From 8f577cd827f1e15fbde2e873786da27e881160b6 Mon Sep 17 00:00:00 2001
From: Eric Beard
Date: Thu, 30 May 2024 17:19:58 -0700
Subject: [PATCH] Generating JSON
---
 Config/Config.json | 2 +-
 RDS/RDS_MySQL_With_Read_Replica.json | 21 ++++++++++++++++++++-
 RDS/RDS_PIOPS.json | 15 ++++++++++++++-
 RDS/RDS_with_DBParameterGroup.json | 5 ++---
 4 files changed, 37 insertions(+), 6 deletions(-)
diff --git a/Config/Config.json b/Config/Config.json
index 3b931c7d..0e96ae6c 100644
--- a/Config/Config.json
+++ b/Config/Config.json
@@ -245,7 +245,7 @@
 "ZipFile": "var aws = require('aws-sdk');\nvar config = new aws.ConfigService();\nvar ec2 = new aws.EC2();\nexports.handler = function(event, context) {\n var compliance = evaluateCompliance(event, function(compliance, event) {\n var configurationItem = JSON.parse(event.invokingEvent).configurationItem;\n var putEvaluationsRequest = {\n Evaluations: [{\n ComplianceResourceType: configurationItem.resourceType,\n ComplianceResourceId: configurationItem.resourceId,\n ComplianceType: compliance,\n OrderingTimestamp: configurationItem.configurationItemCaptureTime\n }],\n ResultToken: event.resultToken\n };\n config.putEvaluations(putEvaluationsRequest, function(err, data) {\n if (err) context.fail(err);\n else context.succeed(data);\n });\n });\n};\nfunction evaluateCompliance(event, doReturn) {\n var configurationItem = JSON.parse(event.invokingEvent).configurationItem;\n var status = configurationItem.configurationItemStatus;\n if (configurationItem.resourceType !== 'AWS::EC2::Volume' || event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered'))\n doReturn('NOT_APPLICABLE', event);\n else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId, Attribute: 'autoEnableIO'}, function(err, data) {\n if (err) context.fail(err);\n else if (data.AutoEnableIO.Value) doReturn('COMPLIANT', event);\n else doReturn('NON_COMPLIANT', event);\n });\n}\n"
 },
 "Handler": "index.handler",
- "Runtime": "nodejs16.x",
+ "Runtime": "nodejs20.x",
 "Timeout": "30",
 "Role": {
 "Fn::GetAtt": [
diff --git a/RDS/RDS_MySQL_With_Read_Replica.json b/RDS/RDS_MySQL_With_Read_Replica.json
index c4924621..4d96825e 100644
--- a/RDS/RDS_MySQL_With_Read_Replica.json
+++ b/RDS/RDS_MySQL_With_Read_Replica.json
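Review bot: Moving the function to `"Runtime": "nodejs20.x"` breaks the inline handler on the `"ZipFile"` context line, which begins with `require('aws-sdk')`: the Node.js 18 and later Lambda runtimes ship only AWS SDK for JavaScript v3, so the v2 `aws-sdk` module is absent and the function fails at load time. The handler needs porting to v3 (`@aws-sdk/client-config-service` and `@aws-sdk/client-ec2` with the command/`send` pattern), or the runtime bump should wait until that port lands. Separately, `evaluateCompliance` calls `context.fail(err)` inside its `describeVolumeAttribute` callback although `context` is only a parameter of `exports.handler`, so the error path raises a ReferenceError instead of reporting the failure; passing `context` into `evaluateCompliance` (or calling `doReturn` with an error) fixes that.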
@@ -113,10 +113,21 @@
 },
 "Condition": "IsEC2VPC"
 },
+ "DBCredential": {
+ "Type": "AWS::SecretsManager::Secret",
+ "Properties": {
+ "GenerateSecretString": {
+ "PasswordLength": 16,
+ "ExcludeCharacters": "\"@/\\",
+ "RequireEachIncludedType": true
+ }
+ }
+ },
 "MainDB": {
 "DeletionPolicy": "Snapshot",
 "UpdateReplacePolicy": "Snapshot",
 "Type": "AWS::RDS::DBInstance",
+ "DependsOn": "DBCredential",
 "Properties": {
 "DBName": {
 "Ref": "DBName"
@@ -132,7 +143,9 @@
 "MasterUsername": {
 "Ref": "DBUser"
 },
- "MasterUserPassword": "{{resolve:secretsmanager:my-db-password}}",
+ "MasterUserPassword": {
+ "Fn::Sub": "{{resolve:secretsmanager:${DBCredential}}}"
+ },
 "MultiAZ": {
 "Ref": "MultiAZ"
 },
@@ -194,6 +207,12 @@
 }
 },
 "Outputs": {
+ "DBCredentialSecretNameArn": {
+ "Description": "Name of the secret containing the database credential",
+ "Value": {
+ "Ref": "DBCredential"
+ }
+ },
 "EC2Platform": {
 "Description": "Platform in which this stack is deployed",
 "Value": {
diff --git a/RDS/RDS_PIOPS.json b/RDS/RDS_PIOPS.json
index 5d9119e7..481e3b8a 100644
--- a/RDS/RDS_PIOPS.json
+++ b/RDS/RDS_PIOPS.json
@@ -16,8 +16,19 @@
 }
 },
 "Resources": {
+ "DBCredential": {
+ "Type": "AWS::SecretsManager::Secret",
+ "Properties": {
+ "GenerateSecretString": {
+ "PasswordLength": 16,
+ "ExcludeCharacters": "\"@/\\",
+ "RequireEachIncludedType": true
+ }
+ }
+ },
 "myDB": {
 "Type": "AWS::RDS::DBInstance",
+ "DependsOn": "DBCredential",
 "Properties": {
 "AllocatedStorage": "100",
 "DBInstanceClass": "db.t3.small",
@@ -27,7 +38,9 @@
 "MasterUsername": {
 "Ref": "DBUser"
 },
- "MasterUserPassword": "{{resolve:secretsmanager:my-db-password}}",
+ "MasterUserPassword": {
+ "Fn::Sub": "{{resolve:secretsmanager:${DBCredential}}}"
+ },
 "PubliclyAccessible": false,
 "StorageEncrypted": true
 }
diff --git a/RDS/RDS_with_DBParameterGroup.json b/RDS/RDS_with_DBParameterGroup.json
index a99cad4e..77430a9c 100644
--- a/RDS/RDS_with_DBParameterGroup.json
+++ b/RDS/RDS_with_DBParameterGroup.json
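Review bot: The new `DBCredential` secret carries no `DeletionPolicy`, while `MainDB` directly below it keeps `"DeletionPolicy": "Snapshot"`; on stack deletion the final snapshot is retained but the only copy of its master password is scheduled for deletion, which looks unintended for a template that deliberately keeps the data, so `"DeletionPolicy": "Retain"` and `"UpdateReplacePolicy": "Retain"` on the secret would keep the two resources in step. The `"DependsOn": "DBCredential"` added to `MainDB` is redundant, because the `Fn::Sub` reference to `${DBCredential}` in the next hunk already makes CloudFormation create the secret first, and it can be dropped. Both points apply equally to the `DBCredential`/`myDB` hunk in RDS/RDS_PIOPS.json.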
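Review bot: The `DBCredentialSecretNameArn` output in the `"Outputs"` hunk is described as "Name of the secret containing the database credential", but `Ref` on an `AWS::SecretsManager::Secret` returns the secret's ARN, so both the description and the mixed `NameArn` suffix misstate the value. Suggest `"Description": "ARN of the Secrets Manager secret holding the database master password"`. Exposing it as an output is fine, since the ARN is a locator and not the secret value itself.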
@@ -60,12 +60,11 @@
 "MyRDSParamGroup": {
 "Type": "AWS::RDS::DBParameterGroup",
 "Properties": {
- "Family": "MySQL5.6",
+ "Family": "MySQL8.0",
 "Description": "CloudFormation Sample Database Parameter Group",
 "Parameters": {
 "autocommit": "1",
- "general_log": "1",
- "old_passwords": "0"
+ "general_log": "1"
 }
 }
 }
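Review bot: `"general_log": "1"` stays enabled on the new MySQL8.0 parameter group, so every statement sent to the instance is written to the general query log, which costs write throughput and leaves a copy of application data in the RDS log files; for a sample template a default of `"general_log": "0"`, with a sentence in the `Description` explaining how to turn it on for troubleshooting, would be the safer starting point. Dropping `old_passwords` is correct for 8.0, where that variable no longer exists. The `AWS::RDS::DBInstance` that consumes this group is outside the hunk; if its `EngineVersion` still names a 5.x release, the family change on its own would fail at stack update, so that property is worth checking in the same commit.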