giuseppe-trisciuoglio/developer-kit

Comprehensive developer toolkit providing reusable skills for Java/Spring Boot, TypeScript/NestJS/React/Next.js, Python, PHP, AWS CloudFormation, AI/RAG, DevOps, and more.

Quality

90%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Securityby

Risky

Do not use without reviewing

This version of the tile failed moderation

Moderation pipeline encountered an internal error

name:: aws-cloudformation-rds
description:: Provides AWS CloudFormation patterns for Amazon RDS databases. Use when creating RDS instances (MySQL, PostgreSQL, Aurora), DB clusters, multi-AZ deployments, parameter groups, subnet groups, and implementing template structure with Parameters, Outputs, Mappings, Conditions, and cross-stack references.
allowed-tools:: Read, Write, Bash

AWS CloudFormation RDS Database

Name: giuseppe-trisciuoglio/developer-kit
Rating: 90.85333333333334 (1 reviews)
Author: giuseppe-trisciuoglio

Overview

Create production-ready Amazon RDS infrastructure using AWS CloudFormation templates. Covers RDS instances (MySQL, PostgreSQL, Aurora), DB clusters, multi-AZ deployments, parameter groups, subnet groups, security groups, and cross-stack references.

When to Use

Creating RDS instances (MySQL, PostgreSQL, Aurora) or DB clusters with read replicas
Setting up multi-AZ deployments or configuring parameter/subnet groups
Integrating with Secrets Manager or implementing cross-stack references

Quick Reference

Component	CloudFormation Type	Use Case
DB Instance	`AWS::RDS::DBInstance`	Single database instance
DB Cluster	`AWS::RDS::DBCluster`	Aurora cluster
DB Subnet Group	`AWS::RDS::DBSubnetGroup`	VPC deployment
Parameter Group	`AWS::RDS::DBParameterGroup`	Database configuration
Security Group	`AWS::EC2::SecurityGroup`	Network access control
Secrets Manager	`AWS::SecretsManager::Secret`	Credential storage

Instructions

Step 1 — Define Database Parameters

Use AWS-specific parameter types for validation.

Parameters:
  DBInstanceClass:
    Type: AWS::RDS::DBInstance::InstanceType
    Default: db.t3.micro
    AllowedValues: [db.t3.micro, db.t3.small, db.t3.medium]

  Engine:
    Type: String
    Default: mysql
    AllowedValues: [mysql, postgres, aurora-mysql, aurora-postgresql]

  MasterUsername:
    Type: String
    Default: admin
    AllowedPattern: "^[a-zA-Z][a-zA-Z0-9]*$"
    MinLength: 1
    MaxLength: 16

  MasterUserPassword:
    Type: String
    NoEcho: true
    MinLength: 8
    MaxLength: 41

See template-structure.md for advanced parameter patterns, mappings, conditions, and cross-stack references.

Step 2 — Create DB Subnet Group

Required for VPC deployment with subnets in different AZs.

DBSubnetGroup:
  Type: AWS::RDS::DBSubnetGroup
  Properties:
    DBSubnetGroupDescription: Subnet group for RDS
    SubnetIds:
      - !Ref PrivateSubnet1
      - !Ref PrivateSubnet2

See database-components.md for parameter groups, option groups, and engine-specific configurations.

Step 3 — Configure Security Group

Restrict access to application tier only.

DBSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Security group for RDS
    VpcId: !Ref VpcId
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        SourceSecurityGroupId: !Ref AppSecurityGroup

See security-secrets.md for VPC security groups, encryption, Secrets Manager integration, and IAM authentication.

Step 4 — Launch RDS Instance

Configure instance with subnet group, security group, and settings.

DBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    DBInstanceIdentifier: !Sub "${AWS::StackName}-mysql"
    DBInstanceClass: !Ref DBInstanceClass
    Engine: !Ref Engine
    MasterUsername: !Ref MasterUsername
    MasterUserPassword: !Ref MasterUserPassword
    AllocatedStorage: 20
    StorageType: gp3
    DBSubnetGroupName: !Ref DBSubnetGroup
    VPCSecurityGroups: [!Ref DBSecurityGroup]
    StorageEncrypted: true
    MultiAZ: true
    BackupRetentionPeriod: 7
    DeletionProtection: false

See database-components.md for MySQL, PostgreSQL, Aurora cluster configurations, and parameter groups.

Step 5 — Enable High Availability

Configure multi-AZ deployment for production.

Conditions:
  IsProduction: !Equals [!Ref Environment, production]

Resources:
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      MultiAZ: !If [IsProduction, true, false]
      BackupRetentionPeriod: !If [IsProduction, 35, 7]
      DeletionProtection: !If [IsProduction, true, false]
      EnablePerformanceInsights: !If [IsProduction, true, false]

See high-availability.md for multi-AZ deployments, read replicas, Aurora auto-scaling, enhanced monitoring, and disaster recovery.

Step 6 — Define Outputs

Export connection details for application stacks.

Outputs:
  DBInstanceEndpoint:
    Description: Database endpoint address
    Value: !GetAtt DBInstance.Endpoint.Address
    Export:
      Name: !Sub ${AWS::StackName}-DBEndpoint

  DBInstancePort:
    Description: Database port
    Value: !GetAtt DBInstance.Endpoint.Port
    Export:
      Name: !Sub ${AWS::StackName}-DBPort

  DBConnectionString:
    Description: Connection string
    Value: !Sub jdbc:mysql://${DBInstance.Endpoint.Address}:${DBInstance.Endpoint.Port}/${DBName}

See template-structure.md for cross-stack reference patterns and import/export strategies.

Validation Steps

Always validate before deploying, especially to production.

# Validate the template syntax
aws cloudformation validate-template --template-body file://template.yaml

# Review the change set before applying updates
aws cloudformation create-change-set \
  --stack-name my-rds-stack \
  --template-body file://template.yaml \
  --change-set-type UPDATE

aws cloudformation describe-change-set --change-set-name <arn>

# Execute the change set if the preview looks correct
aws cloudformation execute-change-set --change-set-name <arn>

Best Practices

Category	Practice	Implementation
Security	Encryption at rest	`StorageEncrypted: true` with KMS key
Security	Credential management	Use Secrets Manager integration
Security	Network isolation	Private subnets, restrictive SG rules
Security	IAM authentication	Enable `IAMDatabaseAuthentication`
HA	Multi-AZ deployment	`MultiAZ: true` for production
HA	Deletion protection	`DeletionProtection: true` for production
HA	Backup retention	35 days for production, 7 for dev
HA	Read replicas	Use for read-heavy workloads
Cost	Storage type	Use `gp3` for cost efficiency
Cost	Instance sizing	Right-size based on workload
Cost	Serverless	Consider Aurora Serverless for variable loads
Operations	Change sets	Always review before applying updates
Operations	Drift detection	Enable for template compliance
Operations	Monitoring	Configure CloudWatch alarms

See operational-practices.md for detailed guidance on stack policies, termination protection, and backup strategies.

Examples

Complete production-ready RDS instance with MultiAZ, encryption, and Secrets Manager integration:

AWSTemplateFormatVersion: '2010-09-09'
Description: Production RDS Instance

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Identifier
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Identifier>
  AppSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  Environment:
    Type: String
    AllowedValues: [dev, staging, production]
  MasterUsername:
    Type: String
    Default: dbadmin

Conditions:
  IsProduction: !Equals [!Ref Environment, production]

Resources:
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: !Sub "${AWS::StackName} subnet group"
      SubnetIds: !Ref SubnetIds

  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName} RDS security group"
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref AppSecurityGroupId

  DBInstance:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    UpdateReplacePolicy: Snapshot
    Properties:
      DBInstanceIdentifier: !Sub "${AWS::StackName}-mysql"
      DBInstanceClass: db.t3.medium
      Engine: mysql
      EngineVersion: '8.0'
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      AllocatedStorage: 50
      StorageType: gp3
      StorageEncrypted: true
      KmsKeyId: !Ref KmsKeyId
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups: [!Ref DBSecurityGroup]
      MultiAZ: !If [IsProduction, true, false]
      BackupRetentionPeriod: !If [IsProduction, 35, 7]
      DeletionProtection: !If [IsProduction, true, false]
      EnablePerformanceInsights: !If [IsProduction, true, false]
      PerformanceInsightsRetentionPeriod: !If [IsProduction, 731, 7]

  KmsKeyId:
    Type: AWS::KMS::Key
    Condition: IsProduction
    Properties:
      Description: KMS key for RDS encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'

Outputs:
  DBEndpoint:
    Description: Database endpoint
    Value: !GetAtt DBInstance.Endpoint.Address
    Export:
      Name: !Sub ${AWS::StackName}-DBEndpoint
  DBPort:
    Description: Database port
    Value: !GetAtt DBInstance.Endpoint.Port
    Export:
      Name: !Sub ${AWS::StackName}-DBPort

See examples.md for additional examples including Aurora clusters, read replicas, and multi-region setups.

References

Core Configuration

template-structure.md — Template sections, parameters, mappings, conditions, outputs, cross-stack references
database-components.md — DB instances, clusters, parameter groups, subnet groups, Aurora configurations
security-secrets.md — Security groups, encryption, Secrets Manager, IAM authentication
high-availability.md — Multi-AZ, read replicas, Aurora auto-scaling, disaster recovery

Operational Guides

operational-practices.md — Stack policies, termination protection, drift detection, change sets, monitoring
constraints.md — Resource limits, operational constraints, security constraints, cost considerations

Additional Resources

examples.md — Complete production-ready examples
reference.md — CloudFormation RDS resource reference

Constraints and Warnings

Resource Limits

Maximum storage size varies by engine (up to 64 TB for MySQL/PostgreSQL)
Maximum 500 resources per CloudFormation stack
Parameter group limits vary by account/region

Cost Considerations

Multi-AZ deployments cost approximately double single-AZ
Provisioned IOPS (io1) significantly increases costs
Backup storage beyond free tier incurs monthly costs
Manual snapshots incur storage costs even after instance deletion

Security Constraints

Master password cannot be retrieved after creation
Encryption at rest cannot be disabled once enabled
RDS instances must be in VPC (public access not recommended)
Security group rules must restrict access to application tier

Operational Constraints

Certain modifications (engine version, storage type) require instance replacement with downtime
Maintenance windows may cause brief service interruptions
Read replicas may lag behind primary by seconds to minutes
Not all database engines available in all regions

See constraints.md for complete constraints, troubleshooting guides, and performance considerations.

docs

plugins

developer-kit-aws

agents

docs

skills

aws

aws-cloudformation

aws-cloudformation-auto-scaling

aws-cloudformation-bedrock

aws-cloudformation-cloudfront

aws-cloudformation-cloudwatch

aws-cloudformation-dynamodb

aws-cloudformation-ec2

aws-cloudformation-ecs

aws-cloudformation-elasticache

aws-cloudformation-iam

aws-cloudformation-lambda

aws-cloudformation-rds

references

SKILL.md

aws-cloudformation-s3

aws-cloudformation-security

aws-cloudformation-task-ecs-deploy-gh

aws-cloudformation-vpc

README.md

developer-kit-core

developer-kit-devops

developer-kit-java

developer-kit-project-management

developer-kit-specs

developer-kit-typescript

github-spec-kit

scripts

giuseppe-trisciuoglio/developer-kit

SKILL.md.css-3qkkll{font-size:var(--chakra-font-sizes-sm);font-weight:var(--chakra-font-weights-normal);color:var(--chakra-colors-gray-300);}plugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-rds/

AWS CloudFormation RDS Database

Overview

When to Use

Quick Reference

Instructions

Step 1 — Define Database Parameters

Step 2 — Create DB Subnet Group

Step 3 — Configure Security Group

Step 4 — Launch RDS Instance

Step 5 — Enable High Availability

Step 6 — Define Outputs

Validation Steps

Best Practices

Examples

References

Core Configuration

Operational Guides

Additional Resources

Constraints and Warnings

Resource Limits

Cost Considerations

Security Constraints

Operational Constraints

SKILL.mdplugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-rds/