

# Amazon RDS template snippets
<a name="quickref-rds"></a>

**Topics**
+ [Amazon RDS DB instance resource](#scenario-rds-instance)
+ [Amazon RDS Oracle Database DB instance resource](#scenario-rds-oracleinstance)
+ [Amazon RDS DBSecurityGroup resource for a CIDR range](#scenario-rds-security-group-cidr)
+ [Amazon RDS DBSecurityGroup with an Amazon EC2 security group](#scenario-rds-security-group-ec2)
+ [Multiple VPC security groups](#scenario-multiple-vpc-security-groups)
+ [Amazon RDS DB instance in a VPC security group](#w2aac11c41c76c15)

## Amazon RDS DB instance resource
<a name="scenario-rds-instance"></a>

This example shows an Amazon RDS DB instance resource that uses a managed master user password. For more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide* and [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html) in the *Aurora User Guide*. Because the optional `EngineVersion` property is not specified, the default engine version is used for this DB instance. For details on the default engine version and other default settings, see [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html). The `DBSecurityGroups` property grants network ingress to the `AWS::RDS::DBSecurityGroup` resources named `MyDbSecurityByEC2SecurityGroup` and `MyDbSecurityByCIDRIPGroup`. For more information, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html). The DB instance resource also has a `DeletionPolicy` attribute set to `Snapshot`. With the `Snapshot` `DeletionPolicy`, CloudFormation takes a snapshot of the DB instance before deleting it during stack deletion.

### JSON
<a name="quickref-rds-example-1.json"></a>

```
"MyDB" : {
   "Type" : "AWS::RDS::DBInstance",
   "Properties" : {
      "DBSecurityGroups" : [
         {"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" : "MyDbSecurityByCIDRIPGroup"} ],
      "AllocatedStorage" : "5",
      "DBInstanceClass" : "db.t2.small",
      "Engine" : "MySQL",
      "MasterUsername" : "MyName",
      "ManageMasterUserPassword" : true,
      "MasterUserSecret" : {
         "KmsKeyId" : {"Ref" : "KMSKey"}
      }
   },
   "DeletionPolicy" : "Snapshot"
}
```

### YAML
<a name="quickref-rds-example-1.yaml"></a>

```
MyDB:
  Type: AWS::RDS::DBInstance
  Properties:
    DBSecurityGroups:
    - Ref: MyDbSecurityByEC2SecurityGroup
    - Ref: MyDbSecurityByCIDRIPGroup
    AllocatedStorage: '5'
    DBInstanceClass: db.t2.small
    Engine: MySQL
    MasterUsername: MyName
    ManageMasterUserPassword: true
    MasterUserSecret:
      KmsKeyId: !Ref KMSKey
  DeletionPolicy: Snapshot
```

## Amazon RDS Oracle Database DB instance resource
<a name="scenario-rds-oracleinstance"></a>

This example creates an Oracle Database DB instance resource that uses a managed master user password. For more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide*. The example specifies `oracle-ee` as the `Engine` and uses the bring-your-own-license licensing model. For details on Oracle Database DB instance settings, see [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html). The `DBSecurityGroups` property grants network access to the `AWS::RDS::DBSecurityGroup` resources named `MyDbSecurityByEC2SecurityGroup` and `MyDbSecurityByCIDRIPGroup`. For more information, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html). The DB instance resource also has a `DeletionPolicy` attribute set to `Snapshot`. With the `Snapshot` `DeletionPolicy`, CloudFormation takes a snapshot of the DB instance before deleting it during stack deletion.

### JSON
<a name="quickref-rds-example-2.json"></a>

```
"MyDB" : {
   "Type" : "AWS::RDS::DBInstance",
   "Properties" : {
      "DBSecurityGroups" : [
         {"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" : "MyDbSecurityByCIDRIPGroup"} ],
      "AllocatedStorage" : "5",
      "DBInstanceClass" : "db.t2.small",
      "Engine" : "oracle-ee",
      "LicenseModel" : "bring-your-own-license",
      "MasterUsername" : "master",
      "ManageMasterUserPassword" : true,
      "MasterUserSecret" : {
         "KmsKeyId" : {"Ref" : "KMSKey"}
      }
   },
   "DeletionPolicy" : "Snapshot"
}
```

### YAML
<a name="quickref-rds-example-2.yaml"></a>

```
MyDB:
  Type: AWS::RDS::DBInstance
  Properties:
    DBSecurityGroups:
    - Ref: MyDbSecurityByEC2SecurityGroup
    - Ref: MyDbSecurityByCIDRIPGroup
    AllocatedStorage: '5'
    DBInstanceClass: db.t2.small
    Engine: oracle-ee
    LicenseModel: bring-your-own-license
    MasterUsername: master
    ManageMasterUserPassword: true
    MasterUserSecret:
      KmsKeyId: !Ref KMSKey
  DeletionPolicy: Snapshot
```

## Amazon RDS DBSecurityGroup resource for a CIDR range
<a name="scenario-rds-security-group-cidr"></a>

This example shows an Amazon RDS `DBSecurityGroup` resource with ingress authorization for a CIDR range specified in the `ddd.ddd.ddd.ddd/dd` format. For more information, see [AWS::RDS::DBSecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) and [Ingress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-rds-dbsecuritygroup-ingress.html).

### JSON
<a name="quickref-rds-example-3.json"></a>

```
"MyDbSecurityByCIDRIPGroup" : {
   "Type" : "AWS::RDS::DBSecurityGroup",
   "Properties" : {
      "GroupDescription" : "Ingress for CIDRIP",
      "DBSecurityGroupIngress" : {
          "CIDRIP" : "192.168.0.0/32"
      }
   }
}
```

### YAML
<a name="quickref-rds-example-3.yaml"></a>

```
MyDbSecurityByCIDRIPGroup:
  Type: AWS::RDS::DBSecurityGroup
  Properties:
    GroupDescription: Ingress for CIDRIP
    DBSecurityGroupIngress:
      CIDRIP: "192.168.0.0/32"
```

## Amazon RDS DBSecurityGroup with an Amazon EC2 security group
<a name="scenario-rds-security-group-ec2"></a>

This example shows an [AWS::RDS::DBSecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) resource with ingress authorization from the Amazon EC2 security group referenced by `MyEc2SecurityGroup`.

To do this, you define an EC2 security group and then reference it from the `DBSecurityGroup` with the `Ref` intrinsic function.

### JSON
<a name="quickref-rds-example-4.json"></a>

```
"DBInstance" : {
   "Type": "AWS::RDS::DBInstance",
   "Properties": {
      "DBName"            : { "Ref" : "DBName" },
      "Engine"            : "MySQL",
      "MasterUsername"    : { "Ref" : "DBUsername" },
      "DBInstanceClass"   : { "Ref" : "DBClass" },
      "DBSecurityGroups"  : [ { "Ref" : "DBSecurityGroup" } ],
      "AllocatedStorage"  : { "Ref" : "DBAllocatedStorage" },
      "MasterUserPassword": { "Ref" : "DBPassword" }
   }
},

"DBSecurityGroup": {
   "Type": "AWS::RDS::DBSecurityGroup",
   "Properties": {
      "DBSecurityGroupIngress": {
         "EC2SecurityGroupName": {
            "Fn::GetAtt": ["WebServerSecurityGroup", "GroupName"]
         }
      },
      "GroupDescription" : "Frontend Access"
   }
},

"WebServerSecurityGroup" : {
   "Type" : "AWS::EC2::SecurityGroup",
   "Properties" : {
      "GroupDescription" : "Enable HTTP access via port 80 and SSH access",
      "SecurityGroupIngress" : [
         {"IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0"},
         {"IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "0.0.0.0/0"}
      ]
   }
}
```

### YAML
<a name="quickref-rds-example-4.yaml"></a>

This snippet is taken from the following full example: [Drupal_Single_Instance_With_RDS.template](https://s3.amazonaws.com/cloudformation-templates-us-east-1/Drupal_Single_Instance_With_RDS.template)

```
DBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    DBName:
      Ref: DBName
    Engine: MySQL
    MasterUsername:
      Ref: DBUsername
    DBInstanceClass:
      Ref: DBClass
    DBSecurityGroups:
    - Ref: DBSecurityGroup
    AllocatedStorage:
      Ref: DBAllocatedStorage
    MasterUserPassword:
      Ref: DBPassword
DBSecurityGroup:
  Type: AWS::RDS::DBSecurityGroup
  Properties:
    DBSecurityGroupIngress:
      EC2SecurityGroupName:
        Ref: WebServerSecurityGroup
    GroupDescription: Frontend Access
WebServerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Enable HTTP access via port 80 and SSH access
    SecurityGroupIngress:
    - IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
    - IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 0.0.0.0/0
```

## Multiple VPC security groups
<a name="scenario-multiple-vpc-security-groups"></a>

This example shows an [AWS::RDS::DBSecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) resource with ingress authorization for multiple Amazon EC2 VPC security groups in [AWS::RDS::DBSecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroupingress.html).

### JSON
<a name="quickref-rds-example-5.json"></a>

```
{
   "Resources" : {
      "DBinstance" : {
         "Type" : "AWS::RDS::DBInstance",
         "Properties" : {
            "AllocatedStorage" : "5",
            "DBInstanceClass" : "db.t2.small",
            "DBName" : { "Ref" : "MyDBName" },
            "DBSecurityGroups" : [ { "Ref" : "DbSecurityByEC2SecurityGroup" } ],
            "DBSubnetGroupName" : { "Ref" : "MyDBSubnetGroup" },
            "Engine" : "MySQL",
            "MasterUserPassword" : { "Ref" : "MyDBPassword" },
            "MasterUsername" : { "Ref" : "MyDBUsername" }
         },
         "DeletionPolicy" : "Snapshot"
      },
      "DbSecurityByEC2SecurityGroup" : {
         "Type" : "AWS::RDS::DBSecurityGroup",
         "Properties" : {
            "GroupDescription" : "Ingress for Amazon EC2 security group",
            "EC2VpcId" : { "Ref" : "MyVPC" },
            "DBSecurityGroupIngress" : [ {
               "EC2SecurityGroupId" : "sg-b0ff1111",
               "EC2SecurityGroupOwnerId" : "111122223333"
            }, {
               "EC2SecurityGroupId" : "sg-ffd722222",
               "EC2SecurityGroupOwnerId" : "111122223333"
            } ]
         }
      }
   }
}
```

### YAML
<a name="quickref-rds-example-5.yaml"></a>

```
Resources:
  DBinstance:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: '5'
      DBInstanceClass: db.t2.small
      DBName:
        Ref: MyDBName
      DBSecurityGroups:
      - Ref: DbSecurityByEC2SecurityGroup
      DBSubnetGroupName:
        Ref: MyDBSubnetGroup
      Engine: MySQL
      MasterUserPassword:
        Ref: MyDBPassword
      MasterUsername:
        Ref: MyDBUsername
    DeletionPolicy: Snapshot
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: Ingress for Amazon EC2 security group
      EC2VpcId:
        Ref: MyVPC
      DBSecurityGroupIngress:
      - EC2SecurityGroupId: sg-b0ff1111
        EC2SecurityGroupOwnerId: '111122223333'
      - EC2SecurityGroupId: sg-ffd722222
        EC2SecurityGroupOwnerId: '111122223333'
```

## Amazon RDS DB instance in a VPC security group
<a name="w2aac11c41c76c15"></a>

This example shows an Amazon RDS DB instance associated with an Amazon EC2 VPC security group.

### JSON
<a name="quickref-rds-example-6.json"></a>

```
{
  "DBEC2SecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties" : {
      "GroupDescription": "Open database for access",
      "SecurityGroupIngress" : [{
        "IpProtocol" : "tcp",
        "FromPort" : 3306,
        "ToPort" : 3306,
        "SourceSecurityGroupName" : { "Ref" : "WebServerSecurityGroup" }
      }]
    }
  },
  "DBInstance" : {
    "Type": "AWS::RDS::DBInstance",
    "Properties": {
      "DBName"            : { "Ref" : "DBName" },
      "Engine"            : "MySQL",
      "MultiAZ"           : { "Ref": "MultiAZDatabase" },
      "MasterUsername"    : { "Ref" : "DBUser" },
      "DBInstanceClass"   : { "Ref" : "DBClass" },
      "AllocatedStorage"  : { "Ref" : "DBAllocatedStorage" },
      "MasterUserPassword": { "Ref" : "DBPassword" },
      "VPCSecurityGroups" : [ { "Fn::GetAtt": [ "DBEC2SecurityGroup", "GroupId" ] } ]
    }
  }
}
```

### YAML
<a name="quickref-rds-example-6.yaml"></a>

```
DBEC2SecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Open database for access
    SecurityGroupIngress:
    - IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      SourceSecurityGroupName:
        Ref: WebServerSecurityGroup
DBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    DBName:
      Ref: DBName
    Engine: MySQL
    MultiAZ:
      Ref: MultiAZDatabase
    MasterUsername:
      Ref: DBUser
    DBInstanceClass:
      Ref: DBClass
    AllocatedStorage:
      Ref: DBAllocatedStorage
    MasterUserPassword:
      Ref: DBPassword
    VPCSecurityGroups:
    - !GetAtt DBEC2SecurityGroup.GroupId
```
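A small template lint, added here as an example and not part of this page's or AWS's own code, that checks a JSON template for the settings discussed above: the Secrets Manager managed master password and `DeletionPolicy: Snapshot` from the first two sections, and EC2 security group ingress rules open to `0.0.0.0/0` such as the port 22 rule in the `WebServerSecurityGroup` snippet. The sample template and its logical IDs are constructed; a YAML template would first need to be loaded with a YAML parser.

```python
import json

# Added example (not AWS's code). Lints a CloudFormation template for a DB
# instance that still passes MasterUserPassword instead of setting
# ManageMasterUserPassword: true, a DB instance without DeletionPolicy:
# Snapshot, and EC2 security group ingress open to 0.0.0.0/0. Constructed
# sample: MyDB follows the page's managed-password snippet, LegacyDB does not.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "MyDB": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "MySQL", "ManageMasterUserPassword": True,
                           "MasterUserSecret": {"KmsKeyId": {"Ref": "KMSKey"}}},
            "DeletionPolicy": "Snapshot",
        },
        "LegacyDB": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "MySQL",
                           "MasterUserPassword": {"Ref": "DBPassword"}},
        },
        "WebServerSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "SourceSecurityGroupName": {"Ref": "WebServerSecurityGroup"}},
            ]},
        },
    }
})


def lint_template(template_json):
    """Return sorted (logical_id, finding) tuples for a JSON template string."""
    findings = []
    resources = json.loads(template_json).get("Resources", {})
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::RDS::DBInstance":
            # With a managed password RDS keeps the secret in Secrets Manager,
            # so the template never carries a password parameter.
            if props.get("ManageMasterUserPassword") is not True:
                findings.append((name, "master password not managed by Secrets Manager"))
            if res.get("DeletionPolicy") != "Snapshot":
                findings.append((name, "DeletionPolicy is not Snapshot"))
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0":
                    findings.append((name, f"port {rule.get('FromPort')} open to 0.0.0.0/0"))
    return sorted(findings)
```

Running `lint_template(SAMPLE_TEMPLATE)` reports only `LegacyDB` and the port 22 rule; `MyDB` passes both checks.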