RDS-Stackset

A setup for deploying and managing RDS instances across multiple AWS accounts and regions. It ensures consistent database configurations and centralized management, ideal for large-scale, multi-account environments.


ESSENTIAL

Basic Configuration

This configuration sets up a basic RDS instance with essential settings like engine type, instance size, private subnet placement, and security. It includes automated backups and maintenance options for secure, reliable database use in a VPC.

Required resources

  • DBSubnetGroup: Defines a subnet group for the RDS instance, specifying the private subnets in which the database is placed, so the instance is never deployed in a public subnet.

  • RDS: Configures an RDS instance for the application's database, using MySQL as the engine and enabling Multi-AZ deployment for high availability. Features include automatic minor version upgrades, deletion protection, and CloudWatch log exports for monitoring. The configuration also specifies preferred windows for backups and maintenance.

Subnet Group Configuration

SubnetGroup:
  Type: AWS::RDS::DBSubnetGroup
  Properties:
    DBSubnetGroupDescription: Subnet group for ApplicationDB instances
    SubnetIds:
      - !Ref PrivateSubnet1
      - !Ref PrivateSubnet2

RDS Configuration

RDS:
  Type: AWS::RDS::DBInstance
  Properties:
    AllowMajorVersionUpgrade: false
    AutoMinorVersionUpgrade: true
    # AvailabilityZone is deliberately not set: CloudFormation rejects it together with
    # MultiAZ: true; RDS picks two AZs from the subnet group for the primary and standby
    DBInstanceClass: db.r6g.large
    DBName: ApplicationDB
    DBSubnetGroupName: !Ref SubnetGroup
    DeletionProtection: true # disable when still in testing mode
    Engine: mysql
    EngineVersion: "8.0.39"
    MasterUsername: admin
    MasterUserPassword: !Sub "{{resolve:secretsmanager:app-rds}}" # manually provisioned
    MultiAZ: true
    PubliclyAccessible: false
    VPCSecurityGroups:
      - !Ref GlobalSG
    EnableCloudwatchLogsExports:
      - audit
      - error
      - general
      - slowquery
    PreferredBackupWindow: "17:00-18:00"
    PreferredMaintenanceWindow: "Sun:18:00-Sun:19:00"

OPTIONAL

Read Replica

Defines a read replica instance for an RDS primary database, used to distribute read traffic and improve scalability. The configuration places the replica in a separate AZ and replicates the primary's data to it; MySQL read replicas replicate asynchronously, so reads from the replica can lag slightly behind the primary.

Required resource

  • RDSReadReplica: Sets up an RDS read replica of the primary RDS instance, serving read-only queries to reduce the load on the primary database. The replica is deployed in a different AZ (ap-southeast-5b) for added resilience. It inherits the same engine (MySQL version 8.0.39), instance class, and security group as the primary database.

Read Replica Configuration

RDSReadReplica:
  Type: AWS::RDS::DBInstance
  Properties:
    SourceDBInstanceIdentifier: !Ref RDS
    DBInstanceClass: db.r6g.large
    AvailabilityZone: ap-southeast-5b
    Engine: mysql
    EngineVersion: "8.0.39"
    PubliclyAccessible: false
    VPCSecurityGroups:
      - !Ref GlobalSG
    EnableCloudwatchLogsExports:
      - audit
      - error
      - general
      - slowquery
    # PreferredBackupWindow is omitted: automated backups are disabled on read replicas and
    # CloudFormation does not accept the property together with SourceDBInstanceIdentifier
    PreferredMaintenanceWindow: "Sun:18:00-Sun:19:00"

OPTIONAL

Aurora Cluster

Sets up an Aurora database cluster with MySQL compatibility, providing high availability and scalability through Multi-AZ deployments and automatic failover.

Required resources

  • AuroraCluster: Configures an Amazon Aurora DB cluster using the MySQL-compatible Aurora engine, providing a highly available and fault-tolerant database.

  • AuroraWriter: Defines the primary (writer) instance of the Aurora DB cluster, which handles all write operations. This instance is deployed in ap-southeast-5a.

  • AuroraReader1: Configures a read replica (reader) instance in the same AZ as the writer (ap-southeast-5a). It offloads read traffic from the writer, improving scalability and availability for read-intensive applications.

  • AuroraReader2: Sets up an additional reader instance in a different AZ (ap-southeast-5b). This further distributes read traffic and provides cross-AZ resilience, improving fault tolerance and read capacity.

Cluster Configuration

AuroraCluster:
  Type: AWS::RDS::DBCluster
  Properties:
    Engine: aurora-mysql
    MasterUsername: admin
    MasterUserPassword: !Sub "{{resolve:secretsmanager:app-rds}}" # manually provisioned
    DBSubnetGroupName: !Ref SubnetGroup
    VpcSecurityGroupIds:
      - !Ref GlobalSG
    BackupRetentionPeriod: 7
    StorageEncrypted: true

Writer-Reader Configuration

AuroraWriter:
  Type: AWS::RDS::DBInstance
  Properties:
    DBClusterIdentifier: !Ref AuroraCluster
    Engine: aurora-mysql
    DBInstanceClass: db.r6g.large
    AvailabilityZone: ap-southeast-5a

AuroraReader1:
  Type: AWS::RDS::DBInstance
  Properties:
    DBClusterIdentifier: !Ref AuroraCluster
    Engine: aurora-mysql
    DBInstanceClass: db.r6g.large
    AvailabilityZone: ap-southeast-5a

AuroraReader2:
  Type: AWS::RDS::DBInstance
  Properties:
    DBClusterIdentifier: !Ref AuroraCluster
    Engine: aurora-mysql
    DBInstanceClass: db.r6g.large
    AvailabilityZone: ap-southeast-5b

OPTIONAL

RDS Proxy

Configures an RDS Proxy for secure, efficient connection pooling and management of database connections to RDS or Aurora instances. The setup optimizes database performance and scalability.

Required resources

  • RDSProxyAccessRole: Creates an IAM role with permission for the RDS Proxy to read secrets stored in AWS Secrets Manager, so the proxy can retrieve the database credentials securely.

  • RDSProxy: Configures an RDS Proxy in front of the Aurora database cluster to pool and manage connections, reducing connection latency and improving scalability.

  • RDSProxyTG: Sets up the proxy's target group, which points it at the Aurora database cluster. The proxy then distributes database connections across the cluster's instances, optimizing resource use and improving application performance.

Proxy Permission Configuration

RDSProxyAccessRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: rds.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: RDSProxySecretsManagerAccess
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - secretsmanager:GetSecretValue
              Resource: arn:aws:secretsmanager:ap-southeast-5:<account-id>:secret:<secret-name>

RDS Proxy Configuration

RDSProxy:
  Type: AWS::RDS::DBProxy
  Properties:
    DBProxyName: AuroraRDSProxy
    EngineFamily: MYSQL
    Auth:
      - AuthScheme: SECRETS
        SecretArn: arn:aws:secretsmanager:ap-southeast-5:<account-id>:secret:<secret-name>
    RoleArn: !GetAtt RDSProxyAccessRole.Arn
    VpcSubnetIds:
      - !Ref PrivateSubnet1
      - !Ref PrivateSubnet2
    VpcSecurityGroupIds:
      - !Ref GlobalSG

RDSProxyTG:
  Type: AWS::RDS::DBProxyTargetGroup
  Properties:
    DBProxyName: !Ref RDSProxy
    TargetGroupName: default
    DBClusterIdentifiers:
      - !Ref AuroraCluster
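The proxy's access role is a least-privilege boundary: the only thing it should be able to do is read the one secret the proxy authenticates with. The following check is an added example, not part of the RDS-Stackset templates. It loads the two resources above in CloudFormation's JSON form (CloudFormation accepts JSON and YAML interchangeably, so a CloudFormation-aware YAML loader would yield the same structure); the account id and secret suffix are constructed values standing in for the <account-id> and <secret-name> placeholders. It verifies that only rds.amazonaws.com may assume the role, that the policy grants nothing beyond secretsmanager:GetSecretValue (and kms:Decrypt, which the role additionally needs if the secret is encrypted with a customer-managed KMS key), that no Resource is a wildcard, and that every SecretArn the proxy uses is actually covered by the policy.

```python
import json

# Constructed template in CloudFormation's JSON form, mirroring RDSProxyAccessRole
# and RDSProxy from this page; account id and secret suffix are made-up values in
# place of the <account-id>/<secret-name> placeholders.
SECRET_ARN = "arn:aws:secretsmanager:ap-southeast-5:111122223333:secret:app-rds-AbCdEf"
TEMPLATE_JSON = r'''
{"Resources": {
  "RDSProxyAccessRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Principal": {"Service": "rds.amazonaws.com"},
       "Action": "sts:AssumeRole"}]},
    "Policies": [{"PolicyName": "RDSProxySecretsManagerAccess", "PolicyDocument": {
      "Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "SECRET_ARN"}]}}]}},
  "RDSProxy": {"Type": "AWS::RDS::DBProxy", "Properties": {
    "DBProxyName": "AuroraRDSProxy", "EngineFamily": "MYSQL",
    "Auth": [{"AuthScheme": "SECRETS", "SecretArn": "SECRET_ARN"}],
    "RoleArn": {"Fn::GetAtt": ["RDSProxyAccessRole", "Arn"]},
    "VpcSubnetIds": [{"Ref": "PrivateSubnet1"}, {"Ref": "PrivateSubnet2"}],
    "VpcSecurityGroupIds": [{"Ref": "GlobalSG"}]}}}}
'''.replace("SECRET_ARN", SECRET_ARN)

# kms:Decrypt is only legitimate when the secret is encrypted with a customer-managed key.
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue", "kms:Decrypt"}


def load_template(text=TEMPLATE_JSON):
    """Parse a template into a fresh dict (callers may mutate the result)."""
    return json.loads(text)


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Principal.Service.
    return value if isinstance(value, list) else [value]


def check_proxy_role(template):
    """Return findings for every DBProxy whose role is wider than it needs to be."""
    findings = []
    resources = template["Resources"]
    for proxy_name, proxy in resources.items():
        if proxy.get("Type") != "AWS::RDS::DBProxy":
            continue
        props = proxy["Properties"]
        role_ref = props.get("RoleArn")
        role_name = (role_ref["Fn::GetAtt"][0]
                     if isinstance(role_ref, dict) and "Fn::GetAtt" in role_ref else None)
        role = resources.get(role_name)
        if not role or role.get("Type") != "AWS::IAM::Role":
            findings.append(f"{proxy_name}: RoleArn does not reference an IAM role in this template")
            continue
        role_props = role["Properties"]
        # 1. Trust policy: exactly the RDS service principal, nothing else.
        for stmt in role_props["AssumeRolePolicyDocument"]["Statement"]:
            principal = stmt.get("Principal", {})
            services = set(_as_list(principal.get("Service", []))) if isinstance(principal, dict) else set()
            if stmt.get("Effect") == "Allow" and services != {"rds.amazonaws.com"}:
                findings.append(f"{role_name}: trust policy principal is not exactly rds.amazonaws.com")
        # 2. Permissions: only secret retrieval, on explicitly named secrets.
        granted = set()
        for policy in role_props.get("Policies", []):
            for stmt in policy["PolicyDocument"]["Statement"]:
                if stmt.get("Effect") != "Allow":
                    continue
                extra = set(_as_list(stmt["Action"])) - ALLOWED_ACTIONS
                if extra:
                    findings.append(f"{role_name}: unexpected action(s) {sorted(extra)}")
                for res in _as_list(stmt["Resource"]):
                    if res.endswith("*"):
                        findings.append(f"{role_name}: resource {res!r} is not scoped to one secret")
                    granted.add(res)
        # 3. Consistency: the proxy's SecretArn must be one the role can actually read.
        for auth in props.get("Auth", []):
            if auth.get("SecretArn") not in granted:
                findings.append(f"{proxy_name}: SecretArn {auth.get('SecretArn')} is not granted by {role_name}")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_role(load_template()):
        print("FINDING", finding)
```

On the template as written the check returns no findings; widening the policy Resource to `*` produces two findings at once, because the wildcard is flagged and, since the check treats only explicit ARNs as granted, the proxy's SecretArn is then reported as not covered.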

OPTIONAL

ElastiCache

Configures an ElastiCache setup, using Redis as the caching engine. This configuration includes settings for cache node type, network security groups, subnet group for private placement, and maintenance windows.

Required resources

  • ECSubnetGroup: Defines a subnet group for ElastiCache, specifying the private subnets in which the Redis cluster nodes are placed.

  • ECCluster: Sets up a single-node ElastiCache Redis cluster using the cache.t3.medium node type.

  • ECReplicationGroup: Configures a multi-node ElastiCache Redis replication group with high availability and automatic failover. It uses two node groups with one replica per group, deployed Multi-AZ for improved resilience.

ElastiCache Single Node Configuration

ECSubnetGroup:
  Type: AWS::ElastiCache::SubnetGroup
  Properties:
    Description: Subnet group for ElastiCache Redis cluster
    SubnetIds:
      - !Ref PrivateSubnet1
      - !Ref PrivateSubnet2

ECCluster:
  Type: AWS::ElastiCache::CacheCluster
  Properties:
    CacheNodeType: cache.t3.medium
    Engine: redis
    NumCacheNodes: 1
    VpcSecurityGroupIds:
      - !Ref GlobalSG
    CacheSubnetGroupName: !Ref ECSubnetGroup
    PreferredMaintenanceWindow: Sun:19:00-Sun:20:00

ElastiCache Multi Node Configuration

ECReplicationGroup:
  Type: AWS::ElastiCache::ReplicationGroup
  Properties:
    ReplicationGroupDescription: Redis replication group for ApplicationDB caching # required property
    Engine: redis
    CacheNodeType: cache.m6g.large
    NumNodeGroups: 2
    ReplicasPerNodeGroup: 1
    AutomaticFailoverEnabled: true
    MultiAZEnabled: true
    VpcSecurityGroupIds:
      - !Ref GlobalSG
    CacheSubnetGroupName: !Ref ECSubnetGroup
    PreferredMaintenanceWindow: Sun:19:00-Sun:20:00
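Several of the snippets in this stackset (the basic RDS instance, the Aurora cluster and the ElastiCache replication group) rely on defaults that are not the secure choice: AWS::RDS::DBInstance leaves StorageEncrypted at false unless it is set, AWS::RDS::DBCluster has no DeletionProtection unless it is set, and AWS::ElastiCache::ReplicationGroup enables neither encryption at rest nor encryption in transit by default. The check below is an added example, not part of the RDS-Stackset templates. It takes a constructed template in CloudFormation's JSON form whose three resources mirror the RDS, AuroraCluster and ECReplicationGroup snippets above (JSON and YAML templates are interchangeable to CloudFormation, so a CloudFormation-aware YAML loader yields the same dict), and reports every resource that is left at an insecure default, stores a literal password instead of a Secrets Manager dynamic reference, or combines settings CloudFormation rejects (AvailabilityZone with MultiAZ, Multi-AZ without automatic failover).

```python
import json

# Constructed template in CloudFormation's JSON form; the values mirror the
# RDS, AuroraCluster and ECReplicationGroup resources from this page.
TEMPLATE_JSON = r'''
{"Resources": {
  "RDS": {"Type": "AWS::RDS::DBInstance", "Properties": {
    "DBInstanceClass": "db.r6g.large", "DBName": "ApplicationDB",
    "DBSubnetGroupName": {"Ref": "SubnetGroup"}, "DeletionProtection": true,
    "Engine": "mysql", "EngineVersion": "8.0.39", "MasterUsername": "admin",
    "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:app-rds}}"},
    "MultiAZ": true, "PubliclyAccessible": false,
    "VPCSecurityGroups": [{"Ref": "GlobalSG"}],
    "EnableCloudwatchLogsExports": ["audit", "error", "general", "slowquery"]}},
  "AuroraCluster": {"Type": "AWS::RDS::DBCluster", "Properties": {
    "Engine": "aurora-mysql", "MasterUsername": "admin",
    "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:app-rds}}"},
    "DBSubnetGroupName": {"Ref": "SubnetGroup"},
    "VpcSecurityGroupIds": [{"Ref": "GlobalSG"}],
    "BackupRetentionPeriod": 7, "StorageEncrypted": true}},
  "ECReplicationGroup": {"Type": "AWS::ElastiCache::ReplicationGroup", "Properties": {
    "ReplicationGroupDescription": "Redis replication group", "Engine": "redis",
    "CacheNodeType": "cache.m6g.large", "NumNodeGroups": 2, "ReplicasPerNodeGroup": 1,
    "AutomaticFailoverEnabled": true, "MultiAZEnabled": true,
    "VpcSecurityGroupIds": [{"Ref": "GlobalSG"}],
    "CacheSubnetGroupName": {"Ref": "ECSubnetGroup"}}}}}
'''

# Values with these prefixes are resolved at deploy time, so no secret is stored in the template.
DYNAMIC_REF_PREFIXES = ("{{resolve:secretsmanager:", "{{resolve:ssm-secure:")


def load_template(text=TEMPLATE_JSON):
    """Parse a template into a fresh dict (callers may mutate the result)."""
    return json.loads(text)


def is_dynamic_reference(value):
    """True if the value is a Secrets Manager / SSM SecureString dynamic reference."""
    if isinstance(value, dict) and "Fn::Sub" in value:   # !Sub "..." in the YAML form
        value = value["Fn::Sub"]
    return isinstance(value, str) and value.startswith(DYNAMIC_REF_PREFIXES)


def check_db_instance(p):
    if "DBClusterIdentifier" in p:      # Aurora member: encryption and protection live on the cluster
        return []
    out = []
    if p.get("PubliclyAccessible") is not False:
        out.append("PubliclyAccessible is not explicitly false")
    if p.get("StorageEncrypted") is not True:
        out.append("StorageEncrypted is not true (defaults to false)")
    if p.get("DeletionProtection") is not True:
        out.append("DeletionProtection is not true")
    if p.get("MultiAZ") is not True:
        out.append("MultiAZ is not true")
    elif "AvailabilityZone" in p:
        out.append("AvailabilityZone cannot be combined with MultiAZ (stack creation fails)")
    if "MasterUserPassword" in p and not is_dynamic_reference(p["MasterUserPassword"]):
        out.append("MasterUserPassword is a literal in the template")
    if "audit" not in p.get("EnableCloudwatchLogsExports", []):
        out.append("audit log export is not enabled")
    return out


def check_db_cluster(p):
    out = []
    if p.get("StorageEncrypted") is not True:
        out.append("StorageEncrypted is not true (defaults to false)")
    if p.get("DeletionProtection") is not True:
        out.append("DeletionProtection is not true")
    if p.get("BackupRetentionPeriod", 1) < 7:     # CloudFormation default is 1 day
        out.append("BackupRetentionPeriod is below 7 days")
    if "MasterUserPassword" in p and not is_dynamic_reference(p["MasterUserPassword"]):
        out.append("MasterUserPassword is a literal in the template")
    return out


def check_replication_group(p):
    out = []
    if p.get("AtRestEncryptionEnabled") is not True:
        out.append("AtRestEncryptionEnabled is not true")
    if p.get("TransitEncryptionEnabled") is not True:
        out.append("TransitEncryptionEnabled is not true")
    if p.get("MultiAZEnabled") is True and p.get("AutomaticFailoverEnabled") is not True:
        out.append("MultiAZEnabled requires AutomaticFailoverEnabled")
    return out


CHECKS = {
    "AWS::RDS::DBInstance": check_db_instance,
    "AWS::RDS::DBCluster": check_db_cluster,
    "AWS::ElastiCache::ReplicationGroup": check_replication_group,
}


def check_template(template):
    """Return 'ResourceName: finding' strings for every resource that has a check."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(f"{name}: {msg}" for msg in check(res.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for finding in check_template(load_template()):
        print("FINDING", finding)
```

Run against the constructed template it reports four findings: the RDS instance is unencrypted at rest, the Aurora cluster has no deletion protection, and the replication group has neither at-rest nor in-transit encryption. Aurora instances are skipped on purpose, since for them those settings belong to the cluster. Such a check belongs in the pipeline that deploys the stackset, before the template reaches any account.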