Attention

For production workloads, we recommend sing Lookup you can use existing OpenSearch clusters with your new services. This will avoid accidental deletions or rollback situations where both your DB and services have to rollback.

x-rds

x-rds:
  dbA:
    Properties: {}
    MacroParameters: {}
    Services: {}
    Lookup: {}

Define RDS DB Instances/Clusters and/or use existing ones and link access to the services.

When creating new RDS resources, compose-x will use AWS Secrets Manager to automatically register the new database username / password and passes it on to the services. See SecretsMapping and Database Credentials for more details.

See also

See Change AWS RDS / DocumentDB secret environment variables for a step by step example to change the SecretsMapping

Services

Access

Access:
  DBCluster: RO
GenerateConnectionStringSecret: <string>

The only valid key for Access is DBCluster. The only valid value is RO for read-only, which allows IAM calls to RDS to describe the cluster.

ReturnValues

Use the AWS RDS DBCluster Return Values to expose the value for these properties to your service as an environment variable. If you are creating a RDS DB Instance, see AWS RDS DB Instance Return Values .

The value DBCluster can be used to expose the value for Ref

GrantTaskAccess

Allow to grant secret access to the Task Role. Can be either a boolean or mapping to specify an environment variable name with the ARN of the secret

Services:
  app01:
    Access: RW
  app03:
    Access: RW
    GrantTaskAccess:
      SecretEnvName: DB_B_SECRET # Grants access to the secret, sets env var DB_B_SECRET to the ARN
  youtoo:
    Access: RW
    GrantTaskAccess: True # Grants access to the secret, not setting an env var

GenerateConnectionStringSecret

This option enables to create a new secret that will be generated from the RDS Secret. The feature works for both newly created DBs and existing DBs (using Lookup).

Warning

Once the secret has been created, if the root secret of the DB has changed, the value in the generated secret will not be updated! Use at your own risks

Hint

Avoid to require the DB Connection string and have a separate environment variable for each part of the connection.

Example: postgres://username:password@cluster-hostname:port/dbname

SecretsMapping

This is an optional feature that allows you to map the secret key stored into Secrets Manager (see Database Credentials ) to a different environment variable.

Sample for bitnami wordpress application
x-rds:
  wordpress-db:
    Properties:
      Engine: "aurora-mysql"
      EngineVersion: "5.7"
      BackupRetentionPeriod: 1
      DatabaseName: wordpress
      StorageEncrypted: True
      Tags:
        - Key: Name
          Value: "dummy-db"
    Services:
      wordpress:
        Access:
          DBCluster: RO
        SecretsMappings:
          Mappings:
            host: MARIADB_HOST
            port: MARIADB_PORT_NUMBER
            username: WORDPRESS_DATABASE_USER
            password: WORDPRESS_DATABASE_PASSWORD
            dbname: WORDPRESS_DATABASE_NAME

Hint

Using a mapping/dict format avoids duplicates. If you need the same value more than once, use the list syntax, as shown in the previous example.

If you combine the mappings for all services to specific mappings for one service, the specific ones take precedence.

Properties

RDS clusters or instances need a lot of properties. In order to keep compatibility you can still provide all the properties that the RDS Cluster or RDS Instance would need with the same definition as in AWS CloudFormation.

However, some settings will be replaced automatically (at least for the foreseeable future), such as the master username and password. The reason for it is to allow to keep integration to your ECS Services as seamless as possible.

Note

When using Properties, you can use either the RDS Aurora Cluster properties or RDS Instances properties. ECS ComposeX will attempt to automatically identify whether this is a DB Cluster or DB Instance properties set. If successful, it will ingest all your properties, and interpolate a few with new ones created for you.

Properties overridden

MacroParameters

MacroParameters for RDS allow you to set only very little settings / properties and let ECS ComposeX do the rest for you.

MacroParameters syntax
Engine: str
EngineVersion: str
UseServerless: bool
UseMultiAz: bool
ParametersGroup: {}         # Properties for parameters group as per AWS CFN definition
Instances: []               # Only valid when creating a DBCluster, allows to define multiple DB Instances
RdsFeatures: {}             # Custom settings to define AWS RDS AssociatedRoles
PermissionsBoundary: str    # Allow you to define an IAM boundary policy that will be used for the RDS IAM role(s)
MacroParameters definitions example
Engine: aurora-postgresql # Same as AWS CFN Engine property
EngineVersion: 11.7 # Same as AWS CFN EngineVersion property
UseServerless: False
UseMultiAz: True
ParametersGroups:
  Description: Some description
  Family: aurora-postgresql-11.7
  Parameters: {}
Instances: []
RdsFeatures:
  - Name: s3Import
    Resources:
      - x-s3::bucket-01
      - arn:aws:s3:::bucket/path/allowed/*
      - bucket-name

PermissionsBoundary

Allows to define whether an IAM Policy boundary is required for the IAM roles that will be created around the RDS Cluster/Instance.

Hint

This value can be either a policy name or policy ARN. When a policy Name, the ARN is built based on your Account ID.

RdsFeatures

Syntax definition
RdsFeatures:
  - Name: <DB Engine feature name>
  - Resources: [<str>]

The RDS Features is a wrapper to automatically define which RDS Features, supported by the Engine family, you might want to enable. For these features, which require an IAM role, it will create a new IAM role specifically linked to RDS and grant permissions based on the what the feature requires.

If you had set AssociatedRoles already in the permissions, then each FeatureName you have already defined that you might re-define in RdsFeatures will be skipped. If you wish to use RdsFeatures then remove that feature from the AssociateRoles definition.

Attention

This was primarily developed to allow feature request #375 so at the moment it only supports s3Import and s3Export.

Example with different bucket names syntax
x-rds:
  dbB:
    Properties: {}
    MacroParameters:
      PermissionsBoundary: policy-name
      RdsFeatures:
        - Name: s3Import
          Resources:
            - x-s3::bucket-01
            - arn:aws:s3:::sacrificial-lamb/folder/*
            - bucket-name
        - Name: s3Export
          Resources:
            - x-s3::bucket-01
            - arn:aws:s3:::sacrificial-lamb/folder/*
            - bucket-name

Hint

You can reference a S3 bucket defined in x-s3 . This supports S3 buckets created and referenced via Lookup

Settings

Refer to Settings

Lookup

For x-rds, Lookup will 2 sub-arguments (cluster and instance are mutually exclusive). cluser or instance allow you to identify the RDS DB Cluster or DB Instance you wish your services to connect to.

Optionally (highly recommended), you can also set secret which indicates which secret in AWS Secrets Manager the service should be allowed to retrieve to connect to said Cluster / Instance.

It will also automatically identify the DB security group and add an ingress rule.

x-rds:
  dba:
    Lookup:
      cluster:
        Name: cluster-identifier
        Tags:
          - sometag: value
      instance:
        Name: DB Instance Id
        Tags:
          - sometag: value
      secret:
        Tags:
          - sometag: value
        Name: secret/in/secretsmanager

Database Credentials

Aurora and traditional RDS Databases support both Username/Password generic authentication. Due to the wide adoption of that authentication mechanism, all RDS Dbs will come with a username/password, auto generated and stored in AWS Secrets Manager.

AWS Secrets Manager integrates very nicely to AWS RDS. This has no intention to implement the rotation system at this point in time, however, it will generate the password for the database and expose it securely to the microservices which can via environment variables fetch

After attachment between the RDS and the secret, the secret will not only contain the username and password, but additional information that is required by your application to connect to the database.

{
  "password": "string<>"
  "dbname": "string<>",
  "engine": "string<>",
  "port": int<port>,
  "host": "string<>"
  "username": "string<>"
}

Hint

We do plan to allow a tick button to enable Aurora authentication with IAM, however have not received a Feature Request for it.

Examples

New DB Creation
x-rds:
  dbname:
    Properties:
      Engine: aurora-mysql
      EngineVersion: 5.7.12
    Services:
      app01:
        Access:
          DBCluster: RO
Existing Cluster DB Lookup
x-rds:
  existing-cluster-dbA:
    Lookup:
      cluster:
        Tags:
          - key: value
      secret:
        Tags:
          - key: value

Hint

The DB Family group will be found automatically and the setting will allow creation of a new RDS Parameter group for the Cluster / DB Instance.

Tip

You can find the test files here to use as reference for your use-case.

JSON Schema

Model

x-rds

x-rds.spec.json

x-rds specification

type

object

properties

  • Lookup

#/definitions/Lookup

  • Properties

type

object

  • Settings

#/definitions/SettingsDef

  • Services

#/definitions/ServicesDef

  • MacroParameters

#/definitions/RdsMacros

additionalProperties

False

definitions

  • ServicesDef

x-rds-common.spec.json#/definitions/ServicesObjectDef

  • ServicesObjectDef

type

object

patternProperties

  • [\x20-\x7E]+$

Object representation of the service to use.

properties

  • Access

oneOf

type

string

type

object

  • SecretsMappings

#/definitions/SecretsMappingsDef

  • GenerateConnectionStringSecret

If set, creates an additional secret that will represent the connection string to the DB, and sets the environment variable

type

string

  • ReturnValues

Set the CFN Return Value and the environment variable name you want to expose to the service

type

object

patternProperties

  • [\x20-\x7E]+$

oneOf

x-resources.common.spec.json#/definitions/varNameDef

type

object

properties

  • EnvVarName

x-resources.common.spec.json#/definitions/varNameDef

additionalProperties

False

additionalProperties

False

  • ServicesListDef

type

array

items

type

object

properties

  • name

type

string

  • access

oneOf

type

string

type

object

properties

  • DBCluster

type

string

additionalProperties

True

  • SecretsMappings

#/definitions/SecretsMappingsDef

  • SettingsDef

type

object

properties

  • SecretsMappings

#/definitions/SecretsMappingsDef

  • Subnets

type

string

  • SecretsMappingsDef

type

object

properties

  • PrefixWithDbName

type

string / boolean

  • Mappings

oneOf

#/definitions/SecretsMappingsList

#/definitions/SecretsMappingsObject

additionalProperties

False

  • SecretsMappingsList

type

array

items

type

object

properties

  • SecretKey

type

string

  • VarName

type

string

pattern

^[a-zA-Z0-9_]+$

additionalProperties

False

  • SecretsMappingsObject

type

object

patternProperties

  • ^[a-zA-Z0-9_]+$

type

string

  • Lookup

type

object

properties

  • RoleArn

x-resources.common.spec.json#/definitions/Lookup/properties/RoleArn

  • cluster

type

object

properties

  • Name

type

string

  • Tags

x-resources.common.spec.json#/definitions/Lookup/properties/Tags

  • db

type

object

properties

  • Name

type

string

  • Tags

x-resources.common.spec.json#/definitions/Lookup/properties/Tags

  • secret

type

object

properties

  • Name

type

string

  • Tags

x-resources.common.spec.json#/definitions/Lookup/properties/Tags

  • RdsMacros

type

object

properties

  • Engine

The RDS Engine name

type

string

  • EngineVersion

type

string

Definition

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "id": "x-rds.spec.json",
  "$id": "x-rds.spec.json",
  "title": "x-rds",
  "description": "x-rds specification",
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "Lookup": {
      "$ref": "#/definitions/Lookup"
    },
    "Properties": {
      "type": "object"
    },
    "Settings": {
      "$ref": "#/definitions/SettingsDef"
    },
    "Services": {
      "$ref": "#/definitions/ServicesDef"
    },
    "MacroParameters": {
      "$ref": "#/definitions/RdsMacros"
    }
  },
  "definitions": {
    "ServicesDef": {
      "$ref": "x-rds-common.spec.json#/definitions/ServicesObjectDef"
    },
    "ServicesObjectDef": {
      "type": "object",
      "patternProperties": {
        "[\\x20-\\x7E]+$": {
          "description": "Object representation of the service to use.",
          "properties": {
            "Access": {
              "oneOf": [
                {
                  "type": "string"
                },
                {
                  "type": "object"
                }
              ]
            },
            "SecretsMappings": {
              "$ref": "#/definitions/SecretsMappingsDef"
            },
            "GenerateConnectionStringSecret": {
              "type": "string",
              "description": "If set, creates an additional secret that will represent the connection string to the DB, and sets the environment variable"
            },
            "ReturnValues": {
              "type": "object",
              "description": "Set the CFN Return Value and the environment variable name you want to expose to the service",
              "additionalProperties": false,
              "patternProperties": {
                "[\\x20-\\x7E]+$": {
                  "oneOf": [
                    {
                      "$ref": "x-resources.common.spec.json#/definitions/varNameDef"
                    },
                    {
                      "type": "object",
                      "additionalProperties": false,
                      "properties": {
                        "EnvVarName": {
                          "$ref": "x-resources.common.spec.json#/definitions/varNameDef"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    },
    "ServicesListDef": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string"
          },
          "access": {
            "oneOf": [
              {
                "type": "string"
              },
              {
                "type": "object",
                "additionalProperties": true,
                "required": [
                  "DBCluster"
                ],
                "properties": {
                  "DBCluster": {
                    "type": "string"
                  }
                }
              }
            ]
          },
          "SecretsMappings": {
            "$ref": "#/definitions/SecretsMappingsDef"
          }
        }
      }
    },
    "SettingsDef": {
      "type": "object",
      "properties": {
        "SecretsMappings": {
          "$ref": "#/definitions/SecretsMappingsDef"
        },
        "Subnets": {
          "type": "string"
        }
      }
    },
    "SecretsMappingsDef": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "PrefixWithDbName": {
          "type": [
            "string",
            "boolean"
          ]
        },
        "Mappings": {
          "oneOf": [
            {
              "$ref": "#/definitions/SecretsMappingsList"
            },
            {
              "$ref": "#/definitions/SecretsMappingsObject"
            }
          ]
        }
      }
    },
    "SecretsMappingsList": {
      "type": "array",
      "items": {
        "type": "object",
        "additionalProperties": false,
        "required": [
          "SecretKey"
        ],
        "properties": {
          "SecretKey": {
            "type": "string"
          },
          "VarName": {
            "type": "string",
            "pattern": "^[a-zA-Z0-9_]+$"
          }
        }
      }
    },
    "SecretsMappingsObject": {
      "type": "object",
      "patternProperties": {
        "^[a-zA-Z0-9_]+$": {
          "type": "string"
        }
      }
    },
    "Lookup": {
      "type": "object",
      "oneOf": [
        {
          "required": [
            "cluster"
          ]
        },
        {
          "required": [
            "db"
          ]
        }
      ],
      "properties": {
        "RoleArn": {
          "$ref": "x-resources.common.spec.json#/definitions/Lookup/properties/RoleArn"
        },
        "cluster": {
          "type": "object",
          "properties": {
            "Name": {
              "type": "string"
            },
            "Tags": {
              "$ref": "x-resources.common.spec.json#/definitions/Lookup/properties/Tags"
            }
          }
        },
        "db": {
          "type": "object",
          "properties": {
            "Name": {
              "type": "string"
            },
            "Tags": {
              "$ref": "x-resources.common.spec.json#/definitions/Lookup/properties/Tags"
            }
          }
        },
        "secret": {
          "type": "object",
          "properties": {
            "Name": {
              "type": "string"
            },
            "Tags": {
              "$ref": "x-resources.common.spec.json#/definitions/Lookup/properties/Tags"
            }
          }
        }
      }
    },
    "RdsMacros": {
      "type": "object",
      "properties": {
        "Engine": {
          "type": "string",
          "description": "The RDS Engine name"
        },
        "EngineVersion": {
          "type": "string"
        }
      }
    }
  }
}

Test files

You can find the test files here to use as reference for your use-case.