AWSTemplateFormatVersion: '2010-09-09'
# SAM transform: expands AWS::Serverless::* resources and the Globals section below.
Transform: AWS::Serverless-2016-10-31
Description: |
  An AWS Lambda function and an Amazon Aurora PostgreSQL DB in an Aurora Serverless v2 DB cluster with RDS Data API and a Secrets Manager secret. (uksb-1tthgi812) (tag:lambda-aurora-serverlessv2-postgresql)
# Global values that are applied to all applicable resources in this template
Globals:
  # Defaults inherited by every AWS::Serverless::Function in this template
  Function:
    Runtime: python3.12
    Architectures:
      - arm64
    CodeUri: ./src
    MemorySize: 128
    Timeout: 10
    LoggingConfig:
      LogFormat: JSON
    Tags:
      project: lambda-aurora-serverlessv2-postgresql
Parameters:
  # Cluster identifier; the secret name and function name are derived from it.
  DBClusterName:
    Type: String
    Description: Aurora DB cluster name.
    Default: aurora-test-cluster
  # Name of the initial database created in the cluster.
  DatabaseName:
    Type: String
    Description: Aurora database name.
    Default: aurora_test_db
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9_]*'
    ConstraintDescription: Must begin with a letter and only contain alphanumeric characters.
  # Master user name only; the password is generated by Secrets Manager, not passed in.
  DBAdminUserName:
    Type: String
    Description: The admin user name.
    Default: admin_user
    MinLength: '2'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z0-9_]+'
    ConstraintDescription: Must be between 2 to 16 alphanumeric characters.
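Resources:
  # Secrets Manager secret holding the DB master credentials. The password is
  # generated at deploy time and is never a template parameter.
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub ${DBClusterName}-AuroraUserSecret
      Description: RDS database auto-generated user password
      Tags:
        - Key: project
          Value: lambda-aurora-serverlessv2-postgresql
      GenerateSecretString:
        # The username comes from the parameter; only the password is generated.
        SecretStringTemplate: !Sub '{"username": "${DBAdminUserName}"}'
        GenerateStringKey: password
        PasswordLength: 30
        # RDS master passwords may not contain '/', '"' or '@'.
        ExcludeCharacters: '"@/\'
  # Aurora Serverless v2 DB Cluster with Data API
  AuroraCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Tags:
        - Key: project
          Value: lambda-aurora-serverlessv2-postgresql
      DBClusterIdentifier: !Ref DBClusterName
      # Credentials are pulled from the secret through dynamic references at
      # deploy time, so no password is stored in the template or its parameters.
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
      DatabaseName: !Ref DatabaseName
      Engine: aurora-postgresql
      # Serverless v2 uses the 'provisioned' engine mode with a db.serverless instance.
      EngineMode: provisioned
      StorageEncrypted: true
      # Enable the Data API for Aurora Serverless
      EnableHttpEndpoint: true
      # NOTE(review): DeletionProtection and BackupRetentionPeriod are left at their
      # defaults here — confirm this is acceptable before using the template outside a test.
      ServerlessV2ScalingConfiguration:
        MinCapacity: 0.5
        MaxCapacity: 1
  # Serverless v2 instance that runs inside the cluster above.
  AuroraInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Tags:
        - Key: project
          Value: lambda-aurora-serverlessv2-postgresql
      Engine: aurora-postgresql
      DBInstanceClass: db.serverless
      DBClusterIdentifier: !Ref AuroraCluster
      # No public endpoint; the function reaches the database through the Data API.
      PubliclyAccessible: false
  # Lambda Function - uses Globals to define additional configuration values
  LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ${DBClusterName}-function
      Handler: app.lambda_handler
      # Function environment variables
      Environment:
        Variables:
          # ${AWS::Partition} keeps the ARN valid outside the standard 'aws' partition.
          DBClusterArn: !Sub arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:cluster:${DBClusterName}
          DBName: !Ref DatabaseName
          SecretArn: !Ref DBSecret
      # Creates an IAM Role that defines the services the function can access and which actions the function can perform
      Policies:
        # Read access to this one secret only.
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: !Ref DBSecret
        # Data API access scoped to this one cluster.
        - Statement:
            - Effect: Allow
              Action: rds-data:ExecuteStatement
              Resource: !Sub arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:cluster:${DBClusterName}
      # S3 object-created / object-removed notifications invoke the function.
      Events:
        Bucket:
          Type: S3
          Properties:
            Bucket: !Ref Bucket
            Events:
              - s3:ObjectCreated:*
              - s3:ObjectRemoved:*
  # Bucket whose object events trigger the function.
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${AWS::StackName}-bucket-${AWS::AccountId}
      # Default encryption at rest with the AWS-managed S3 KMS key.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: alias/aws/s3
      # All four settings are required for a complete public-access block: without
      # BlockPublicAcls / BlockPublicPolicy, public ACLs and public policies can still be attached.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # Bucket policy: deny any request that does not use TLS (aws:SecureTransport = false).
  BucketBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Id: RequireEncryptionInTransit
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Principal: '*'
            Action: '*'
            Resource:
              - !GetAtt Bucket.Arn
              - !Sub ${Bucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'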
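Outputs:
  DBClusterArn:
    Description: Aurora DB Cluster Resource ARN
    # ${AWS::Partition} keeps the ARN valid outside the standard 'aws' partition.
    Value: !Sub arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:cluster:${DBClusterName}
  DBClusterEndpoint:
    Description: Aurora DB Cluster Endpoint Address
    Value: !GetAtt AuroraCluster.Endpoint.Address
  DBName:
    Description: Aurora Database Name
    Value: !Ref DatabaseName
  DBAdminUserName:
    Description: Aurora Database Admin User
    Value: !Ref DBAdminUserName
  # Only the secret's ARN is exported; the password itself stays in Secrets Manager.
  SecretArn:
    Description: Secrets Manager Secret ARN
    Value: !Ref DBSecret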