{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "This template creates an RDS Custom for SQL Server instance and its supporting components in a customer's existing VPC",
    "Parameters": {
        "Engine": {
            "Type": "String",
            "Default": "custom-sqlserver-se",
            "AllowedValues": [
                "custom-sqlserver-ee",
                "custom-sqlserver-se",
                "custom-sqlserver-web"
            ],
            "Description": "Enter the engine type: custom-sqlserver-ee, custom-sqlserver-se, or custom-sqlserver-web. The default is custom-sqlserver-se."
        },
        "StorageType": {
            "Type": "String",
            "Default": "gp2",
            "AllowedValues": [
                "gp2",
                "gp3",
                "io1"
            ],
            "Description": "Choose the storage type. Only solid state drive (SSD) storage types are supported: gp2, gp3 and io1."
        },
        "AllocatedStorage": {
            "Type": "String",
            "Description": "Enter the allocated storage. The maximum storage limit is 16 TiB."
        },
        "Iops": {
            "Type": "String",
            "Description": "If you specify io1 for the StorageType property, then you must also specify the Iops property."
        },
        "EngineVersion": {
            "Type": "String",
            "ConstraintDescription": "You can provide the engine version or the name of your CEV. The name format for the CEV is 19.*customized_string*. For example, a valid CEV name is 19.my_cev1."
        },
        "StorageThroughput": {
            "Type": "String",
            "Description": "Specifies the storage throughput value for the DB instance. This setting applies only to the gp3 storage type."
        },
        "MasterUsername": {
            "Type": "String",
            "Description": "The database admin account username",
            "MinLength": "1",
            "MaxLength": "10",
            "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
        },
        "DBInstanceClass": {
            "Type": "String",
            "Description": "The instance class type for the custom sql server instance"
        },
        "MultiAZ": {
            "Type": "String",
            "Description": "Specify whether the DB instance is a Multi-AZ deployment. Enter either true or false.",
            "Default": "false",
            "AllowedValues": [
                "true",
                "false"
            ]
        },
        "VPC": {
            "Type": "AWS::EC2::VPC::Id",
            "Description": "Specify the VPC ID of an existing VPC."
        },
        "PrivateSubnets": {
            "Type": "List<AWS::EC2::Subnet::Id>",
            "Description": "Specify the IDs of existing private subnets in the VPC. They are used for the DB subnet group and for the interface VPC endpoints."
        },
        "PrivateRouteTable": {
            "Type": "String",
            "Description": "The ID of the existing private route table; it is associated with the S3 VPC endpoint."
        },
        "VPCCidr": {
            "Type": "String",
            "Description": "Specify the source IPv4 CIDR block (IP address range) from which RDP connections to the EC2 instance are made. If left blank, RDP access to the EC2 instance won't be configured. Note that this value is also used as the CIDR for the HTTPS (TCP 443) rules on the VPC endpoint and RDS Custom security groups.",
            "Default": ""
        },
        "EnableRDPAccessToPrivateVPC": {
            "Type": "String",
            "Description": "Specify whether to open RDP access (TCP 3389) between the EC2 instance security group and the RDS Custom instance security group within the VPC.",
            "AllowedValues": [
                "Yes",
                "No"
            ],
            "Default": "No"
        }
    },
    "Conditions": {
        "NumberofIops": {
            "Fn::Equals": [
                {
                    "Ref": "StorageType"
                },
                "io1"
            ]
        },
        "Throughput": {
            "Fn::Equals": [
                {
                    "Ref": "StorageThroughput"
                },
                "gp3"
            ]
        },
        "NVirginiaRegionCondition": {
            "Fn::Equals": [
                {
                    "Ref": "AWS::Region"
                },
                "us-east-1"
            ]
        },
        "ConfigureSourceCondition": {
            "Fn::Not": [
                {
                    "Fn::Equals": [
                        {
                            "Ref": "VPCCidr"
                        },
                        ""
                    ]
                }
            ]
        },
        "CreatePrivateSubnetRDPRulesCondition": {
            "Fn::Equals": [
                {
                    "Ref": "EnableRDPAccessToPrivateVPC"
                },
                "Yes"
            ]
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Interface": {
            "ParameterGroups": [
                {
                    "Label": {
                        "default": "Parameters for RDS Custom for SQL Server"
                    },
                    "Parameters": [
                        "Engine",
                        "EngineVersion",
                        "DBInstanceClass",
                        "MultiAZ",
                        "StorageType",
                        "Iops",
                        "AllocatedStorage",
                        "StorageThroughput",
                        "MasterUsername"
                    ]
                }
            ]
        }
    },
    "Resources": {
        "RDSCustomKMSKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "Description": "KMS Key to encrypt RDS Custom Instances",
                "Enabled": true,
                "EnableKeyRotation": true,
                "PendingWindowInDays": 30,
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Id": "key-default-1",
                    "Statement": [
                        {
                            "Sid": "Enable IAM User Permissions",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
                                }
                            },
                            "Action": "kms:*",
                            "Resource": "*"
                        }
                    ]
                },
                "KeySpec": "SYMMETRIC_DEFAULT",
                "KeyUsage": "ENCRYPT_DECRYPT",
                "MultiRegion": false
            }
        },
        "RDSCustomKMSKeyAlias": {
            "Type": "AWS::KMS::Alias",
            "Properties": {
                "AliasName": {
                    "Fn::Sub": "alias/${AWS::StackName}-kms-key"
                },
                "TargetKeyId": {
                    "Ref": "RDSCustomKMSKey"
                }
            },
            "DependsOn": "RDSCustomKMSKey"
        },
        "RDSInstancePasswordSecret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {
                "KmsKeyId": {
                    "Ref": "RDSCustomKMSKey"
                },
                "GenerateSecretString": {
                    "SecretStringTemplate": {
                        "Fn::Join": [
                            "",
                            [
                                "{\"username\": \"",
                                {
                                    "Ref": "MasterUsername"
                                },
                                "\"}"
                            ]
                        ]
                    },
                    "GenerateStringKey": "password",
                    "PasswordLength": 16,
                    "ExcludeCharacters": "\"@/\\"
                }
            }
        },
        "RDSCustomSQLServerInstanceServiceRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {
                    "Fn::Sub": "AWSRDSCustom-${AWS::StackName}-${AWS::Region}"
                },
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Action": "sts:AssumeRole",
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "ec2.amazonaws.com"
                            }
                        }
                    ]
                },
                "Path": "/",
                "Policies": [
                    {
                        "PolicyName": "AWSRDSCustomEc2InstanceRolePolicy",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Sid": "ssmAgent1",
                                    "Effect": "Allow",
                                    "Action": [
                                        "ssm:GetDeployablePatchSnapshotForInstance",
                                        "ssm:ListAssociations",
                                        "ssm:PutInventory",
                                        "ssm:PutConfigurePackageResult",
                                        "ssm:UpdateInstanceInformation",
                                        "ssm:GetManifest"
                                    ],
                                    "Resource": "*"
                                },
                                {
                                    "Sid": "ssmAgent2",
                                    "Effect": "Allow",
                                    "Action": [
                                        "ssm:ListInstanceAssociations",
                                        "ssm:PutComplianceItems",
                                        "ssm:UpdateAssociationStatus",
                                        "ssm:DescribeAssociation",
                                        "ssm:UpdateInstanceAssociationStatus"
                                    ],
                                    "Resource": {
                                        "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
                                    },
                                    "Condition": {
                                        "StringLike": {
                                            "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                                        }
                                    }
                                },
                                {
                                    "Sid": "ssmAgent3",
                                    "Effect": "Allow",
                                    "Action": [
                                        "ssm:UpdateAssociationStatus",
                                        "ssm:DescribeAssociation",
                                        "ssm:GetDocument",
                                        "ssm:DescribeDocument"
                                    ],
                                    "Resource": {
                                        "Fn::Sub": "arn:${AWS::Partition}:ssm:*:*:document/*"
                                    }
                                },
                                {
                                    "Sid": "ssmAgent4",
                                    "Effect": "Allow",
                                    "Action": [
                                        "ssmmessages:CreateControlChannel",
                                        "ssmmessages:CreateDataChannel",
                                        "ssmmessages:OpenControlChannel",
                                        "ssmmessages:OpenDataChannel"
                                    ],
                                    "Resource": "*"
                                },
                                {
                                    "Sid": "ssmAgent5",
                                    "Effect": "Allow",
                                    "Action": [
                                        "ec2messages:AcknowledgeMessage",
                                        "ec2messages:DeleteMessage",
                                        "ec2messages:FailMessage",
                                        "ec2messages:GetEndpoint",
                                        "ec2messages:GetMessages",
                                        "ec2messages:SendReply"
                                    ],
                                    "Resource": "*"
                                },
                                {
                                    "Sid": "ssmAgent6",
                                    "Effect": "Allow",
                                    "Action": [
                                        "ssm:GetParameters",
                                        "ssm:GetParameter"
                                    ],
                                    "Resource": {
                                        "Fn::Sub": "arn:${AWS::Partition}:ssm:*:*:parameter/*"
                                    }
                                },
                                {
                                    "Sid": "ssmAgent7",
                                    "Effect": "Allow",
                                    "Action": [
                                        "ssm:UpdateInstanceAssociationStatus",
                                        "ssm:DescribeAssociation"
                                    ],
                                    "Resource": {
                                        "Fn::Sub": "arn:${AWS::Partition}:ssm:*:*:association/*"
                                    }
                                },
                                {
                                    "Sid": "eccSnapshot1",
                                    "Effect": "Allow",
                                    "Action": "ec2:CreateSnapshot",
                                    "Resource": [
                                        {
                                            "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*"
                                        }
                                    ],
                                    "Condition": {
                                        "StringLike": {
                                            "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                                        }
                                    }
                                },
                                {
                                    "Sid": "eccSnapshot2",
                                    "Effect": "Allow",
                                    "Action": "ec2:CreateSnapshot",
                                    "Resource": [
                                        {
                                            "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*"
                                        }
                                    ],
                                    "Condition": {
                                        "StringLike": {
                                            "aws:RequestTag/AWSRDSCustom": "custom-sqlserver"
                                        }
                                    }
                                },
                                {
                                    "Sid": "eccCreateTag",
                                    "Effect": "Allow",
                                    "Action": "ec2:CreateTags",
                                    "Resource": "*",
                                    "Condition": {
                                        "StringLike": {
                                            "aws:RequestTag/AWSRDSCustom": "custom-sqlserver",
                                            "ec2:CreateAction": [
                                                "CreateSnapshot"
                                            ]
                                        }
                                    }
                                },
                                {
                                    "Sid": "s3BucketAccess",
                                    "Effect": "Allow",
                                    "Action": [
                                        "s3:putObject",
                                        "s3:getObject",
                                        "s3:getObjectVersion",
                                        "s3:AbortMultipartUpload"
                                    ],
                                    "Resource": [
                                        {
                                            "Fn::Sub": "arn:${AWS::Partition}:s3:::do-not-delete-rds-custom-*/*"
                                        }
                                    ]
                                },
                                {
                                    "Sid": "customerCMKEncryption",
                                    "Effect": "Allow",
                                    "Action": [
                                        "kms:Decrypt",
                                        "kms:GenerateDataKey*"
                                    ],
                                    "Resource": [
                                        {
                                            "Fn::GetAtt": [
                                                "RDSCustomKMSKey",
                                                "Arn"
                                            ]
                                        }
                                    ]
                                },
                                {
                                    "Sid": "readSecretsFromCP",
                                    "Effect": "Allow",
                                    "Action": [
                                        "secretsmanager:GetSecretValue",
                                        "secretsmanager:DescribeSecret"
                                    ],
                                    "Resource": [
                                        {
                                            "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:do-not-delete-rds-custom-*"
                                        }
                                    ],
                                    "Condition": {
                                        "StringLike": {
                                            "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                                        }
                                    }
                                },
                                {
                                    "Sid": "publishCWMetrics",
                                    "Effect": "Allow",
                                    "Action": "cloudwatch:PutMetricData",
                                    "Resource": "*",
                                    "Condition": {
                                        "StringEquals": {
                                            "cloudwatch:namespace": "rdscustom/rds-custom-sqlserver-agent"
                                        }
                                    }
                                },
                                {
                                    "Sid": "putEventsToEventBus",
                                    "Effect": "Allow",
                                    "Action": "events:PutEvents",
                                    "Resource": {
                                        "Fn::Sub": "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default"
                                    }
                                },
                                {
                                    "Sid": "cwlOperations1",
                                    "Effect": "Allow",
                                    "Action": [
                                        "logs:PutRetentionPolicy",
                                        "logs:PutLogEvents",
                                        "logs:DescribeLogStreams",
                                        "logs:CreateLogStream",
                                        "logs:CreateLogGroup"
                                    ],
                                    "Resource": {
                                        "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:rds-custom-instance-*"
                                    }
                                },
                                {
                                    "Sid": "cwlOperations2",
                                    "Effect": "Allow",
                                    "Action": "logs:DescribeLogGroups",
                                    "Resource": {
                                        "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"
                                    }
                                },
                                {
                                    "Sid": "SendMessageToSQSQueue",
                                    "Effect": "Allow",
                                    "Action": [
                                        "SQS:SendMessage",
                                        "SQS:ReceiveMessage",
                                        "SQS:DeleteMessage",
                                        "SQS:GetQueueUrl"
                                    ],
                                    "Resource": [
                                        {
                                            "Fn::Sub": "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:do-not-delete-rds-custom-*"
                                        }
                                    ],
                                    "Condition": {
                                        "StringLike": {
                                            "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                                        }
                                    }
                                }
                            ]
                        }
                    }
                ]
            },
            "DependsOn": "RDSCustomKMSKey"
        },
        "RDSCustomSQLServerInstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {
                "InstanceProfileName": {
                    "Fn::Sub": "AWSRDSCustom-${AWS::StackName}-${AWS::Region}"
                },
                "Path": "/",
                "Roles": [
                    {
                        "Ref": "RDSCustomSQLServerInstanceServiceRole"
                    }
                ]
            },
            "DependsOn": "RDSCustomSQLServerInstanceServiceRole"
        },
        "EC2InstanceSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupName": {
                    "Fn::Sub": "${AWS::StackName}-ec2-instance-sg"
                },
                "GroupDescription": "Security group attached to EC2 Instance",
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "RDSCustomSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupName": {
                    "Fn::Sub": "${AWS::StackName}-rds-custom-instance-sg"
                },
                "GroupDescription": "Security group attached to RDS Custom DB Instance",
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "VPCEndpointSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupName": {
                    "Fn::Sub": "${AWS::StackName}-vpc-endpoint-sg"
                },
                "GroupDescription": "Security group attached to VPC Endpoints",
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "VPCEndpointSecurityGroupIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "VPCEndpointSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 443,
                "ToPort": 443,
                "CidrIp": {
                    "Ref": "VPCCidr"
                }
            },
            "DependsOn": [
                "VPCEndpointSecurityGroup",
                "RDSCustomSecurityGroup"
            ]
        },
        "VPCEndpointSecurityGroupEgress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "GroupId": {
                    "Ref": "VPCEndpointSecurityGroup"
                },
                "IpProtocol": -1,
                "CidrIp": "0.0.0.0/0"
            },
            "DependsOn": [
                "VPCEndpointSecurityGroup"
            ]
        },
        "RDSCustomSecurityGroupVpceEgress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "IpProtocol": "tcp",
                "FromPort": 443,
                "ToPort": 443,
                "CidrIp": {
                    "Ref": "VPCCidr"
                },
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                }
            },
            "DependsOn": [
                "RDSCustomSecurityGroup",
                "VPCEndpointSecurityGroup"
            ]
        },
        "RDSCustomSecurityGroupS3Egress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "IpProtocol": -1,
                "CidrIp": "0.0.0.0/0",
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                }
            },
            "DependsOn": "RDSCustomSecurityGroup"
        },
        "RDSCustomSecurityGroupDbPortIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 1433,
                "ToPort": 1433,
                "SourceSecurityGroupId": {
                    "Fn::GetAtt": [
                        "EC2InstanceSecurityGroup",
                        "GroupId"
                    ]
                }
            },
            "DependsOn": [
                "EC2InstanceSecurityGroup",
                "RDSCustomSecurityGroup"
            ]
        },
        "RDSCustomSecurityGroupRDPPortIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Condition": "CreatePrivateSubnetRDPRulesCondition",
            "Properties": {
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 3389,
                "ToPort": 3389,
                "SourceSecurityGroupId": {
                    "Fn::GetAtt": [
                        "EC2InstanceSecurityGroup",
                        "GroupId"
                    ]
                }
            },
            "DependsOn": [
                "EC2InstanceSecurityGroup",
                "RDSCustomSecurityGroup"
            ]
        },
        "RDSCustomSecurityGroupMAZIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 1120,
                "ToPort": 1120,
                "SourceSecurityGroupId": {
                    "Fn::GetAtt": [
                        "RDSCustomSecurityGroup",
                        "GroupId"
                    ]
                }
            },
            "DependsOn": [
                "RDSCustomSecurityGroup"
            ]
        },
        "RDSCustomSecurityGroupMAZEgress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 1120,
                "ToPort": 1120,
                "DestinationSecurityGroupId": {
                    "Fn::GetAtt": [
                        "RDSCustomSecurityGroup",
                        "GroupId"
                    ]
                }
            },
            "DependsOn": [
                "RDSCustomSecurityGroup"
            ]
        },
        "EC2InstanceSecurityGroupRDSCustomEgress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "IpProtocol": "tcp",
                "FromPort": 1433,
                "ToPort": 1433,
                "DestinationSecurityGroupId": {
                    "Fn::GetAtt": [
                        "RDSCustomSecurityGroup",
                        "GroupId"
                    ]
                },
                "GroupId": {
                    "Ref": "EC2InstanceSecurityGroup"
                }
            },
            "DependsOn": [
                "EC2InstanceSecurityGroup",
                "RDSCustomSecurityGroup"
            ]
        },
        "EC2InstanceSecurityGroupRDPPortEgress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Condition": "CreatePrivateSubnetRDPRulesCondition",
            "Properties": {
                "IpProtocol": "tcp",
                "FromPort": 3389,
                "ToPort": 3389,
                "DestinationSecurityGroupId": {
                    "Fn::GetAtt": [
                        "RDSCustomSecurityGroup",
                        "GroupId"
                    ]
                },
                "GroupId": {
                    "Ref": "EC2InstanceSecurityGroup"
                }
            },
            "DependsOn": [
                "EC2InstanceSecurityGroup",
                "RDSCustomSecurityGroup"
            ]
        },
        "EC2InstanceSecurityGroupRDPIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Condition": "ConfigureSourceCondition",
            "Properties": {
                "GroupId": {
                    "Ref": "EC2InstanceSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 3389,
                "ToPort": 3389,
                "CidrIp": {
                    "Ref": "VPCCidr"
                }
            },
            "DependsOn": [
                "EC2InstanceSecurityGroup"
            ]
        },
        "DBSubnetGroup": {
            "Type": "AWS::RDS::DBSubnetGroup",
            "Properties": {
                "DBSubnetGroupName": {
                    "Fn::Sub": "${AWS::StackName}-db-subnet-group"
                },
                "DBSubnetGroupDescription": "RDS Custom Private Network",
                "SubnetIds": {
                    "Ref": "PrivateSubnets"
                }
            }
        },
        "vpceS3": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "RouteTableIds": [
                    {
                        "Ref": "PrivateRouteTable"
                    }
                ],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.s3"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "vpceEC2": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [
                    {
                        "Ref": "VPCEndpointSecurityGroup"
                    }
                ],
                "SubnetIds": {
                    "Ref": "PrivateSubnets"
                },
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.ec2"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "vpceEC2Messages": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [
                    {
                        "Ref": "VPCEndpointSecurityGroup"
                    }
                ],
                "SubnetIds": {
                    "Ref": "PrivateSubnets"
                },
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.ec2messages"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "vpceMonitoring": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [
                    {
                        "Ref": "VPCEndpointSecurityGroup"
                    }
                ],
                "SubnetIds": {
                    "Ref": "PrivateSubnets"
                },
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.monitoring"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "vpceSSM": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [
                    {
                        "Ref": "VPCEndpointSecurityGroup"
                    }
                ],
                "SubnetIds": {
                    "Ref": "PrivateSubnets"
                },
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.ssm"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "vpceSSMMessages": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [
                    {
                        "Ref": "VPCEndpointSecurityGroup"
                    }
                ],
                "SubnetIds": {
                    "Ref": "PrivateSubnets"
                },
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.ssmmessages"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "vpceLogs": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [
                    {
                        "Ref": "VPCEndpointSecurityGroup"
                    }
                ],
                "SubnetIds": {
                    "Ref": "PrivateSubnets"
                },
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.logs"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "vpceEvents": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [
                    {
                        "Ref": "VPCEndpointSecurityGroup"
                    }
                ],
                "SubnetIds": {
                    "Ref": "PrivateSubnets"
                },
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.events"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "vpceSecretsManager": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [
                    {
                        "Ref": "VPCEndpointSecurityGroup"
                    }
                ],
                "SubnetIds": {
                    "Ref": "PrivateSubnets"
                },
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.secretsmanager"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "vpceSQS": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [
                    {
                        "Ref": "VPCEndpointSecurityGroup"
                    }
                ],
                "SubnetIds": {
                    "Ref": "PrivateSubnets"
                },
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.sqs"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "CustomSQLServer": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "AllocatedStorage": {
                    "Ref": "AllocatedStorage"
                },
                "StorageType": {
                    "Ref": "StorageType"
                },
                "DBInstanceClass": {
                    "Ref": "DBInstanceClass"
                },
                "Engine": {
                    "Ref": "Engine"
                },
                "Iops": {
                    "Fn::If": [
                        "NumberofIops",
                        {
                            "Ref": "Iops"
                        },
                        {
                            "Ref": "AWS::NoValue"
                        }
                    ]
                },
                "StorageEncrypted": true,
                "MultiAZ": {
                    "Ref": "MultiAZ"
                },
                "StorageThroughput": {
                    "Fn::If": [
                        "Throughput",
                        {
                            "Ref": "StorageThroughput"
                        },
                        {
                            "Ref": "AWS::NoValue"
                        }
                    ]
                },
                "CustomIAMInstanceProfile": {
                    "Ref": "RDSCustomSQLServerInstanceServiceRole"
                },
                "KmsKeyId": {
                    "Ref": "RDSCustomKMSKey"
                },
                "EngineVersion": {
                    "Ref": "EngineVersion"
                },
                "MasterUsername": {
                    "Ref": "MasterUsername"
                },
                "MasterUserPassword": {
                    "Fn::Join": [
                        "",
                        [
                            "{{resolve:secretsmanager:",
                            {
                                "Ref": "RDSInstancePasswordSecret"
                            },
                            ":SecretString:password}}"
                        ]
                    ]
                },
                "PubliclyAccessible": false,
                "VPCSecurityGroups": [
                    {
                        "Ref": "VPCEndpointSecurityGroup"
                    }
                ],
                "DBSubnetGroupName": {
                    "Ref": "DBSubnetGroup"
                },
                "AllowMajorVersionUpgrade": false
            },
            "DependsOn": [ "VPCEndpointSecurityGroup", "RDSCustomSQLServerInstanceServiceRole", "RDSCustomSQLServerInstanceProfile" ]
        }
    },
    "Outputs": {
        "StackName": {
            "Description": "Stack Name",
            "Value": {
                "Fn::Sub": "${AWS::StackName}"
            }
        },
        "RDSInstancePasswordSecret": {
            "Description": "Secrets Manager secret that holds the RDS master login credentials.",
            "Value": {
                "Ref": "RDSInstancePasswordSecret"
            }
        },
        "DBInstanceIdentifier": {
            "Description": "The database instance identifier",
            "Value": {
                "Ref": "CustomSQLServer"
            },
            "Export": {
                "Name": {
                    "Fn::Sub": [
                        "${AWS::StackName}-${Engine}-identifier",
                        {
                            "engine": {
                                "Ref": "Engine"
                            }
                        }
                    ]
                }
            }
        }
    }
}