{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
      "VpcCidr": {
        "Type": "String",
        "Description": "Specify an IPv4 CIDR block (or IP address range) for your VPC. The prefix length must be between /16 and /28",
        "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
        "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/NN, where NN is a prefix length between 16 and 28",
        "Default": "10.0.0.0/16"
      },
      "PrivateSubnet1Cidr": {
        "Type": "String",
        "Description": "Specify an IPv4 CIDR block (or IP address range) for your first private subnet. The block must lie within the VPC CIDR range and have a prefix length between /16 and /28",
        "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
        "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/NN, where NN is a prefix length between 16 and 28",
        "Default": "10.0.128.0/20"
      },
      "PrivateSubnet2Cidr": {
        "Type": "String", 
        "Description": "Specify an IPv4 CIDR block (or IP address range) for your second private subnet. The block must lie within the VPC CIDR range, must not overlap the first private subnet, and must have a prefix length between /16 and /28",
        "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
        "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/NN, where NN is a prefix length between 16 and 28",
        "Default": "10.0.144.0/20"
      },
      "PublicSubnet1Cidr": {
        "Type": "String", 
        "Description": "Specify an IPv4 CIDR block (or IP address range) for your public subnet. The block must lie within the VPC CIDR range, must not overlap either private subnet, and must have a prefix length between /16 and /28",
        "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
        "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/NN, where NN is a prefix length between 16 and 28",
        "Default": "10.0.0.0/20"
      },
      "SourceCidr": {
        "Type": "String", 
        "Description": "Specify the IPv4 CIDR block (or IP address range) of your source. This is the range from which inbound RDP (TCP 3389) is permitted into the public subnet by the public network ACL. Use the narrowest range possible (ideally a single /32); 0.0.0.0/0 would expose RDP to the entire internet. If left blank, no inbound RDP rule is created",
        "AllowedPattern": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|1[0-9]|2[0-9]|3[0-2]))$||^$)",
        "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/NN, where NN is a prefix length between 0 and 32, or left empty",
        "Default": ""
      },
      "EnableRDPAccessToPrivateVPC": {
        "Type": "String", 
        "Description": "Specify whether to add network ACL entries allowing RDP (TCP 3389) from the public subnet into the private subnets. This changes network ACLs only; any security group attached to the instances must also permit the traffic",
        "AllowedValues": [
          "Yes",
          "No"
        ],
        "Default": "No"
      }
    },
    "Metadata" : {
      "AWS::CloudFormation::Interface" : {
        "ParameterGroups" : [
          {
            "Label" : { "default" : "Network Configuration for RDS Custom SQL Server" },
            "Parameters" : [ "VpcCidr", "PrivateSubnet1Cidr", "PrivateSubnet2Cidr", "PublicSubnet1Cidr", "SourceCidr", "EnableRDPAccessToPrivateVPC" ]
          }
        ],
        "ParameterLabels" : {
          "VpcCidr" : { "default" : "IPv4 CIDR block for VPC" },
          "PrivateSubnet1Cidr" : { "default" : "IPv4 CIDR block for private subnet 1 of 2" },
          "PrivateSubnet2Cidr" : { "default" : "IPv4 CIDR block for private subnet 2 of 2" },
          "PublicSubnet1Cidr" : { "default" : "IPv4 CIDR block for the public subnet" },
          "SourceCidr" : { "default" : "IPv4 CIDR block of your RDP source (leave blank to disable inbound RDP)" },
          "EnableRDPAccessToPrivateVPC" : { "default" : "Set up RDP access from the public subnet to the RDS Custom for SQL Server instance (private subnets)?" }
        }
      }
    },
    "Mappings": {
      "S3VPCEndpointRegionalPrefixLists": {
        "ap-northeast-1": {
          "prefixlistid": "pl-61a54008",
          "prefixlistname": "com.amazonaws.ap-northeast-1.s3"
        },
        "ap-northeast-2": {
          "prefixlistid": "pl-78a54011",
          "prefixlistname": "com.amazonaws.ap-northeast-2.s3"
        },
        "ap-northeast-3": {
          "prefixlistid": "pl-a4a540cd",
          "prefixlistname": "com.amazonaws.ap-northeast-3.s3"
        },
        "ap-south-1": {
          "prefixlistid": "pl-78a54011",
          "prefixlistname": "com.amazonaws.ap-south-1.s3"
        },
        "ap-southeast-1": {
          "prefixlistid": "pl-6fa54006",
          "prefixlistname": "com.amazonaws.ap-southeast-1.s3"
        },
        "ap-southeast-2": {
          "prefixlistid": "pl-6ca54005",
          "prefixlistname": "com.amazonaws.ap-southeast-2.s3"
        },
        "ca-central-1": {
          "prefixlistid": "pl-7da54014",
          "prefixlistname": "com.amazonaws.ca-central-1.s3"
        },
        "cn-north-1": {
          "prefixlistid": "pl-62a5400b",
          "prefixlistname": "com.amazonaws.cn-north-1.s3"
        },
        "cn-northwest-1": {
          "prefixlistid": "pl-79a54010",
          "prefixlistname": "com.amazonaws.cn-northwest-1.s3"
        },
        "eu-central-1": {
          "prefixlistid": "pl-6ea54007",
          "prefixlistname": "com.amazonaws.eu-central-1.s3"
        },
        "eu-north-1": {
          "prefixlistid": "pl-c3aa4faa",
          "prefixlistname": "com.amazonaws.eu-north-1.s3"
        },
        "eu-west-1": {
          "prefixlistid": "pl-6da54004",
          "prefixlistname": "com.amazonaws.eu-west-1.s3"
        },
        "eu-west-2": {
          "prefixlistid": "pl-7ca54015",
          "prefixlistname": "com.amazonaws.eu-west-2.s3"
        },
        "eu-west-3": {
          "prefixlistid": "pl-23ad484a",
          "prefixlistname": "com.amazonaws.eu-west-3.s3"
        },
        "sa-east-1": {
          "prefixlistid": "pl-6aa54003",
          "prefixlistname": "com.amazonaws.sa-east-1.s3"
        },
        "us-east-1": {
          "prefixlistid": "pl-63a5400a",
          "prefixlistname": "com.amazonaws.us-east-1.s3"
        },
        "us-east-2": {
          "prefixlistid": "pl-7ba54012",
          "prefixlistname": "com.amazonaws.us-east-2.s3"
        },
        "us-west-1": {
          "prefixlistid": "pl-6ba54002",
          "prefixlistname": "com.amazonaws.us-west-1.s3"
        },
        "us-west-2": {
          "prefixlistid": "pl-68a54001",
          "prefixlistname": "com.amazonaws.us-west-2.s3"
        }
      }
    },
    "Conditions": {
      "NVirginiaRegionCondition": {
        "Fn::Equals": [{
            "Ref": "AWS::Region"
          },
          "us-east-1"
        ]
      },
      "ConfigureSourceCondition": {
        "Fn::Not": [{
          "Fn::Equals": [
            {"Ref": "SourceCidr"},
            ""
          ]
        }]
      },
      "CreatePrivateSubnetRDPRulesCondition": {
        "Fn::Equals": [{
            "Ref": "EnableRDPAccessToPrivateVPC"
          },
          "Yes"
        ]
      }
    },
    "Resources": {
      "RDSCustomKMSKey": {
        "Type": "AWS::KMS::Key",
        "Properties": {
          "Description": "Customer-managed KMS key used to encrypt RDS Custom instances (symmetric, automatic rotation enabled)",
          "Enabled": true,
          "EnableKeyRotation": true,
          "PendingWindowInDays": 30,
          "KeyPolicy": {
            "Version": "2012-10-17",
            "Id": "key-default-1",
            "Statement": [
              {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                  "AWS": {
                    "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
                  }
                },
                "Action": "kms:*",
                "Resource": "*"
              }
            ]
          },
          "KeySpec": "SYMMETRIC_DEFAULT",
          "KeyUsage": "ENCRYPT_DECRYPT",
          "MultiRegion": false
        }
      },
      "RDSCustomKMSKeyAlias": {
        "Type": "AWS::KMS::Alias",
        "Properties": {
          "AliasName": {
            "Fn::Sub": "alias/${AWS::StackName}-kms-key"
          },
          "TargetKeyId": {
            "Ref": "RDSCustomKMSKey"
          }
        },
        "DependsOn": "RDSCustomKMSKey"
      },
      "RDSCustomSQLServerInstanceServiceRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
          "RoleName": {
            "Fn::Sub": "AWSRDSCustom-${AWS::StackName}-${AWS::Region}"
          },
          "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": "ec2.amazonaws.com"
                }
              }
            ]
          },
          "Path": "/",
          "Policies": [
            {
              "PolicyName": "AWSRDSCustomEc2InstanceRolePolicy",
              "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Sid": "ssmAgent1",
                    "Effect": "Allow",
                    "Action": [
                      "ssm:GetDeployablePatchSnapshotForInstance",
                      "ssm:ListAssociations",
                      "ssm:PutInventory",
                      "ssm:PutConfigurePackageResult",
                      "ssm:UpdateInstanceInformation",
                      "ssm:GetManifest"
                    ],
                    "Resource": "*"
                  },
                  {
                    "Sid": "ssmAgent2",
                    "Effect": "Allow",
                    "Action": [
                      "ssm:ListInstanceAssociations",
                      "ssm:PutComplianceItems",
                      "ssm:UpdateAssociationStatus",
                      "ssm:DescribeAssociation",
                      "ssm:UpdateInstanceAssociationStatus"
                    ],
                    "Resource": {
                      "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
                    },
                    "Condition": {
                      "StringLike": {
                        "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                      }
                    }
                  },
                  {
                    "Sid": "ssmAgent3",
                    "Effect": "Allow",
                    "Action": [
                      "ssm:UpdateAssociationStatus",
                      "ssm:DescribeAssociation",
                      "ssm:GetDocument",
                      "ssm:DescribeDocument"
                    ],
                    "Resource": {
                      "Fn::Sub": "arn:${AWS::Partition}:ssm:*:*:document/*"
                    }
                  },
                  {
                    "Sid": "ssmAgent4",
                    "Effect": "Allow",
                    "Action": [
                      "ssmmessages:CreateControlChannel",
                      "ssmmessages:CreateDataChannel",
                      "ssmmessages:OpenControlChannel",
                      "ssmmessages:OpenDataChannel"
                    ],
                    "Resource": "*"
                  },
                  {
                    "Sid": "ssmAgent5",
                    "Effect": "Allow",
                    "Action": [
                      "ec2messages:AcknowledgeMessage",
                      "ec2messages:DeleteMessage",
                      "ec2messages:FailMessage",
                      "ec2messages:GetEndpoint",
                      "ec2messages:GetMessages",
                      "ec2messages:SendReply"
                    ],
                    "Resource": "*"
                  },
                  {
                    "Sid": "ssmAgent6",
                    "Effect": "Allow",
                    "Action": [
                      "ssm:GetParameters",
                      "ssm:GetParameter"
                    ],
                    "Resource": {
                      "Fn::Sub": "arn:${AWS::Partition}:ssm:*:*:parameter/*"
                    }
                  },
                  {
                    "Sid": "ssmAgent7",
                    "Effect": "Allow",
                    "Action": [
                      "ssm:UpdateInstanceAssociationStatus",
                      "ssm:DescribeAssociation"
                    ],
                    "Resource": {
                      "Fn::Sub": "arn:${AWS::Partition}:ssm:*:*:association/*"
                    }
                  },
                  {
                    "Sid": "eccSnapshot1",
                    "Effect": "Allow",
                    "Action": "ec2:CreateSnapshot",
                    "Resource": [
                      {
                        "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*"
                      }
                    ],
                    "Condition": {
                      "StringLike": {
                        "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                      }
                    }
                  },
                  {
                    "Sid": "eccSnapshot2",
                    "Effect": "Allow",
                    "Action": "ec2:CreateSnapshot",
                    "Resource": [
                      {
                        "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*"
                      }
                    ],
                    "Condition": {
                      "StringLike": {
                        "aws:RequestTag/AWSRDSCustom": "custom-sqlserver"
                      }
                    }
                  },
                  {
                    "Sid": "eccCreateTag",
                    "Effect": "Allow",
                    "Action": "ec2:CreateTags",
                    "Resource": "*",
                    "Condition": {
                      "StringLike": {
                        "aws:RequestTag/AWSRDSCustom": "custom-sqlserver",
                        "ec2:CreateAction": [
                          "CreateSnapshot"
                        ]
                      }
                    }
                  },
                  {
                    "Sid": "s3BucketAccess",
                    "Effect": "Allow",
                    "Action": [
                      "s3:putObject",
                      "s3:getObject",
                      "s3:getObjectVersion",
                      "s3:AbortMultipartUpload"
                    ],
                    "Resource": [
                      {
                        "Fn::Sub": "arn:${AWS::Partition}:s3:::do-not-delete-rds-custom-*/*"
                      }
                    ]
                  },
                  {
                    "Sid": "customerCMKEncryption",
                    "Effect": "Allow",
                    "Action": [
                      "kms:Decrypt",
                      "kms:GenerateDataKey*"
                    ],
                    "Resource": [
                      {
                        "Fn::GetAtt": [ "RDSCustomKMSKey", "Arn" ]
                      }
                    ]
                  },
                  {
                    "Sid": "readSecretsFromCP",
                    "Effect": "Allow",
                    "Action": [
                      "secretsmanager:GetSecretValue",
                      "secretsmanager:DescribeSecret"
                    ],
                    "Resource": [
                      {
                        "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:do-not-delete-rds-custom-*"
                      }
                    ],
                    "Condition": {
                      "StringLike": {
                        "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                      }
                    }
                  },
                  {
                    "Sid": "publishCWMetrics",
                    "Effect": "Allow",
                    "Action": "cloudwatch:PutMetricData",
                    "Resource": "*",
                    "Condition": {
                      "StringEquals": {
                        "cloudwatch:namespace": "rdscustom/rds-custom-sqlserver-agent"
                      }
                    }
                  },
                  {
                    "Sid": "putEventsToEventBus",
                    "Effect": "Allow",
                    "Action": "events:PutEvents",
                    "Resource": {
                      "Fn::Sub": "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default"
                    }
                  },
                  {
                    "Sid": "cwlOperations1",
                    "Effect": "Allow",
                    "Action": [
                      "logs:PutRetentionPolicy",
                      "logs:PutLogEvents",
                      "logs:DescribeLogStreams",
                      "logs:CreateLogStream",
                      "logs:CreateLogGroup"
                    ],
                    "Resource": {
                      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:rds-custom-instance-*"
                    }
                  },
                  {
                    "Sid": "cwlOperations2",
                    "Effect": "Allow",
                    "Action": "logs:DescribeLogGroups",
                    "Resource": {
                      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"
                    }
                  },
                  {
                    "Sid": "SendMessageToSQSQueue",
                    "Effect": "Allow",
                    "Action": [
                      "SQS:SendMessage",
                  	  "SQS:ReceiveMessage",
                      "SQS:DeleteMessage",                                    
                      "SQS:GetQueueUrl"

                    ],
                    "Resource": [
                      {
                        "Fn::Sub": "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:do-not-delete-rds-custom-*"
                      }
                    ],
                    "Condition": {
                      "StringLike": {
                        "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                      }
                    }
                  }                  
                ]
              }
            }
          ]
        },
        "DependsOn": "RDSCustomKMSKey"
      },
      "RDSCustomSQLServerInstanceProfile": {
        "Type": "AWS::IAM::InstanceProfile",
        "Properties": {
          "InstanceProfileName": {
            "Fn::Sub": "AWSRDSCustom-${AWS::StackName}-${AWS::Region}"
          },
          "Path": "/",
          "Roles": [
            {
              "Ref": "RDSCustomSQLServerInstanceServiceRole"
            }
          ]
        },
        "DependsOn": "RDSCustomSQLServerInstanceServiceRole"
      },
      "VPC": {
        "Type": "AWS::EC2::VPC",
        "Properties": {
          "CidrBlock": {
            "Ref": "VpcCidr"
          },
          "InstanceTenancy": "default",
          "EnableDnsSupport": "true",
          "EnableDnsHostnames": "true",
          "Tags": [{
              "Key": "Name",
              "Value": {
                "Fn::Sub": "${AWS::StackName}-vpc"
              }
            }
          ]
        }
      },
      "DHCPOptions": {
        "Type": "AWS::EC2::DHCPOptions",
        "Properties": {
          "DomainName": {
            "Fn::If": [
              "NVirginiaRegionCondition",
              "ec2.internal",
              {
                "Fn::Join": [
                  "",
                  [{
                      "Ref": "AWS::Region"
                    },
                    ".compute.internal"
                  ]
                ]
              }
            ]
          },
          "DomainNameServers": [
            "AmazonProvidedDNS"
          ],
          "Tags": [{
              "Key": "Name",
              "Value": {
                "Fn::Sub": "${AWS::StackName}-dhcp"
              }
            }
          ]
        }
      },
      "VPCDHCPOptionsAssociation": {
        "Type": "AWS::EC2::VPCDHCPOptionsAssociation",
        "Properties": {
          "VpcId": {
            "Ref": "VPC"
          },
          "DhcpOptionsId": {
            "Ref": "DHCPOptions"
          }
        },
        "DependsOn": "DHCPOptions"
      },
      "PrivateSubnet1": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "VpcId": {
            "Ref": "VPC"
          },
          "CidrBlock": {
            "Ref": "PrivateSubnet1Cidr"
          },
          "AvailabilityZone": {
            "Fn::Select" : [ "0", { "Fn::GetAZs" : { "Ref" : "AWS::Region" } } ]
          },
          "MapPublicIpOnLaunch" : false,
          "Tags": [{
              "Key": "Name",
              "Value": {
                "Fn::Sub": "${AWS::StackName}-private-subnet-1"
              }
            }
          ]
        },
        "DependsOn": "VPC"
      },
      "PrivateSubnet2": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "VpcId": {
            "Ref": "VPC"
          },
          "CidrBlock": {
            "Ref": "PrivateSubnet2Cidr"
          },
          "AvailabilityZone": {
            "Fn::Select" : [ "1", { "Fn::GetAZs" : { "Ref" : "AWS::Region" } } ]
          },
          "MapPublicIpOnLaunch" : false,
          "Tags": [{
              "Key": "Name",
              "Value": {
                "Fn::Sub": "${AWS::StackName}-private-subnet-2"
              }
            }
          ]
        },
        "DependsOn": "VPC"
      },
      "PublicSubnet1": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "VpcId": {
            "Ref": "VPC"
          },
          "CidrBlock": {
            "Ref": "PublicSubnet1Cidr"
          },
          "AvailabilityZone": {
            "Fn::Select" : [ "0", { "Fn::GetAZs" : { "Ref" : "AWS::Region" } } ]
          },
          "MapPublicIpOnLaunch" : false,
          "Tags": [{
              "Key": "Name",
              "Value": {
                "Fn::Sub": "${AWS::StackName}-public-subnet-1"
              }
            }
          ]
        },
        "DependsOn": "VPC"
      },
      "InternetGateway" : {
        "Type" : "AWS::EC2::InternetGateway",
        "Properties" : {
          "Tags" : [{
            "Key" : "Name",
            "Value" : {
              "Fn::Sub": "${AWS::StackName}-igw"
            }
          }]
        }
      },
      "InternetGatewayVPCAttachment" : {
        "Type" : "AWS::EC2::VPCGatewayAttachment",
        "Properties" : {
          "VpcId" : { "Ref" : "VPC" },
          "InternetGatewayId" : { "Ref" : "InternetGateway" }
        },
        "DependsOn": [ "VPC", "InternetGateway"]
      },
      "PrivateRouteTable": {
        "Type": "AWS::EC2::RouteTable",
        "Properties": {
          "VpcId": {
            "Ref": "VPC"
          },
          "Tags": [{
              "Key": "Name",
              "Value": {
                "Fn::Sub": "${AWS::StackName}-private-route-table"
              }
            }
          ]
        },
        "DependsOn": "VPC"
      },
      "PublicRouteTable": {
        "Type": "AWS::EC2::RouteTable",
        "Properties": {
          "VpcId": {
            "Ref": "VPC"
          },
          "Tags": [{
              "Key": "Name",
              "Value": {
                "Fn::Sub": "${AWS::StackName}-public-route-table"
              }
            }
          ]
        },
        "DependsOn": "VPC"
      },
      "PrivateRouteTableSubent1Association": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": {
            "Ref": "PrivateSubnet1"
          },
          "RouteTableId": {
            "Ref": "PrivateRouteTable"
          }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateRouteTable"]
      },
      "PrivateRouteTableSubent2Association": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": {
            "Ref": "PrivateSubnet2"
          },
          "RouteTableId": {
            "Ref": "PrivateRouteTable"
          }
        },
        "DependsOn": [ "PrivateSubnet2", "PrivateRouteTable"]
      },
      "PublicRouteTableSubent1Association": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": {
            "Ref": "PublicSubnet1"
          },
          "RouteTableId": {
            "Ref": "PublicRouteTable"
          }
        },
        "DependsOn": [ "PublicSubnet1", "PublicRouteTable"]
      },
      "InternetGatewayRoute" : {
        "Type" : "AWS::EC2::Route",
        "Properties" : {
          "RouteTableId" : { "Ref" : "PublicRouteTable" },
          "DestinationCidrBlock" : "0.0.0.0/0",
          "GatewayId" : { "Ref" : "InternetGateway" }
        },
        "DependsOn" : [ "InternetGateway", "PublicRouteTable" ]
      },
      "PrivateNetworkACL": {
        "Type": "AWS::EC2::NetworkAcl",
        "Properties": {
          "VpcId": {
            "Ref": "VPC"
          },
          "Tags": [{
              "Key": "Name",
              "Value": {
                "Fn::Sub": "${AWS::StackName}-private-network-acl"
              }
            }
          ]
        },
        "DependsOn": "VPC"
      },
      "PublicNetworkACL": {
        "Type": "AWS::EC2::NetworkAcl",
        "Properties": {
          "VpcId": {
            "Ref": "VPC"
          },
          "Tags": [{
              "Key": "Name",
              "Value": {
                "Fn::Sub": "${AWS::StackName}-public-network-acl"
              }
            }
          ]
        },
        "DependsOn": "VPC"
      },
       "PrivateNetworkACLHttpsInboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 10,
          "Protocol": 6,
          "RuleAction": "allow",
          "CidrBlock": "0.0.0.0/0",
          "PortRange": {
            "From": 32768,
            "To": 65535
          }
        },
        "DependsOn": "PrivateNetworkACL"
      },
      "PrivateNetworkACLHttpsOutboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 10,
          "Protocol": 6,
          "Egress": true,
          "RuleAction": "allow",
          "CidrBlock": "0.0.0.0/0",
          "PortRange": {
            "From": 443,
            "To": 443
          }
        },
        "DependsOn": "PrivateNetworkACL"
      },
      "PrivateNetworkACLDenyAllInboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 100,
          "Protocol": -1,
          "RuleAction": "deny",
          "CidrBlock": "0.0.0.0/0"
        },
        "DependsOn": "PrivateNetworkACL"
      },
      "PrivateNetworkACLDenyAllOutboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 100,
          "Protocol": -1,
          "Egress": true,
          "RuleAction": "deny",
          "CidrBlock": "0.0.0.0/0"
        },
        "DependsOn": "PrivateNetworkACL"
      },
      "PrivateNetworkACLDbPortInboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 15,
          "Protocol": 6,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "PublicSubnet1Cidr"
          },
          "PortRange": {
            "From": 1433,
            "To": 1433
          }
        },
        "DependsOn": "PrivateNetworkACL"
      },
      "PrivateNetworkACLDbPortOutboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 15,
          "Protocol": 6,
          "Egress": true,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "PublicSubnet1Cidr"
          },
          "PortRange": {
            "From": 32768,
            "To": 65535
          }
        },
        "DependsOn": "PrivateNetworkACL"
      },
      "PrivateNetworkACLRDPInboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Condition": "CreatePrivateSubnetRDPRulesCondition",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 17,
          "Protocol": 6,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "PublicSubnet1Cidr"
          },
          "PortRange": {
            "From": 3389,
            "To": 3389
          }
        },
        "DependsOn": "PrivateNetworkACL"
      },
      "PrivateNetworkACLRDPOutboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Condition": "CreatePrivateSubnetRDPRulesCondition",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 17,
          "Protocol": 6,
          "Egress": true,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "PublicSubnet1Cidr"
          },
          "PortRange": {
            "From": 1024,
            "To": 65535
          }
        },
        "DependsOn": "PrivateNetworkACL"
      },
      "PrivateNetworkACLMAZInboundRule1": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 18,
          "Protocol": 6,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "PrivateSubnet1Cidr"
          },
          "PortRange": {
            "From": 0,
            "To": 65535
          }
        },
        "DependsOn": "PrivateNetworkACL"
      },
      "PrivateNetworkACLMAZInboundRule2": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 19,
          "Protocol": 6,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "PrivateSubnet2Cidr"
          },
          "PortRange": {
            "From": 0,
            "To": 65535
          }
        },
        "DependsOn": "PrivateNetworkACL"
      },      
      "PrivateNetworkACLMAZOutboundRule1": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 18,
          "Protocol": 6,
          "Egress": true,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "PrivateSubnet1Cidr"
          },
          "PortRange": {
            "From": 0,
            "To": 65535
          }
        },
        "DependsOn": "PrivateNetworkACL"
      }, 
      "PrivateNetworkACLMAZOutboundRule2": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PrivateNetworkACL"
          },
          "RuleNumber": 19,
          "Protocol": 6,
          "Egress": true,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "PrivateSubnet2Cidr"
          },
          "PortRange": {
            "From": 0,
            "To": 65535
          }
        },
        "DependsOn": "PrivateNetworkACL"
      },
      "PublicNetworkACLDbPortInboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PublicNetworkACL"
          },
          "RuleNumber": 10,
          "Protocol": 6,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "VpcCidr"
          },
          "PortRange": {
            "From": 32768,
            "To": 65535
          }
        },
        "DependsOn": "PublicNetworkACL"
      },
      "PublicNetworkACLRDPInboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Condition": "ConfigureSourceCondition",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PublicNetworkACL"
          },
          "RuleNumber": 15,
          "Protocol": 6,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "SourceCidr"
          },
          "PortRange": {
            "From": 3389,
            "To": 3389
          }
        },
        "DependsOn": "PublicNetworkACL"
      },
      "PublicNetworkACLRDPInboundRule2": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Condition": "CreatePrivateSubnetRDPRulesCondition",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PublicNetworkACL"
          },
          "RuleNumber": 17,
          "Protocol": 6,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "VpcCidr"
          },
          "PortRange": {
            "From": 1024,
            "To": 65535
          }
        },
        "DependsOn": "PublicNetworkACL"
      },
      "PublicNetworkACLDbPortOutboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PublicNetworkACL"
          },
          "RuleNumber": 10,
          "Protocol": 6,
          "Egress": true,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "VpcCidr"
          },
          "PortRange": {
            "From": 1433,
            "To": 1433
          }
        },
        "DependsOn": "PublicNetworkACL"
      },
      "PublicNetworkACLRDPOutboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Condition": "ConfigureSourceCondition",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PublicNetworkACL"
          },
          "RuleNumber": 15,
          "Protocol": 6,
          "Egress": true,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "SourceCidr"
          },
          "PortRange": {
            "From": 1024,
            "To": 65535
          }
        },
        "DependsOn": "PublicNetworkACL"
      },
      "PublicNetworkACLRDPOutboundRule2": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Condition": "CreatePrivateSubnetRDPRulesCondition",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PublicNetworkACL"
          },
          "RuleNumber": 17,
          "Protocol": 6,
          "Egress": true,
          "RuleAction": "allow",
          "CidrBlock": {
            "Ref": "VpcCidr"
          },
          "PortRange": {
            "From": 3389,
            "To": 3389
          }
        },
        "DependsOn": "PublicNetworkACL"
      },
      "PublicNetworkACLDenyAllInboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PublicNetworkACL"
          },
          "RuleNumber": 20,
          "Protocol": -1,
          "RuleAction": "deny",
          "CidrBlock": "0.0.0.0/0"
        },
        "DependsOn": "PublicNetworkACL"
      },
      "PublicNetworkACLDenyAllOutboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": {
            "Ref": "PublicNetworkACL"
          },
          "RuleNumber": 20,
          "Protocol": -1,
          "Egress": true,
          "RuleAction": "deny",
          "CidrBlock": "0.0.0.0/0"
        },
        "DependsOn": "PublicNetworkACL"
      },
      "PrivateNetworkAclSubent1Association" : {
        "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
        "Properties" : {
          "SubnetId" : { "Ref" : "PrivateSubnet1" },
          "NetworkAclId" : { "Ref" : "PrivateNetworkACL" }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateNetworkACL"]
      },
      "PrivateNetworkAclSubent2Association" : {
        "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
        "Properties" : {
          "SubnetId" : { "Ref" : "PrivateSubnet2" },
          "NetworkAclId" : { "Ref" : "PrivateNetworkACL" }
        },
        "DependsOn": [ "PrivateSubnet2", "PrivateNetworkACL"]
      },
      "PublicNetworkAclSubent1Association" : {
        "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
        "Properties" : {
          "SubnetId" : { "Ref" : "PublicSubnet1" },
          "NetworkAclId" : { "Ref" : "PublicNetworkACL" }
        },
        "DependsOn": [ "PublicSubnet1", "PublicNetworkACL"]
      },
      "EC2InstanceSecurityGroup" : {
        "Type" : "AWS::EC2::SecurityGroup",
        "Properties" : {
          "GroupName": {
                "Fn::Sub": "${AWS::StackName}-ec2-instance-sg"
          },
          "GroupDescription" : "Security group attached to EC2 Instance",
          "VpcId" : {"Ref" : "VPC"}
        },
        "DependsOn": "VPC"
      },
      "RDSCustomSecurityGroup" : {
        "Type" : "AWS::EC2::SecurityGroup",
        "Properties" : {
          "GroupName": {
                "Fn::Sub": "${AWS::StackName}-rds-custom-instance-sg"
          },
          "GroupDescription" : "Security group attached to RDS Custom DB Instance",
          "VpcId" : {"Ref" : "VPC"}
        },
        "DependsOn": "VPC"
      },
      "VPCEndpointSecurityGroup" : {
        "Type" : "AWS::EC2::SecurityGroup",
        "Properties" : {
          "GroupName": {
                "Fn::Sub": "${AWS::StackName}-vpc-endpoint-sg"
          },
          "GroupDescription" : "Security group attached to VPC Endpoints",
          "VpcId" : {"Ref" : "VPC"}
        },
        "DependsOn": "VPC"
      },
      "VPCEndpointSecurityGroupIngress": {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": {
          "GroupId": {
            "Ref": "VPCEndpointSecurityGroup"
          },
          "IpProtocol": "tcp",
          "FromPort": 443,
          "ToPort": 443,
          "SourceSecurityGroupId": {
            "Fn::GetAtt": [
              "RDSCustomSecurityGroup",
              "GroupId"
            ]
          }
        },
        "DependsOn": ["VPCEndpointSecurityGroup", "RDSCustomSecurityGroup" ]
      },
      "VPCEndpointSecurityGroupEgress": {
        "Type": "AWS::EC2::SecurityGroupEgress",
        "Properties": {
          "GroupId": {
            "Ref": "VPCEndpointSecurityGroup"
          },
          "IpProtocol": "tcp",
          "FromPort": 443,
          "ToPort": 443,
          "CidrIp": {
            "Ref": "VpcCidr"
          }
        },
        "DependsOn": ["VPCEndpointSecurityGroup"]
      },
      "RDSCustomSecurityGroupVpceEgress": {
       "Type": "AWS::EC2::SecurityGroupEgress",
       "Properties":{
        "IpProtocol": "tcp",
          "FromPort": 443,
          "ToPort": 443,
          "DestinationSecurityGroupId": {
            "Fn::GetAtt": [
              "VPCEndpointSecurityGroup",
              "GroupId"
            ]
          },
          "GroupId": {
            "Ref": "RDSCustomSecurityGroup"
          }
        },
        "DependsOn": [ "RDSCustomSecurityGroup", "VPCEndpointSecurityGroup" ]
      },
      "RDSCustomSecurityGroupS3Egress": {
       "Type": "AWS::EC2::SecurityGroupEgress",
       "Properties":{
        "IpProtocol": "tcp",
          "FromPort": 443,
          "ToPort": 443,
          "DestinationPrefixListId": {
            "Fn::FindInMap": [
              "S3VPCEndpointRegionalPrefixLists",
              {
                "Ref": "AWS::Region"
              },
              "prefixlistid"
            ]
          },
          "GroupId": {
            "Ref": "RDSCustomSecurityGroup"
          }
        },
        "DependsOn": "RDSCustomSecurityGroup"
      },
      "RDSCustomSecurityGroupDbPortIngress": {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": {
          "GroupId": {
            "Ref": "RDSCustomSecurityGroup"
          },
          "IpProtocol": "tcp",
          "FromPort": 1433,
          "ToPort": 1433,
          "SourceSecurityGroupId": {
            "Fn::GetAtt": [
              "EC2InstanceSecurityGroup",
              "GroupId"
            ]
          }
        },
        "DependsOn": ["EC2InstanceSecurityGroup", "RDSCustomSecurityGroup" ]
      },
      "RDSCustomSecurityGroupRDPPortIngress": {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Condition": "CreatePrivateSubnetRDPRulesCondition",
        "Properties": {
          "GroupId": {
            "Ref": "RDSCustomSecurityGroup"
          },
          "IpProtocol": "tcp",
          "FromPort": 3389,
          "ToPort": 3389,
          "SourceSecurityGroupId": {
            "Fn::GetAtt": [
              "EC2InstanceSecurityGroup",
              "GroupId"
            ]
          }
        },
        "DependsOn": ["EC2InstanceSecurityGroup", "RDSCustomSecurityGroup" ]
      },
      "RDSCustomSecurityGroupMAZIngress": {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": {
          "GroupId": {
            "Ref": "RDSCustomSecurityGroup"
          },
          "IpProtocol": "tcp",
          "FromPort": 1120,
          "ToPort": 1120,
          "SourceSecurityGroupId": {
            "Fn::GetAtt": [
              "RDSCustomSecurityGroup",
              "GroupId"
            ]
          }
        },
        "DependsOn": ["RDSCustomSecurityGroup" ]
      },
      "RDSCustomSecurityGroupMAZEgress": {
       "Type": "AWS::EC2::SecurityGroupEgress",
        "Properties": {
          "GroupId": {
            "Ref": "RDSCustomSecurityGroup"
          },
          "IpProtocol": "tcp",
          "FromPort": 1120,
          "ToPort": 1120,
          "DestinationSecurityGroupId": {
            "Fn::GetAtt": [
              "RDSCustomSecurityGroup",
              "GroupId"
            ]
          }
        },
        "DependsOn": ["RDSCustomSecurityGroup" ]
      },      
      "EC2InstanceSecurityGroupRDSCustomEgress": {
       "Type": "AWS::EC2::SecurityGroupEgress",
       "Properties":{
        "IpProtocol": "tcp",
          "FromPort": 1433,
          "ToPort": 1433,
          "DestinationSecurityGroupId": {
            "Fn::GetAtt": [
              "RDSCustomSecurityGroup",
              "GroupId"
            ]
          },
          "GroupId": {
            "Ref": "EC2InstanceSecurityGroup"
          }
        },
        "DependsOn": [ "EC2InstanceSecurityGroup", "RDSCustomSecurityGroup" ]
      },
      "EC2InstanceSecurityGroupRDPPortEgress": {
       "Type": "AWS::EC2::SecurityGroupEgress",
        "Condition": "CreatePrivateSubnetRDPRulesCondition",
       "Properties":{
        "IpProtocol": "tcp",
          "FromPort": 3389,
          "ToPort": 3389,
          "DestinationSecurityGroupId": {
            "Fn::GetAtt": [
              "RDSCustomSecurityGroup",
              "GroupId"
            ]
          },
          "GroupId": {
            "Ref": "EC2InstanceSecurityGroup"
          }
        },
        "DependsOn": [ "EC2InstanceSecurityGroup", "RDSCustomSecurityGroup" ]
      },
      "EC2InstanceSecurityGroupRDPIngress": {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Condition": "ConfigureSourceCondition",
        "Properties": {
          "GroupId": {
            "Ref": "EC2InstanceSecurityGroup"
          },
          "IpProtocol": "tcp",
          "FromPort": 3389,
          "ToPort": 3389,
          "CidrIp": {
            "Ref": "SourceCidr"
          }
        },
        "DependsOn": ["EC2InstanceSecurityGroup"]
      },
      "DBSubnetGroup": {
        "Type": "AWS::RDS::DBSubnetGroup",
        "Properties": {
          "DBSubnetGroupName": {
            "Fn::Sub": "${AWS::StackName}-db-subnet-group"
          },
          "DBSubnetGroupDescription": "RDS Custom Private Network",
          "SubnetIds": [
            {"Ref": "PrivateSubnet1"},
            {"Ref": "PrivateSubnet2"}
          ]
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateSubnet2" ]
      },
      "vpceS3": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "RouteTableIds": [
            {
              "Ref": "PrivateRouteTable"
            }
          ],
          "ServiceName": {
            "Fn::Sub": "com.amazonaws.${AWS::Region}.s3"
          },
          "VpcId": {
            "Ref": "VPC"
          },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "s3:putObject",
                  "s3:getObject",
                  "s3:getObjectVersion",
                  "s3:AbortMultipartUpload"
                ],
                "Resource": [
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:s3:::do-not-delete-rds-custom-*/*"
                  }
                ],
                "Principal": "*",
                "Condition": {
                  "ArnEquals": {
                    "aws:PrincipalArn": {
                      "Fn::GetAtt": [
                        "RDSCustomSQLServerInstanceServiceRole",
                        "Arn"
                      ]
                    }
                  }
                }
              },
              {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": [
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:s3:::aws-windows-downloads-${AWS::Region}/*"
                  },
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:s3:::amazon-ssm-${AWS::Region}/*"
                  },
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:s3:::${AWS::Region}-birdwatcher-prod/*"
                  },
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:s3:::aws-ssm-distributor-file-${AWS::Region}/*"
                  },
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:s3:::aws-ssm-document-attachments-${AWS::Region}/*"
                  },
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:s3:::aws-ssm-${AWS::Region}/*"
                  },
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:s3:::amazoncloudwatch-agent-${AWS::Region}/*"
                  },
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:s3:::aws-rds-custom-sqlserver-${AWS::Region}/*"
                  }
                ],
                "Principal": "*"
              }
            ]
          }
        },
        "DependsOn": [ "PrivateRouteTable", "RDSCustomSQLServerInstanceServiceRole" ]
      },
      "vpceEC2": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "VpcEndpointType": "Interface",
          "PrivateDnsEnabled": true,
          "SecurityGroupIds": [
            {"Ref": "VPCEndpointSecurityGroup"}
          ],
          "SubnetIds": [
            {"Ref": "PrivateSubnet1"},
            {"Ref": "PrivateSubnet2"}
          ],
          "ServiceName": {
            "Fn::Sub": "com.amazonaws.${AWS::Region}.ec2"
          },
          "VpcId": {
            "Ref": "VPC"
          },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": "ec2:CreateSnapshot",
                "Effect": "Allow",
                "Resource": [
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:volume/*"
                  }
                ],
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                },
                "Condition": {
                  "StringLike": {
                    "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                  }
                }
              },
              {
                "Action": "ec2:CreateSnapshot",
                "Effect": "Allow",
                "Resource": [
                  {
                    "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}::snapshot/*"
                  }
                ],
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                },
                "Condition": {
                  "StringLike": {
                    "aws:RequestTag/AWSRDSCustom": "custom-sqlserver"
                  }
                }
              },
              {
                "Action": "ec2:CreateTags",
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                },
                "Condition": {
                  "StringLike": {
                    "aws:RequestTag/AWSRDSCustom": "custom-sqlserver",
                    "ec2:CreateAction": [
                      "CreateSnapshot"
                    ]
                  }
                }
              }
            ]
          }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup", "RDSCustomSQLServerInstanceServiceRole" ]
      },
      "vpceEC2Messages": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "VpcEndpointType": "Interface",
          "PrivateDnsEnabled": true,
          "SecurityGroupIds": [
            {"Ref": "VPCEndpointSecurityGroup"}
          ],
          "SubnetIds": [
            {"Ref": "PrivateSubnet1"},
            {"Ref": "PrivateSubnet2"}
          ],
          "ServiceName": {
            "Fn::Sub": "com.amazonaws.${AWS::Region}.ec2messages"
          },
          "VpcId": {
            "Ref": "VPC"
          },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": [
                  "ec2messages:AcknowledgeMessage",
                  "ec2messages:DeleteMessage",
                  "ec2messages:FailMessage",
                  "ec2messages:GetEndpoint",
                  "ec2messages:GetMessages",
                  "ec2messages:SendReply"
                ],
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                }
              }
            ]
          }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup", "RDSCustomSQLServerInstanceServiceRole" ]
      },
      "vpceMonitoring": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "VpcEndpointType": "Interface",
          "PrivateDnsEnabled": true,
          "SecurityGroupIds": [
            {"Ref": "VPCEndpointSecurityGroup"}
          ],
          "SubnetIds": [
            {"Ref": "PrivateSubnet1"},
            {"Ref": "PrivateSubnet2"}
          ],
          "ServiceName": {
            "Fn::Sub": "com.amazonaws.${AWS::Region}.monitoring"
          },
          "VpcId": {
            "Ref": "VPC"
          },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": "cloudwatch:PutMetricData",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                  "StringEquals": {
                    "cloudwatch:namespace": "rdscustom/rds-custom-sqlserver-agent"
                  }
                },
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                }
              }
            ]
          }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup", "RDSCustomSQLServerInstanceServiceRole" ]
      },
      "vpceSSM": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "VpcEndpointType": "Interface",
          "PrivateDnsEnabled": true,
          "SecurityGroupIds": [
            {"Ref": "VPCEndpointSecurityGroup"}
          ],
          "SubnetIds": [
            {"Ref": "PrivateSubnet1"},
            {"Ref": "PrivateSubnet2"}
          ],
          "ServiceName": {
            "Fn::Sub": "com.amazonaws.${AWS::Region}.ssm"
          },
          "VpcId": {
            "Ref": "VPC"
          },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": [
                  "ssm:GetDeployablePatchSnapshotForInstance",
                  "ssm:ListAssociations",
                  "ssm:PutInventory",
                  "ssm:PutConfigurePackageResult",
                  "ssm:UpdateInstanceInformation",
                  "ssm:GetManifest"
                ],
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                }
              },
              {
                "Action": [
                  "ssm:ListInstanceAssociations",
                  "ssm:PutComplianceItems",
                  "ssm:UpdateAssociationStatus",
                  "ssm:DescribeAssociation",
                  "ssm:UpdateInstanceAssociationStatus"
                ],
                "Effect": "Allow",
                "Resource": {
                  "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"                
                },
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                },
                "Condition": {
                  "StringLike": {
                    "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                  }
                }
              },
              {
                "Action": [
                  "ssm:UpdateAssociationStatus",
                  "ssm:DescribeAssociation",
                  "ssm:GetDocument",
                  "ssm:DescribeDocument"
                ],
                "Effect": "Allow",
                "Resource": {
                  "Fn::Sub": "arn:${AWS::Partition}:ssm:*:*:document/*"                
                },
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                }
              },
              {
                "Action": [
                  "ssm:GetParameters",
                  "ssm:GetParameter"
                ],
                "Effect": "Allow",
                "Resource": {
                  "Fn::Sub": "arn:${AWS::Partition}:ssm:*:*:parameter/*"                
                },
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                }
              },
              {
                "Action": [
                  "ssm:UpdateInstanceAssociationStatus",
                  "ssm:DescribeAssociation"
                ],
                "Effect": "Allow",
                "Resource": {
                  "Fn::Sub": "arn:${AWS::Partition}:ssm:*:*:association/*"                
                },
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                }
              }
            ]
          }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup", "RDSCustomSQLServerInstanceServiceRole" ]
      },
      "vpceSSMMessages": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "VpcEndpointType": "Interface",
          "PrivateDnsEnabled": true,
          "SecurityGroupIds": [
            {"Ref": "VPCEndpointSecurityGroup"}
          ],
          "SubnetIds": [
            {"Ref": "PrivateSubnet1"},
            {"Ref": "PrivateSubnet2"}
          ],
          "ServiceName": {
            "Fn::Sub": "com.amazonaws.${AWS::Region}.ssmmessages"
          },
          "VpcId": {
            "Ref": "VPC"
          },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": [
                  "ssmmessages:CreateControlChannel",
                  "ssmmessages:CreateDataChannel",
                  "ssmmessages:OpenControlChannel",
                  "ssmmessages:OpenDataChannel"
                ],
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                }
              }
            ]
          }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup", "RDSCustomSQLServerInstanceServiceRole" ]
      },
      "vpceLogs": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "VpcEndpointType": "Interface",
          "PrivateDnsEnabled": true,
          "SecurityGroupIds": [
            {"Ref": "VPCEndpointSecurityGroup"}
          ],
          "SubnetIds": [
            {"Ref": "PrivateSubnet1"},
            {"Ref": "PrivateSubnet2"}
          ],
          "ServiceName": {
            "Fn::Sub": "com.amazonaws.${AWS::Region}.logs"
          },
          "VpcId": {
            "Ref": "VPC"
          },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": [
                  "logs:PutRetentionPolicy",
                  "logs:PutLogEvents",
                  "logs:DescribeLogStreams",
                  "logs:CreateLogStream",
                  "logs:CreateLogGroup"
                ],
                "Effect": "Allow",
                "Resource": {
                  "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:rds-custom-instance-*"                
                },
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                }
              },
              {
                "Action": "logs:DescribeLogGroups",
                "Effect": "Allow",
                "Resource": {
                  "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"                
                },
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                }
              }
            ]
          }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup", "RDSCustomSQLServerInstanceServiceRole" ]
      },
      "vpceEvents": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "VpcEndpointType": "Interface",
          "PrivateDnsEnabled": true,
          "SecurityGroupIds": [
            {"Ref": "VPCEndpointSecurityGroup"}
          ],
          "SubnetIds": [
            {"Ref": "PrivateSubnet1"},
            {"Ref": "PrivateSubnet2"}
          ],
          "ServiceName": {
            "Fn::Sub": "com.amazonaws.${AWS::Region}.events"
          },
          "VpcId": {
            "Ref": "VPC"
          },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": "*",
                "Effect": "Allow",
                "Resource": {
                  "Fn::Sub": "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default"                
                },
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                }
              }
            ]
          }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup", "RDSCustomSQLServerInstanceServiceRole" ]
      },
      "vpceSecretsManager": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "VpcEndpointType": "Interface",
          "PrivateDnsEnabled": true,
          "SecurityGroupIds": [
            {"Ref": "VPCEndpointSecurityGroup"}
          ],
          "SubnetIds": [
            {"Ref": "PrivateSubnet1"},
            {"Ref": "PrivateSubnet2"}
          ],
          "ServiceName": {
            "Fn::Sub": "com.amazonaws.${AWS::Region}.secretsmanager"
          },
          "VpcId": {
            "Ref": "VPC"
          },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": [
                  "secretsmanager:GetSecretValue",
                  "secretsmanager:DescribeSecret"
                ],
                "Effect": "Allow",
                "Resource": {
                  "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:do-not-delete-rds-custom-*"                
                },
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                },
                "Condition": {
                  "StringLike": {
                    "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                  }
                }
              }
            ]
          }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup", "RDSCustomSQLServerInstanceServiceRole" ]
      },
      "vpceSQS": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "VpcEndpointType": "Interface",
          "PrivateDnsEnabled": true,
          "SecurityGroupIds": [
            {"Ref": "VPCEndpointSecurityGroup"}
          ],
          "SubnetIds": [
            {"Ref": "PrivateSubnet1"},
            {"Ref": "PrivateSubnet2"}
          ],
          "ServiceName": {
            "Fn::Sub": "com.amazonaws.${AWS::Region}.sqs"
          },
          "VpcId": {
            "Ref": "VPC"
          },
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": [
                  "SQS:SendMessage",
                  "SQS:ReceiveMessage",
                  "SQS:DeleteMessage",                                    
                  "SQS:GetQueueUrl"
                ],
                "Effect": "Allow",
                "Resource": {
                  "Fn::Sub": "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:do-not-delete-rds-custom-*"                
                },
                "Principal": {
                  "AWS": { 
                    "Fn::GetAtt": [
                      "RDSCustomSQLServerInstanceServiceRole",
                      "Arn"
                    ]
                  }
                },
                "Condition": {
                  "StringLike": {
                    "aws:ResourceTag/AWSRDSCustom": "custom-sqlserver"
                  }
                }
              }
            ]
          }
        },
        "DependsOn": [ "PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup", "RDSCustomSQLServerInstanceServiceRole" ]
      }
    },
    "Outputs": {
      "RDSCustomDBSubnetGroup" : {
        "Description" : "DB subnet group that is specified while creating RDS Custom instances by using the parameter --db-subnet-group-name.",
        "Value" : {"Ref": "DBSubnetGroup"},
        "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-SubnetID" }}
      },
      "VPC" : {
        "Description" : "VPC in which the DB subnet group is created.",
        "Value" : {
          "Fn::Sub": [
            "${VPCId} [Name: ${VPCName}]",
            {
              "VPCId": { "Ref": "VPC" },
              "VPCName": { "Fn::Sub": "${AWS::StackName}-vpc" }
            }
          ]
        },
        "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-VPCID" }}
      },
      "EC2InstancePublicSubnet" : {
        "Description" : "Public subnet for creating an EC2 instance that connects to the RDS Custom instance.",
        "Value" : {
          "Fn::Sub": [
            "${SubnetId} [Name: ${SubnetName}]",
            {
              "SubnetId": { "Ref": "PublicSubnet1" },
              "SubnetName": { "Fn::Sub": "${AWS::StackName}-public-subnet-1" }
            }
          ]
        }
      },
      "RDSCustomSecurityGroup" : {
        "Description" : "Security group to be attached to RDS Custom instances; it is specified while creating RDS Custom instances by using the parameter --vpc-security-group-ids.",
        "Value" :  { "Fn::GetAtt" : ["RDSCustomSecurityGroup", "GroupId"] },
        "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-RDSCustomSecurityGroup" }}
      },
      "EC2InstanceSecurityGroup" : {
        "Description" : "Security group to be attached to the EC2 instance that is used to connect to the RDS Custom instance.",
        "Value" : {
          "Fn::Sub": [
            "${SGId} [Name: ${SGName}]",
            {
              "SGId": { "Ref": "EC2InstanceSecurityGroup" },
              "SGName": { "Fn::Sub": "${AWS::StackName}-ec2-instance-sg" }
            }
          ]
        }
      },
      "RDSCustomIAMInstanceProfile" : {
        "Description" : "IAM instance profile that is specified while creating RDS Custom instances by using the parameter --custom-iam-instance-profile.",
        "Value" : {"Ref": "RDSCustomSQLServerInstanceProfile"},
        "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-RDSCustomIAMInstanceProfile" }}
      },
      "RDSCustomKMSKey" : {
        "Description" : "KMS key used to encrypt data managed by RDS Custom instances; it is specified while creating RDS Custom instances by using the parameter --kms-key-id.",
        "Value" : {"Fn::GetAtt": [ "RDSCustomKMSKey", "Arn" ]},
        "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-RDSCustomKMSKey" }}
      }
    }
  }
