AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
flyless lets you evolve a database schema in a serverless stack
Parameters:
  # Name of the initial database created on the RDS instance (DB.DBName);
  # also exported to the migration function as RDS_DB_NAME.
  DBName:
    Type: String
  # Passed straight through to the migration function as DB_STAGE; how the
  # handler interprets it is not visible in this template.
  DBStage:
    Type: String
  # Forwarded to LambdaMigrationFunctionTrigger as its DeployTimestamp
  # property. Presumably a fresh value is supplied on each deploy so the
  # custom resource is updated and the migration re-runs — verify against the
  # deployment script.
  DeployTimestamp:
    Type: Number
    Default: 0
Globals:
  Function:
    # Default timeout (seconds) for every AWS::Serverless::Function in this
    # template; MigrationFunction does not override it.
    Timeout: 30
Resources:
VPC:
  Type: AWS::EC2::VPC
  # Dedicated VPC for the stack. Nothing in it is publicly reachable except the
  # NAT gateway's EIP: the DB is not PubliclyAccessible and the function sits
  # in private subnets. The quoted 'true' values are accepted by
  # CloudFormation; plain booleans would be the conventional YAML form.
  Properties:
    CidrBlock: 10.0.0.0/16
    EnableDnsSupport: 'true'
    EnableDnsHostnames: 'true'
# Internet gateway; only used by PublicRT (default route) and, through the NAT
# gateway, for outbound traffic from the private subnets.
IG:
  Type: AWS::EC2::InternetGateway
IGAttachment:
  Type: AWS::EC2::VPCGatewayAttachment
  # Binds IG to VPC. EIP and MigrationFunction declare DependsOn this resource
  # because the gateway must be attached before either is usable.
  Properties:
    VpcId: !Ref VPC
    InternetGatewayId: !Ref IG
PrivateDBSubnetA:
  Type: AWS::EC2::Subnet
  # Database subnet in the first AZ of the deployment region; RDS is placed
  # here through DBPrivateSubnetGroup.
  Properties:
    VpcId:
      Ref: VPC
    CidrBlock: 10.0.1.0/24
    AvailabilityZone:
      Fn::Select:
        - 0
        - Fn::GetAZs:
            Ref: AWS::Region
PrivateDBSubnetB:
  Type: AWS::EC2::Subnet
  # Database subnet in the second AZ; together with PrivateDBSubnetA it
  # satisfies the two-AZ requirement of DBPrivateSubnetGroup.
  Properties:
    VpcId:
      Ref: VPC
    CidrBlock: 10.0.2.0/24
    AvailabilityZone:
      Fn::Select:
        - 1
        - Fn::GetAZs:
            Ref: AWS::Region
PrivateFnSubnetA:
  Type: AWS::EC2::Subnet
  # First subnet for MigrationFunction's ENIs (see VpcConfig.SubnetIds).
  Properties:
    VpcId:
      Ref: VPC
    CidrBlock: 10.0.10.0/24
    AvailabilityZone:
      Fn::Select:
        - 0
        - Fn::GetAZs:
            Ref: AWS::Region
PrivateFnSubnetB:
  Type: AWS::EC2::Subnet
  # Second subnet for MigrationFunction's ENIs, in the second AZ.
  Properties:
    VpcId:
      Ref: VPC
    CidrBlock: 10.0.11.0/24
    AvailabilityZone:
      Fn::Select:
        - 1
        - Fn::GetAZs:
            Ref: AWS::Region
PrivateRT:
  Type: AWS::EC2::RouteTable
  # Shared by all four private subnets (DB and Fn). Its only non-local route is
  # PrivateRTRouteToNG (0.0.0.0/0 -> NAT gateway).
  # NOTE(review): the DB subnets do not need a default route at all. Giving
  # PrivateDBSubnetA/B their own route table with no 0.0.0.0/0 entry would
  # remove every outbound path from the database tier.
  Properties:
    VpcId: !Ref VPC
PrivateRTAssociation1:
  Type: AWS::EC2::SubnetRouteTableAssociation
  # Bind the first DB subnet to the private route table.
  Properties:
    RouteTableId:
      Ref: PrivateRT
    SubnetId:
      Ref: PrivateDBSubnetA
PrivateRTAssociation2:
  Type: AWS::EC2::SubnetRouteTableAssociation
  # Bind the second DB subnet to the private route table.
  Properties:
    RouteTableId:
      Ref: PrivateRT
    SubnetId:
      Ref: PrivateDBSubnetB
PrivateRTAssociation3:
  Type: AWS::EC2::SubnetRouteTableAssociation
  # Bind the first function subnet to the private route table; this is what
  # gives the Lambda ENIs their NAT egress.
  Properties:
    RouteTableId:
      Ref: PrivateRT
    SubnetId:
      Ref: PrivateFnSubnetA
PrivateRTAssociation4:
  Type: AWS::EC2::SubnetRouteTableAssociation
  # Bind the second function subnet to the private route table.
  Properties:
    RouteTableId:
      Ref: PrivateRT
    SubnetId:
      Ref: PrivateFnSubnetB
NG:
  Type: AWS::EC2::NatGateway
  # Single NAT gateway in PublicSubnetA: the only outbound internet path for
  # the private subnets (via PrivateRTRouteToNG). One NAT in one AZ is a
  # single point of failure for egress from the second AZ.
  Properties:
    AllocationId: !GetAtt EIP.AllocationId
    SubnetId: !Ref PublicSubnetA
  # Redundant — the SubnetId reference already implies the VPC — but harmless.
  DependsOn: VPC
EIP:
  Type: AWS::EC2::EIP
  # Public address for the NAT gateway. A VPC-scoped EIP must not be allocated
  # before the internet gateway is attached, hence the explicit DependsOn.
  Properties:
    Domain: vpc
  DependsOn: IGAttachment
PrivateRTRouteToNG:
  Type: AWS::EC2::Route
  # Default route for the private subnets: all non-VPC traffic leaves through
  # the NAT gateway (outbound only; nothing can initiate inbound through it).
  Properties:
    DestinationCidrBlock: 0.0.0.0/0
    NatGatewayId:
      Ref: NG
    RouteTableId:
      Ref: PrivateRT
PublicSubnetA:
  Type: AWS::EC2::Subnet
  # Public subnet hosting the NAT gateway (NG). MapPublicIpOnLaunch is left at
  # its default, so instances launched here would not get public IPs
  # automatically.
  Properties:
    VpcId:
      Ref: VPC
    CidrBlock: 10.0.20.0/24
    AvailabilityZone:
      Fn::Select:
        - 0
        - Fn::GetAZs:
            Ref: AWS::Region
PublicSubnetB:
  Type: AWS::EC2::Subnet
  # Second public subnet. It is associated with PublicRT but nothing in this
  # template is placed in it.
  Properties:
    VpcId:
      Ref: VPC
    CidrBlock: 10.0.21.0/24
    AvailabilityZone:
      Fn::Select:
        - 1
        - Fn::GetAZs:
            Ref: AWS::Region
PublicRT:
  Type: AWS::EC2::RouteTable
  # Route table for the two public subnets; PublicRTRouteToInternet sends
  # 0.0.0.0/0 to the internet gateway.
  Properties:
    VpcId: !Ref VPC
PublicRTAssociation1:
  Type: AWS::EC2::SubnetRouteTableAssociation
  # Bind PublicSubnetA (where the NAT gateway lives) to the public route table.
  Properties:
    RouteTableId:
      Ref: PublicRT
    SubnetId:
      Ref: PublicSubnetA
PublicRTAssociation2:
  Type: AWS::EC2::SubnetRouteTableAssociation
  # Bind PublicSubnetB to the public route table.
  Properties:
    RouteTableId:
      Ref: PublicRT
    SubnetId:
      Ref: PublicSubnetB
PublicRTRouteToInternet:
  Type: AWS::EC2::Route
  # Default route for the public subnets straight to the internet gateway.
  Properties:
    DestinationCidrBlock: 0.0.0.0/0
    GatewayId:
      Ref: IG
    RouteTableId:
      Ref: PublicRT
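DB:
  Type: AWS::RDS::DBInstance
  # Single-AZ MySQL instance on the private DB subnets, reachable only from
  # members of FnSecurityGroup on 3306 (see DBSecurityGroup). Master
  # credentials are pulled from DBSecret at deploy time through dynamic
  # references, so they never appear in parameters or outputs.
  Properties:
    AllocatedStorage: 5
    DBInstanceClass: db.t3.small
    DBName: !Ref DBName
    Engine: mysql
    # NOTE(review): MySQL 5.7 is past RDS standard support; plan an upgrade to
    # a supported 8.0 minor version. Quoted so no YAML loader can retype it.
    EngineVersion: '5.7.31'
    MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref DBSecret, ':SecretString:username}}' ]]
    MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref DBSecret, ':SecretString:password}}' ]]
    MultiAZ: false
    PubliclyAccessible: false
    # Encrypt storage at rest with the account's default aws/rds KMS key. The
    # original template left this at its default (unencrypted). Changing it on
    # an already-deployed instance forces replacement of the instance.
    StorageEncrypted: true
    StorageType: gp2
    DBSubnetGroupName: !Ref DBPrivateSubnetGroup
    VPCSecurityGroups:
      - !GetAtt DBSecurityGroup.GroupId
  # Instance (and its data) is dropped with no final snapshot when the stack
  # is deleted — acceptable for a throwaway stack, not for data that must
  # survive.
  DeletionPolicy: Delete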
DBPrivateSubnetGroup:
  Type: AWS::RDS::DBSubnetGroup
  # Pins the RDS instance to the two private DB subnets (one per AZ).
  Properties:
    DBSubnetGroupDescription: DB subnet group
    SubnetIds:
      - !Ref PrivateDBSubnetA
      - !Ref PrivateDBSubnetB
DBSecret:
  Type: AWS::SecretsManager::Secret
  # Master credentials for DB, generated by Secrets Manager at deploy time and
  # never written into the template or its parameters. The username is fixed
  # to "admin"; only the password is generated.
  Properties:
    Description: !Sub 'This is the secret for database from ${AWS::StackName} stack'
    GenerateSecretString:
      SecretStringTemplate: '{"username": "admin"}'
      GenerateStringKey: 'password'
      # NOTE(review): 16 random characters is acceptable, but RDS allows MySQL
      # master passwords up to 41 characters; consider 32.
      PasswordLength: 16
      # Characters RDS rejects in a master password (/, @, ") plus backslash.
      # Single quotes keep the backslash literal; spaces are excluded unless
      # IncludeSpace is set.
      ExcludeCharacters: '"@/\'
SecretRDSInstanceAttachment:
  Type: AWS::SecretsManager::SecretTargetAttachment
  # Links DBSecret to the instance so Secrets Manager adds the connection
  # details (host, port, engine, ...) to the secret value. Presumably this is
  # what lets the handler connect using only RDS_SECRET — confirm in the
  # handler code.
  Properties:
    SecretId: !Ref DBSecret
    TargetId: !Ref DB
    TargetType: AWS::RDS::DBInstance
DBSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  # Only members of FnSecurityGroup may open MySQL (3306) connections; there is
  # no CIDR-based ingress. Outbound keeps the EC2 default (allow all) — an RDS
  # instance has no need for egress, so a deny-all egress rule could be added.
  Properties:
    VpcId:
      Ref: VPC
    GroupDescription: Allow access to MySQL from Lambda SG
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        SourceSecurityGroupId:
          Ref: FnSecurityGroup
FnSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  # Attached to MigrationFunction's ENIs and referenced by DBSecurityGroup as
  # the only permitted source for 3306. No ingress rules — none are needed for
  # a Lambda function.
  # NOTE(review): egress is the EC2 default (allow all). Restricting it to
  # 3306 -> DBSecurityGroup and 443 cannot be done inline here because
  # DBSecurityGroup already references this group (circular dependency); use a
  # separate AWS::EC2::SecurityGroupEgress resource if it is tightened.
  Properties:
    GroupDescription: Security group for Lambda function
    VpcId: !Ref VPC
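MigrationFunction:
  Type: AWS::Serverless::Function
  # Java handler that runs the schema migration. It is attached to the private
  # Fn subnets so it can reach DB on 3306 (allowed by DBSecurityGroup); its
  # only internet path is the NAT gateway via PrivateRT.
  Properties:
    CodeUri: MigrationFunction
    Handler: io.github.ajurasz.flyless.MigrationHandler::handleRequest
    Runtime: java11
    MemorySize: 512
    Policies:
      # ENI management for VpcConfig plus CloudWatch Logs.
      - AWSLambdaVPCAccessExecutionRole
      # Least privilege on the DB secret: the function only needs to read it.
      # The original secretsmanager:* also allowed it to rewrite, rotate or
      # delete the master credentials. DescribeSecret is kept in case the
      # handler inspects metadata first; drop it if the handler only calls
      # GetSecretValue.
      - Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - secretsmanager:GetSecretValue
              - secretsmanager:DescribeSecret
            Resource: !Ref DBSecret
    VpcConfig:
      SecurityGroupIds:
        - !Ref FnSecurityGroup
      SubnetIds:
        - !Ref PrivateFnSubnetA
        - !Ref PrivateFnSubnetB
    Environment:
      Variables:
        # ARN of the secret, not the secret value; the handler fetches it at
        # runtime with the permission granted above.
        RDS_SECRET: !Ref DBSecret
        RDS_DB_NAME: !Ref DBName
        DB_STAGE: !Ref DBStage
  # The function is invoked as a custom resource (LambdaMigrationFunctionTrigger),
  # so the database and the full outbound network path (NAT route, IGW) must
  # exist before it first runs — presumably so it can reach the custom-resource
  # response URL and Secrets Manager from inside the VPC.
  DependsOn:
    - DB
    - PublicRTAssociation1
    - PublicRTAssociation2
    - PublicRTRouteToInternet
    - PrivateRTAssociation3
    - PrivateRTAssociation4
    - PrivateRTRouteToNG
    - IGAttachment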
LambdaMigrationFunctionTrigger:
  # Custom resource whose provider is MigrationFunction itself: CloudFormation
  # invokes the function on stack create/update/delete. The handler must send
  # a success or failure response to the pre-signed ResponseURL it receives,
  # otherwise the stack operation hangs until it times out.
  Type: Custom::LambdaMigrationFunctionTrigger
  Properties:
    ServiceToken: !GetAtt MigrationFunction.Arn
    # Presumably changed on every deploy so the custom resource sees an
    # updated property and the migration re-runs; an unchanged value means no
    # invocation on stack update — confirm with the deployment script.
    DeployTimestamp: !Ref DeployTimestamp