rg_document_db.yml

Description:  "AWS CloudFormation Sample Template DocumentDB_Quick_Create: Sample template showing how to create a DocumentDB DB cluster and DB instance. **WARNING** This template creates an Amazon DocumentDB resources and you will be billed for the AWS resources used if you create a stack from this template."
Transform: AWS::SecretsManager-2020-07-23
Parameters: 
  DBClusterName: 
    Default: "MyCluster1"
    Description : "Cluster name"
    Type: "String"
    MinLength: "1"
    MaxLength: "64"
    AllowedPattern : "[a-zA-Z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*"
    ConstraintDescription : "Must begin with a letter and contain only alphanumeric characters."

  DBInstanceName: 
    Default: "MyInstance1"
    Description : "Instance name"
    Type: "String"
    MinLength: "1"
    MaxLength: "64"
    AllowedPattern : "[a-zA-Z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*"
    ConstraintDescription : "Must begin with a letter and contain only alphanumeric characters."
  
  AccessFromCidr:
    Description: Lockdown SSH and HTTPS access (default can be accessed from anywhere)
    Type: String
    Default: 0.0.0.0/0
    MinLength: "9"
    MaxLength: "18"
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid CIDR range of the form x.x.x.x/x.
  VPC:
    Description: The VPC in which the EC2 instance will reside
    Type: AWS::EC2::VPC::Id
  Subnet1:
    Description: The VPC subnet in which the EC2 instance
    Type: AWS::EC2::Subnet::Id
  Subnet2:
    Description: The VPC subnet in which the EC2 instance
    Type: AWS::EC2::Subnet::Id
  Subnet3:
    Description: The VPC subnet in which the EC2 instance
    Type: AWS::EC2::Subnet::Id  
  SecurityGroupName:
    Description: Lockdown SSH and HTTPS access (default can be accessed from anywhere)
    Type: String
  VpceSecurityGroupName:
    Description: Lockdown SSH and HTTPS access 
    Type: String  
  DocDBSubnetGroupName:
    Description: Subnet Group Name
    Type: String
  DocDBSecretName:
    Description: Secret Name
    Type: String  
  DBInstanceClass:
    Description : "Instance class. Please refer to: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-instance-classes.html#db-instance-classes-by-region"
    Type: "String"
    AllowedValues:
      - db.t3.medium
      - db.r5.large
      - db.r5.xlarge
      - db.r5.2xlarge
      - db.r5.4xlarge
      - db.r5.12xlarge
      - db.r5.24xlarge                             
    ConstraintDescription : "Instance type must be of the ones supported for the region. Please refer to: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-instance-classes.html#db-instance-classes-by-region"  

Resources:
  DocumentDBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties: 
      GroupDescription: Amazon DocumentDB Security Group
      GroupName: !Ref SecurityGroupName 
      VpcId: !Ref VPC 
      SecurityGroupIngress:
         - IpProtocol: tcp
           CidrIp: !Ref AccessFromCidr
           FromPort: 27017
           ToPort: 27017
      SecurityGroupEgress:  # Adding egress rule
        - IpProtocol: "-1"  # Allow all protocols
          CidrIp: 0.0.0.0/0  # Allow all outbound traffic to all destinations 
      Tags:
        - Key: Name
          Value: !Ref SecurityGroupName
  VpcendpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties: 
      GroupDescription: vpc endpoint Security Group
      GroupName: !Ref VpceSecurityGroupName
      VpcId: !Ref VPC 
      SecurityGroupIngress:
         - IpProtocol: tcp
           FromPort: "0"
           ToPort: "65535"
           CidrIp : "0.0.0.0/0"
      SecurityGroupEgress:  # Adding egress rule
        - IpProtocol: "-1"  # Allow all protocols
          CidrIp: 0.0.0.0/0  # Allow all outbound traffic to all destinations 
      Tags:
        - Key: Name
          Value: !Ref VpceSecurityGroupName        
  SecretsManagerVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: 
      SubnetIds:
      - Ref: Subnet1
      - Ref: Subnet2
      SecurityGroupIds:
        - !GetAtt VpcendpointSecurityGroup.GroupId
      VpcEndpointType: Interface
      ServiceName:
        Fn::Sub: com.amazonaws.${AWS::Region}.secretsmanager
      PrivateDnsEnabled: true
      VpcId:
        Ref: VPC
  DocDBClusterRotationSecret:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: !Ref DocDBSecretName 
      Description: secrets for Documentdb
      GenerateSecretString:
        SecretStringTemplate: '{"username": "rguser"}'
        GenerateStringKey: "password"
        PasswordLength: 16
        ExcludeCharacters: '"@/\'
      Tags:
        - Key: Name
          Value: /rl/cc/app/server/config/test    
  DocumentDBSubnetGroup:
    Type: AWS::DocDB::DBSubnetGroup
    Properties: 
      DBSubnetGroupDescription: Subnet Group for DocumentDB
      DBSubnetGroupName: !Ref DocDBSubnetGroupName
      SubnetIds: 
         - !Ref Subnet1
         - !Ref Subnet2
         - !Ref Subnet3
      Tags:
        - Key: Name
          Value: !Ref DocDBSubnetGroupName
  DBCluster:
    Type: "AWS::DocDB::DBCluster"
    DeletionPolicy: Delete
    Properties:
      DBClusterIdentifier: !Ref DBClusterName
      MasterUsername: rguser   
      MasterUserPassword: 
        Fn::Sub: "{{resolve:secretsmanager:${DocDBClusterRotationSecret}::password}}"
      EngineVersion: 4.0.0
      DBSubnetGroupName : !Ref DocumentDBSubnetGroup
      VpcSecurityGroupIds: 
        - !GetAtt DocumentDBSecurityGroup.GroupId
      StorageEncrypted : true  
  DBInstance:
    Type: "AWS::DocDB::DBInstance"
    Properties:
      DBClusterIdentifier: !Ref DBCluster
      DBInstanceIdentifier: !Ref DBInstanceName
      DBInstanceClass: !Ref DBInstanceClass
    DependsOn: DBCluster
  SecretDocDBClusterAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId:
        Ref: DocDBClusterRotationSecret
      TargetId:
        Ref: DBCluster
      TargetType: AWS::DocDB::DBCluster
  SecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretDocDBClusterAttachment
    Properties:
      SecretId:
        Ref: DocDBClusterRotationSecret
      HostedRotationLambda:
        RotationType: MongoDBSingleUser
        RotationLambdaName: MongoDBSingleUser
        VpcSecurityGroupIds:
          Ref: DocumentDBSecurityGroup 
        VpcSubnetIds:
          Fn::Join:
          - ","
          - - Ref: Subnet1
            - Ref: Subnet2 
      RotationRules:
        Duration: 6h
        ScheduleExpression: 'rate(30 days)'     

Outputs:
  ClusterId:
    Value: !Ref DBCluster
  ClusterEndpoint:
    Value: !GetAtt DBCluster.Endpoint
  InstanceEndpoint:
    Value: !GetAtt DBInstance.Endpoint
  ClusterPort:
    Value: !GetAtt DBCluster.Port
  EngineVersion:
    Value: "4.0.0"