- - '{{resolve:secretsmanager:'
- Ref: DBSecret
- ':SecretString:username}}'
!Join ['', ['{{resolve:secretsmanager:', !Ref DBSecret, ':SecretString:username}}']]
MasterUserPassword:
'Fn::Join':
- ''
- - '{{resolve:secretsmanager:'
- Ref: DBSecret
- ':SecretString:password}}'
!Join ['', ['{{resolve:secretsmanager:', !Ref DBSecret, ':SecretString:password}}']]
ScalingConfiguration:
AutoPause: true
MaxCapacity: 2
MinCapacity: 2
SecondsUntilAutoPause: 300 # 5 minutes
StorageEncrypted: true
Tags:
- Key: Name
Value:
'Fn::Join':
- '-'
- - Ref: 'AWS::StackName'
- rds
Value: !Join ['-', [!Ref 'AWS::StackName', rds]]
UseLatestRestorableTime: true
VpcSecurityGroupIds:
- !Ref DBSecurityGroup

DBVpcEndpoint:
Type: 'AWS::EC2::VPCEndpoint'
Properties:
PrivateDnsEnabled: true
ServiceName: !Join ['.', ['com.amazonaws', !Ref 'AWS::Region', 'rds-data']]
SecurityGroupIds:
- !Ref LambdaEndpointSecurityGroup
SubnetIds:
- !Ref AppSubnet1
- !Ref AppSubnet2
- !Ref AppSubnet3
VpcEndpointType: Interface
VpcId: !Ref VPC

Outputs:
DBClusterAddress:
Description: RDS Cluster Address
Value:
'Fn::GetAtt':
- DBCluster
- 'Endpoint.Address'
Value: !GetAtt DBCluster.Endpoint.Address

DBClusterPort:
Description: RDS Cluster Port
Value:
'Fn::GetAtt':
- DBCluster
- 'Endpoint.Port'
Value: !GetAtt DBCluster.Endpoint.Port
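Review bot: `DBCluster` carries `DeletionPolicy: Snapshot` but no `UpdateReplacePolicy`, so any update that CloudFormation treats as a replacement (a changed `DBClusterIdentifier` is one, and the engine move from `11.4` to `10.7` on an already-deployed stack may be) would drop the old cluster without a snapshot. Add `UpdateReplacePolicy: Snapshot` beside the existing `DeletionPolicy` line. The new `DBSecurityGroup` correctly limits port 5432 to `LambdaExecutionSecurityGroup`, and the `rds-data` interface endpoint is attached to `LambdaEndpointSecurityGroup`; both groups and `AppSubnet1`–`AppSubnet3` are defined outside this file, so it is worth confirming that the endpoint group allows 443 from the function's group, otherwise Data API calls from inside the VPC will time out. `DatabaseName: ${self:custom.databaseName}` is the only unquoted Serverless variable in the file; quoting it the way `DBClusterIdentifier` is keeps it a string even if the custom value happens to look numeric or boolean.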
6 changes: 2 additions & 4 deletions example/resources/secretsmanager_cf.yml
Expand Up @@ -14,8 +14,6 @@ Resources:
DBClusterSecretTargetAttachment:
Type: 'AWS::SecretsManager::SecretTargetAttachment'
Properties:
SecretId:
Ref: DBSecret
TargetId:
Ref: DBCluster
SecretId: !Ref DBSecret
TargetId: !Ref DBCluster
TargetType: 'AWS::RDS::DBCluster'
