Menu
AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::RDS::DBInstance

The AWS::RDS::DBInstance type creates an Amazon Relational Database Service (Amazon RDS) DB instance. For detailed information about configuring RDS DB instances, see CreateDBInstance.

Important

If a DB instance is deleted or replaced during an update, AWS CloudFormation deletes all automated snapshots. However, it retains manual DB snapshots. During an update that requires replacement, you can apply a stack policy to prevent DB instances from being replaced. For more information, see Prevent Updates to Stack Resources.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

Copy
{ "Type" : "AWS::RDS::DBInstance", "Properties" : { "AllocatedStorage" : String, "AllowMajorVersionUpgrade" : Boolean, "AutoMinorVersionUpgrade" : Boolean, "AvailabilityZone" : String, "BackupRetentionPeriod" : String, "CharacterSetName" : String, "CopyTagsToSnapshot" : Boolean, "DBClusterIdentifier" : String, "DBInstanceClass" : String, "DBInstanceIdentifier" : String, "DBName" : String, "DBParameterGroupName" : String, "DBSecurityGroups" : [ String, ... ], "DBSnapshotIdentifier" : String, "DBSubnetGroupName" : String, "Domain" : String, "DomainIAMRoleName" : String, "Engine" : String, "EngineVersion" : String, "Iops" : Number, "KmsKeyId" : String, "LicenseModel" : String, "MasterUsername" : String, "MasterUserPassword" : String, "MonitoringInterval" : Integer, "MonitoringRoleArn" : String, "MultiAZ" : Boolean, "OptionGroupName" : String, "Port" : String, "PreferredBackupWindow" : String, "PreferredMaintenanceWindow" : String, "PubliclyAccessible" : Boolean, "SourceDBInstanceIdentifier" : String, "StorageEncrypted" : Boolean, "StorageType" : String, "Tags" : [ Resource Tag, ... ], "Timezone" : String, "VPCSecurityGroups" : [ String, ... ] } }

YAML

Copy
Type: "AWS::RDS::DBInstance" Properties: AllocatedStorage: String AllowMajorVersionUpgrade: Boolean AutoMinorVersionUpgrade: Boolean AvailabilityZone: String BackupRetentionPeriod: String CharacterSetName: String CopyTagsToSnapshot: Boolean DBClusterIdentifier: String DBInstanceClass: String DBInstanceIdentifier: String DBName: String DBParameterGroupName: String DBSecurityGroups: - String DBSnapshotIdentifier: String DBSubnetGroupName: String Domain: String DomainIAMRoleName: String Engine: String EngineVersion: String Iops: Number KmsKeyId: String LicenseModel: String MasterUsername: String MasterUserPassword: String MonitoringInterval: Integer MonitoringRoleArn: String MultiAZ: Boolean OptionGroupName: String Port: String PreferredBackupWindow: String PreferredMaintenanceWindow: String PubliclyAccessible: Boolean SourceDBInstanceIdentifier: String StorageEncrypted: Boolean StorageType: String Tags: Resource Tag Timezone: String VPCSecurityGroups: - String

Properties

AllocatedStorage

The allocated storage size, specified in gigabytes (GB).

If any value is set in the Iops parameter, AllocatedStorage must be at least 100 GB, which corresponds to the minimum Iops value of 1,000. If you increase the Iops value (in 1,000 IOPS increments), then you must also increase the AllocatedStorage value (in 100 GB increments).

Required: Conditional. This property is required unless you specify the DBClusterIdentifier property or when creating a read replica from AWS CloudFormation using the AWS::RDS::DBInstance resource. In these cases, do not specify this property.

Type: String

Update requires: No interruption

AllowMajorVersionUpgrade

If you update the EngineVersion property to a version that's different from the DB instance's current major version, set this property to true. For more information, see ModifyDBInstance in the Amazon Relational Database Service API Reference.

Required: No

Type: Boolean

Update requires: No interruption

AutoMinorVersionUpgrade

Indicates that minor engine upgrades are applied automatically to the DB instance during the maintenance window. The default value is true.

Required: No

Type: Boolean

Update requires: No interruption or some interruptions. For more information, see ModifyDBInstance in the Amazon Relational Database Service API Reference.

AvailabilityZone

The name of the Availability Zone where the DB instance is located. You cannot set the AvailabilityZone parameter if the MultiAZ parameter is set to true.

Required: No

Type: String

Update requires: Replacement

BackupRetentionPeriod

The number of days during which automatic DB snapshots are retained.

Important

If this DB instance is deleted or replaced during an update, AWS CloudFormation deletes all automated snapshots. However, it retains manual DB snapshots.

Required: No

Type: String

Update requires: No interruption or some interruptions. For more information, see ModifyDBInstance in the Amazon Relational Database Service API Reference.

CharacterSetName

For supported engines, specifies the character set to associate with the DB instance. For more information, see Appendix: Oracle Character Sets Supported in Amazon RDS in the Amazon Relational Database Service User Guide.

If you specify the DBSnapshotIdentifier or SourceDBInstanceIdentifier property, do not specify this property. The value is inherited from the snapshot or source DB instance.

Required: No

Type: String

Update requires: Replacement

CopyTagsToSnapshot

Indicates whether to copy all of the user-defined tags from the DB instance to snapshots of the DB instance. By default, Amazon RDS doesn't copy tags to snapshots. Amazon RDS doesn't copy tags with the aws:: prefix unless it's the DB instance's final snapshot (the snapshot when you delete the DB instance).

Required: No

Type: Boolean

Update requires: No interruption

DBClusterIdentifier

The name of an existing DB cluster that this instance will be associated with. If you specify this property, specify aurora for the Engine property and do not specify any of the following properties: AllocatedStorage, BackupRetentionPeriod, CharacterSetName, DBSecurityGroups, MasterUsername, MasterUserPassword, OptionGroupName, PreferredBackupWindow, PreferredMaintenanceWindow, Port, SourceDBInstanceIdentifier, StorageType, or VPCSecurityGroups.

Amazon RDS assigns the first DB instance in the cluster as the primary, and additional DB instances as replicas.

If you specify this property, the default deletion policy is Delete. Otherwise, the default deletion policy is Snapshot.

Required: No

Type: String

Update requires: Replacement

DBInstanceClass

The name of the compute and memory capacity classes of the DB instance.

Required: Yes

Type: String

Update requires: Some interruptions

DBInstanceIdentifier

A name for the DB instance. If you specify a name, AWS CloudFormation converts it to lower case. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the DB instance. For more information, see Name Type.

Important

If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

Required: No

Type: String

Update requires: Replacement

DBName

The name of the DB instance that was provided at the time of creation, if one was specified. This same name is returned for the life of the DB instance.

Important

If you specify the DBSnapshotIdentifier property, AWS CloudFormation ignores this property.

If you restore DB instances from snapshots, this property doesn't apply to the MySQL, PostgreSQL, or MariaDB engines.

Required: No

Type: String

Update requires: Replacement

DBParameterGroupName

The name of an existing DB parameter group or a reference to an AWS::RDS::DBParameterGroup resource created in the template.

Required: No

Type: String

Update requires: No interruption or some interruptions. If any of the data members of the referenced parameter group are changed during an update, the DB instance might need to be restarted, causing some interruption. If the parameter group contains static parameters, whether they were changed or not, an update triggers a reboot.

DBSecurityGroups

A list of the DB security groups to assign to the DB instance. The list can include both the name of existing DB security groups or references to AWS::RDS::DBSecurityGroup resources created in the template.

If you set DBSecurityGroups, you must not set VPCSecurityGroups, and vice-versa. Also, note that the EC2VpcId property exists only for backwards compatibility with older regions and is no longer recommended for providing security information to an RDS DB instance. Instead, use VPCSecurityGroups.

Important

If you specify this property, AWS CloudFormation sends only the following properties (if specified) to Amazon RDS:

  • AllocatedStorage

  • AutoMinorVersionUpgrade

  • AvailabilityZone

  • BackupRetentionPeriod

  • CharacterSetName

  • DBInstanceClass

  • DBName

  • DBParameterGroupName

  • DBSecurityGroups

  • DBSubnetGroupName

  • Engine

  • EngineVersion

  • Iops

  • LicenseModel

  • MasterUsername

  • MasterUserPassword

  • MultiAZ

  • OptionGroupName

  • PreferredBackupWindow

  • PreferredMaintenanceWindow

All other properties are ignored. Specify a VPC security group if you want to submit other properties, such as StorageType, StorageEncrypted, or KmsKeyId. If you're already using the DBSecurityGroups property, you can't use these other properties by updating your DB instance to use a VPC security group. You must recreate the DB instance.

Required: No

Type: List of strings

Update requires: No interruption

DBSnapshotIdentifier

The name or ARN of the DB snapshot used to restore the DB instance. If you are restoring from a shared manual DB snapshot, you must specify the Amazon Resource Name (ARN) of the snapshot.

By specifying this property, you can create a DB instance from the specified DB snapshot. If the DBSnapshotIdentifier property is an empty string or the AWS::RDS::DBInstance declaration has no DBSnapshotIdentifier property, AWS CloudFormation creates a new database. If the property contains a value (other than an empty string), AWS CloudFormation creates a database from the specified snapshot. If a snapshot with the specified name does not exist, AWS CloudFormation can't create the database and it rolls the back the stack.

Some DB instance properties are not valid when you restore from a snapshot, such as the MasterUsername and MasterUserPassword properties. For information about the properties that you can specify, see the RestoreDBInstanceFromDBSnapshot action in the Amazon Relational Database Service API Reference.

Important

If you specify this property, AWS CloudFormation ignores the DBName property.

Required: No

Type: String

Update requires: Replacement

DBSubnetGroupName

A DB subnet group to associate with the DB instance. If you update this value, the new subnet group must be a subnet group in a new VPC.

If there is no DB subnet group, then the instance is not a VPC DB instance.

For more information about using Amazon RDS in a VPC, see Using Amazon RDS with Amazon Virtual Private Cloud (VPC) in the Amazon Relational Database Service Developer Guide.

Required: No

Type: String

Update requires: Replacement

Domain

For an Amazon RDS DB instance that is running Microsoft SQL Server, the Active Directory directory ID to create the instance in. Amazon RDS uses Windows Authentication to authenticate users that connect to the DB instance. For more information, see Using Windows Authentication with an Amazon RDS DB Instance Running Microsoft SQL Server in the Amazon Relational Database Service User Guide.

If you specify this property, you must specify a SQL Server engine for the Engine property.

Required: No

Type: String

Update requires: No interruption

DomainIAMRoleName

The name of an IAM role that Amazon RDS uses when calling the Directory Service APIs.

Required: No

Type: String

Update requires: No interruption

Engine

The database engine that the DB instance uses. This property is optional when you specify the DBSnapshotIdentifier property to create DB instances.

For valid values, see the Engine parameter of the CreateDBInstance action in the Amazon Relational Database Service API Reference.

Required: Conditional

Type: String

Update requires: Replacement

EngineVersion

The version number of the database engine that the DB instance uses.

Required: No

Type: String

Update requires: Some interruptions

Iops

The number of I/O operations per second (IOPS) that the database provisions. The value must be equal to or greater than 1000.

If you specify this property, you must follow the range of allowed ratios of your requested IOPS rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can provision an Oracle database instance with 1000 IOPS and 200 GB of storage (a ratio of 5:1) or specify 2000 IOPS with 200 GB of storage (a ratio of 10:1). For more information, see Amazon RDS Provisioned IOPS Storage to Improve Performance in the Amazon Relational Database Service User Guide.

Required: Conditional. If you specify io1 for the StorageType property, you must specify this property.

Type: Number

Update requires: No interruption

KmsKeyId

The ARN of the AWS Key Management Service (AWS KMS) master key that is used to encrypt the DB instance, such as arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef. If you enable the StorageEncrypted property but don't specify this property, AWS CloudFormation uses the default master key. If you specify this property, you must set the StorageEncrypted property to true.

If you specify the DBSnapshotIdentifier or SourceDBInstanceIdentifier property, do not specify this property. The value is inherited from the snapshot or source database instance.

Note

If you specify DBSecurityGroups, AWS CloudFormation ignores this property. To specify both a security group and this property, you must use a VPC security group. For more information about Amazon RDS and VPC, see Using Amazon RDS with Amazon VPC in the Amazon Relational Database Service User Guide.

Required: No

Type: String

Update requires: Replacement

LicenseModel

The license model of the DB instance.

Required: No

Type: String

Update requires: Replacement

MasterUsername

The master user name for the DB instance.

Note

If you specify the SourceDBInstanceIdentifier or DBSnapshotIdentifier property, do not specify this property. The value is inherited from the source DB instance or snapshot.

Required: Conditional

Type: String

Update requires: Replacement

MasterUserPassword

The master password for the DB instance.

Note

If you specify the SourceDBInstanceIdentifier or DBSnapshotIdentifier property, do not specify this property. The value is inherited from the source DB instance or snapshot.

Required: Conditional

Type: String

Update requires: No interruption

MonitoringInterval

The interval, in seconds, between points when Amazon RDS collects enhanced monitoring metrics for the DB instance. To disable metrics collection, specify 0.

For default and valid values, see the MonitoringInterval parameter for the CreateDBInstance action in the Amazon Relational Database Service API Reference.

Required: Conditional. If you specify the MonitoringRoleArn property, specify a value other than 0 for MonitoringInterval.

Type: Integer

Update requires: No interruption or some interruptions. For more information, see ModifyDBInstance in the Amazon Relational Database Service API Reference.

MonitoringRoleArn

The ARN of the AWS Identity and Access Management (IAM) role that permits Amazon RDS to send enhanced monitoring metrics to Amazon CloudWatch, for example, arn:aws:iam:123456789012:role/emaccess. For information on creating a monitoring role, see To create an IAM role for Amazon RDS Enhanced Monitoring in the Amazon Relational Database Service User Guide.

Required: Conditional. If you specify a value other than 0 for the MonitoringInterval property, specify a value for MonitoringRoleArn.

Type: String

Update requires: No interruption

MultiAZ

Specifies if the database instance is a multiple Availability Zone deployment. You cannot set the AvailabilityZone parameter if the MultiAZ parameter is set to true. Amazon Aurora storage is replicated across all the availability zones and doesn't require the MultiAZ option to be set.

Required: No

Type: Boolean

Update requires: No interruption

OptionGroupName

The option group that this DB instance is associated with.

Required: No

Type: String

Update requires: No interruption

Port

The port for the instance.

Required: No

Type: String

Update requires: Replacement

PreferredBackupWindow

The daily time range during which automated backups are performed if automated backups are enabled, as determined by the BackupRetentionPeriod property. For valid values, see the PreferredBackupWindow parameter for the CreateDBInstance action in the Amazon Relational Database Service API Reference.

Required: No

Type: String

Update requires: No interruption

PreferredMaintenanceWindow

The weekly time range (in UTC) during which system maintenance can occur. For valid values, see the PreferredMaintenanceWindow parameter for the CreateDBInstance action in the Amazon Relational Database Service API Reference.

Note

This property applies when AWS CloudFormation initially creates the DB instance. If you use AWS CloudFormation to update the DB instance, those updates are applied immediately.

Required: No

Type: String

Update requires: No interruption or some interruptions. For more information, see ModifyDBInstance in the Amazon Relational Database Service API Reference.

PubliclyAccessible

Indicates whether the DB instance is an Internet-facing instance. If you specify true, AWS CloudFormation creates an instance with a publicly resolvable DNS name, which resolves to a public IP address. If you specify false, AWS CloudFormation creates an internal instance with a DNS name that resolves to a private IP address.

The default behavior value depends on your VPC setup and the database subnet group. For more information, see the PubliclyAccessible parameter in CreateDBInstance in the Amazon Relational Database Service API Reference.

If this resource has a public IP address and is also in a VPC that is defined in the same template, you must use the DependsOn attribute to declare a dependency on the VPC-gateway attachment. For more information, see DependsOn Attribute.

Note

If you specify DBSecurityGroups, AWS CloudFormation ignores this property. To specify a security group and this property, you must use a VPC security group. For more information about Amazon RDS and VPC, see Using Amazon RDS with Amazon VPC in the Amazon Relational Database Service User Guide.

Required: No

Type: Boolean

Update requires: Replacement

SourceDBInstanceIdentifier

If you want to create a read replica DB instance, specify the ID of the source DB instance. Each DB instance can have a limited number of read replicas. For more information, see Working with Read Replicas in the Amazon Relational Database Service Developer Guide.

The SourceDBInstanceIdentifier property determines whether a DB instance is a read replica. If you remove the SourceDBInstanceIdentifier property from your template and then update your stack, AWS CloudFormation deletes the read replica and creates a new DB instance (not a read replica).

Important

  • If you specify a source DB instance that uses VPC security groups, we recommend that you specify the VPCSecurityGroups property. If you don't specify the property, the read replica inherits the value of the VPCSecurityGroups property from the source DB when you create the replica. However, if you update the stack, AWS CloudFormation reverts the replica's VPCSecurityGroups property to the default value because it's not defined in the stack's template. This change might cause unexpected issues.

  • Read replicas do not support deletion policies. AWS CloudFormation ignores any deletion policy that's associated with a read replica.

  • If you specify SourceDBInstanceIdentifier, do not set the MultiAZ property to true and do not specify the DBSnapshotIdentifier property. You cannot deploy read replicas in multiple Availability Zones, and you cannot create a read replica from a snapshot.

  • Do not set the BackupRetentionPeriod, DBName, MasterUsername, MasterUserPassword, and PreferredBackupWindow properties. The database attributes are inherited from the source DB instance, and backups are disabled for read replicas.

  • If the source DB instance is in a different region than the read replica, specify an ARN for a valid DB instance. For more information, see Constructing a Amazon RDS Amazon Resource Name (ARN) in the Amazon Relational Database Service User Guide.

  • For DB instances in Amazon Aurora clusters, do not specify this property. Amazon RDS automatically assigns writer and reader DB instances.

Required: No

Type: String

Update requires: Replacement

StorageEncrypted

Indicates whether the DB instance is encrypted.

If you specify the DBClusterIdentifier, DBSnapshotIdentifier, or SourceDBInstanceIdentifier property, do not specify this property. The value is inherited from the cluster, snapshot, or source DB instance.

Required: Conditional. If you specify the KmsKeyId property, you must enable encryption.

Type: Boolean

Update requires: Replacement

StorageType

The storage type associated with this DB instance.

For the default and valid values, see the StorageType parameter of the CreateDBInstance action in the Amazon Relational Database Service API Reference.

Required: No

Type: String

Update requires: Some interruptions

Tags

An arbitrary set of tags (key–value pairs) for this DB instance.

Required: No

Type: AWS CloudFormation Resource Tags

Update requires: No interruption

Timezone

The time zone of the DB instance, which you can specify to match the time zone of your applications. To see which engines supports time zones, see the Timezone parameter for the CreateDBInstance action in the Amazon Relational Database Service API Reference.

Required: No

Type: String

Update requires: Replacement

VPCSecurityGroups

A list of the VPC security group IDs to assign to the DB instance. The list can include both the physical IDs of existing VPC security groups and references to AWS::EC2::SecurityGroup resources created in the template.

If you set VPCSecurityGroups, you must not set DBSecurityGroups, and vice versa.

Important

You can migrate a DB instance in your stack from an RDS DB security group to a VPC security group, but keep the following in mind:

  • You cannot revert to using an RDS security group after you establish a VPC security group membership.

  • When you migrate your DB instance to VPC security groups, if your stack update rolls back because the DB instance update fails, or because an update fails in another AWS CloudFormation resource, the rollback will fail because it cannot revert to an RDS security group.

  • To use the properties that are available when you use a VPC security group, you must recreate the DB instance. If you don't, AWS CloudFormation submits only the property values that are listed in the DBSecurityGroups property.

To avoid this situation, migrate your DB instance to using VPC security groups only when that is the only change in your stack template.

Required: No

Type: List of strings

Update requires: No interruption

Updating and Deleting AWS::RDS::DBInstance Resources

Updating DB Instances

When properties labeled "Update requires: Replacement" are updated, AWS CloudFormation first creates a replacement DB instance, then changes references from other dependent resources to point to the replacement DB instance, and finally deletes the old DB instance.

Important

We highly recommend that you take a snapshot of the database before updating the stack. If you don't, you will lose the data when AWS CloudFormation replaces your DB instance. To preserve your data, perform the following procedure:

  1. Deactivate any applications that are using the DB instance so that there is no activity on the DB instance.

  2. Create a snapshot of the DB instance. For more information about creating DB snapshots, see Creating a DB snapshot.

  3. If you want to restore your instance using a DB snapshot, modify the updated template with your DB instance changes and add the DBSnapshotIdentifier property with the ID of the DB snapshot that you want to use.

  4. Update the stack.

For more information about updating other properties of this resource, see ModifyDBInstance. For more information about updating stacks, see AWS CloudFormation Stacks Updates.

Deleting DB Instances

You can set a deletion policy for your DB instance to control how AWS CloudFormation handles the instance when the stack is deleted. For Amazon RDS DB instances, you can choose to retain the instance, to delete the instance, or to create a snapshot of the instance. The default AWS CloudFormation behavior depends on the DBClusterIdentifier property:

  • For AWS::RDS::DBInstance resources that don't specify the DBClusterIdentifier property, AWS CloudFormation saves a snapshot of the DB instance.

  • For AWS::RDS::DBInstance resources that do specify the DBClusterIdentifier property, AWS CloudFormation deletes the DB instance.

For more information, see DeletionPolicy Attribute.

Return Values

Ref

When you provide the RDS DB instance's logical name to the Ref intrinsic function, Ref will return the DBInstanceIdentifier. For example: mystack-mydb-ea5ugmfvuaxg.

For more information about using the Ref function, see Ref.

Fn::GetAtt

Fn::GetAtt returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

  • Endpoint.Address

    The connection endpoint for the database. For example: mystack-mydb-1apw1j4phylrk.cg034hpkmmjt.us-east-2.rds.amazonaws.com.

  • Endpoint.Port

    The port number on which the database accepts connections. For example: 3306.

For more information about using Fn::GetAtt, see Fn::GetAtt.

Examples

DBInstance with a set MySQL version, Tags and DeletionPolicy

This example shows how to set the MySQL version that has a DeletionPolicy Attribute set. With the DeletionPolicy set to Snapshot, AWS CloudFormation will take a snapshot of this DB instance before deleting it during stack deletion. A tag that contains a friendly name for the database is also set.

JSON
Copy
"MyDB" : { "Type" : "AWS::RDS::DBInstance", "Properties" : { "DBName" : { "Ref" : "DBName" }, "AllocatedStorage" : { "Ref" : "DBAllocatedStorage" }, "DBInstanceClass" : { "Ref" : "DBInstanceClass" }, "Engine" : "MySQL", "EngineVersion" : "5.5", "MasterUsername" : { "Ref" : "DBUser" }, "MasterUserPassword" : { "Ref" : "DBPassword" }, "Tags" : [ { "Key" : "Name", "Value" : "My SQL Database" } ] }, "DeletionPolicy" : "Snapshot" }
YAML
Copy
MyDB: Type: "AWS::RDS::DBInstance" Properties: DBName: Ref: "DBName" AllocatedStorage: Ref: "DBAllocatedStorage" DBInstanceClass: Ref: "DBInstanceClass" Engine: "MySQL" EngineVersion: "5.5" MasterUsername: Ref: "DBUser" MasterUserPassword: Ref: "DBPassword" Tags: - Key: "Name" Value: "My SQL Database" DeletionPolicy: "Snapshot"

DBInstance with provisioned IOPS

This example sets a provisioned IOPS value in the Iops property. Note that the AllocatedStorage property is set according to the 10:1 ratio between IOPS and GiBs of storage.

JSON
Copy
"MyDB" : { "Type" : "AWS::RDS::DBInstance", "Properties" : { "AllocatedStorage" : "100", "DBInstanceClass" : "db.m1.small", "Engine" : "MySQL", "EngineVersion" : "5.5", "Iops" : "1000", "MasterUsername" : { "Ref" : "DBUser" }, "MasterUserPassword" : { "Ref" : "DBPassword" } } }
YAML
Copy
MyDB: Type: "AWS::RDS::DBInstance" Properties: AllocatedStorage: "100" DBInstanceClass: "db.m1.small" Engine: "MySQL" EngineVersion: "5.5" Iops: "1000" MasterUsername: Ref: "DBUser" MasterUserPassword: Ref: "DBPassword"