AWS CloudFormation RDS Database

Overview

Create production-ready Amazon RDS infrastructure using AWS CloudFormation templates. Covers RDS instances (MySQL, PostgreSQL, Aurora), DB clusters, multi-AZ deployments, parameter groups, subnet groups, security groups, and cross-stack references.

When to Use

• Creating RDS instances (MySQL, PostgreSQL, Aurora) or DB clusters with read replicas
• Setting up multi-AZ deployments or configuring parameter/subnet groups
• Integrating with Secrets Manager or implementing cross-stack references

Quick Reference

AWS::RDS::DBInstance

AWS::RDS::DBCluster

AWS::RDS::DBSubnetGroup

AWS::RDS::DBParameterGroup

AWS::EC2::SecurityGroup

AWS::SecretsManager::Secret

Instructions

Step 1 — Define Database Parameters

Use AWS-specific parameter types for validation.

Parameters:
  DBInstanceClass:
    Type: AWS::RDS::DBInstance::InstanceType
    Default: db.t3.micro
    AllowedValues: [db.t3.micro, db.t3.small, db.t3.medium]

  Engine:
    Type: String
    Default: mysql
    AllowedValues: [mysql, postgres, aurora-mysql, aurora-postgresql]

  MasterUsername:
    Type: String
    Default: admin
    AllowedPattern: "^[a-zA-Z][a-zA-Z0-9]*$"
    MinLength: 1
    MaxLength: 16

  MasterUserPassword:
    Type: String
    NoEcho: true
    MinLength: 8
    MaxLength: 41

See template-structure.md for advanced parameter patterns, mappings, conditions, and cross-stack references.

Step 2 — Create DB Subnet Group

Required for VPC deployment with subnets in different AZs.

DBSubnetGroup:
  Type: AWS::RDS::DBSubnetGroup
  Properties:
    DBSubnetGroupDescription: Subnet group for RDS
    SubnetIds:
      - !Ref PrivateSubnet1
      - !Ref PrivateSubnet2

See database-components.md for parameter groups, option groups, and engine-specific configurations.

Step 3 — Configure Security Group

Restrict access to application tier only.

DBSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Security group for RDS
    VpcId: !Ref VpcId
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        SourceSecurityGroupId: !Ref AppSecurityGroup

See security-secrets.md for VPC security groups, encryption, Secrets Manager integration, and IAM authentication.

Step 4 — Launch RDS Instance

Configure instance with subnet group, security group, and settings.

DBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    DBInstanceIdentifier: !Sub "${AWS::StackName}-mysql"
    DBInstanceClass: !Ref DBInstanceClass
    Engine: !Ref Engine
    MasterUsername: !Ref MasterUsername
    MasterUserPassword: !Ref MasterUserPassword
    AllocatedStorage: 20
    StorageType: gp3
    DBSubnetGroupName: !Ref DBSubnetGroup
    VPCSecurityGroups: [!Ref DBSecurityGroup]
    StorageEncrypted: true
    MultiAZ: true
    BackupRetentionPeriod: 7
    DeletionProtection: false

See database-components.md for MySQL, PostgreSQL, Aurora cluster configurations, and parameter groups.

Step 5 — Enable High Availability

Configure multi-AZ deployment for production.

Conditions:
  IsProduction: !Equals [!Ref Environment, production]

Resources:
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      MultiAZ: !If [IsProduction, true, false]
      BackupRetentionPeriod: !If [IsProduction, 35, 7]
      DeletionProtection: !If [IsProduction, true, false]
      EnablePerformanceInsights: !If [IsProduction, true, false]

See high-availability.md for multi-AZ deployments, read replicas, Aurora auto-scaling, enhanced monitoring, and disaster recovery.

Step 6 — Define Outputs

Export connection details for application stacks.

Outputs:
  DBInstanceEndpoint:
    Description: Database endpoint address
    Value: !GetAtt DBInstance.Endpoint.Address
    Export:
      Name: !Sub ${AWS::StackName}-DBEndpoint

  DBInstancePort:
    Description: Database port
    Value: !GetAtt DBInstance.Endpoint.Port
    Export:
      Name: !Sub ${AWS::StackName}-DBPort

  DBConnectionString:
    Description: Connection string
    Value: !Sub jdbc:mysql://${DBInstance.Endpoint.Address}:${DBInstance.Endpoint.Port}/${DBName}

See template-structure.md for cross-stack reference patterns and import/export strategies.

Validation Steps

Always validate before deploying, especially to production.

# Validate the template syntax
aws cloudformation validate-template --template-body file://template.yaml

# Review the change set before applying updates
aws cloudformation create-change-set \
  --stack-name my-rds-stack \
  --template-body file://template.yaml \
  --change-set-type UPDATE

aws cloudformation describe-change-set --change-set-name <arn>

# Execute the change set if the preview looks correct
aws cloudformation execute-change-set --change-set-name <arn>

Best Practices

StorageEncrypted: true

IAMDatabaseAuthentication

MultiAZ: true

DeletionProtection: true

gp3

See operational-practices.md for detailed guidance on stack policies, termination protection, and backup strategies.

Examples

Complete production-ready RDS instance with MultiAZ, encryption, and Secrets Manager integration:

AWSTemplateFormatVersion: '2010-09-09'
Description: Production RDS Instance

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Identifier
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Identifier>
  AppSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  Environment:
    Type: String
    AllowedValues: [dev, staging, production]
  MasterUsername:
    Type: String
    Default: dbadmin

Conditions:
  IsProduction: !Equals [!Ref Environment, production]

Resources:
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: !Sub "${AWS::StackName} subnet group"
      SubnetIds: !Ref SubnetIds

  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName} RDS security group"
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref AppSecurityGroupId

  DBInstance:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    UpdateReplacePolicy: Snapshot
    Properties:
      DBInstanceIdentifier: !Sub "${AWS::StackName}-mysql"
      DBInstanceClass: db.t3.medium
      Engine: mysql
      EngineVersion: '8.0'
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      AllocatedStorage: 50
      StorageType: gp3
      StorageEncrypted: true
      KmsKeyId: !Ref KmsKeyId
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups: [!Ref DBSecurityGroup]
      MultiAZ: !If [IsProduction, true, false]
      BackupRetentionPeriod: !If [IsProduction, 35, 7]
      DeletionProtection: !If [IsProduction, true, false]
      EnablePerformanceInsights: !If [IsProduction, true, false]
      PerformanceInsightsRetentionPeriod: !If [IsProduction, 731, 7]

  KmsKeyId:
    Type: AWS::KMS::Key
    Condition: IsProduction
    Properties:
      Description: KMS key for RDS encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'

Outputs:
  DBEndpoint:
    Description: Database endpoint
    Value: !GetAtt DBInstance.Endpoint.Address
    Export:
      Name: !Sub ${AWS::StackName}-DBEndpoint
  DBPort:
    Description: Database port
    Value: !GetAtt DBInstance.Endpoint.Port
    Export:
      Name: !Sub ${AWS::StackName}-DBPort

See examples.md for additional examples including Aurora clusters, read replicas, and multi-region setups.

References

Core Configuration

• template-structure.md — Template sections, parameters, mappings, conditions, outputs, cross-stack references
• database-components.md — DB instances, clusters, parameter groups, subnet groups, Aurora configurations
• security-secrets.md — Security groups, encryption, Secrets Manager, IAM authentication
• high-availability.md — Multi-AZ, read replicas, Aurora auto-scaling, disaster recovery

Operational Guides

• operational-practices.md — Stack policies, termination protection, drift detection, change sets, monitoring
• constraints.md — Resource limits, operational constraints, security constraints, cost considerations

Additional Resources

• examples.md — Complete production-ready examples
• reference.md — CloudFormation RDS resource reference

Constraints and Warnings

Resource Limits

• Maximum storage size varies by engine (up to 64 TB for MySQL/PostgreSQL)
• Maximum 500 resources per CloudFormation stack
• Parameter group limits vary by account/region

Cost Considerations

• Multi-AZ deployments cost approximately double single-AZ
• Provisioned IOPS (io1) significantly increases costs
• Backup storage beyond free tier incurs monthly costs
• Manual snapshots incur storage costs even after instance deletion

Security Constraints

• Master password cannot be retrieved after creation
• Encryption at rest cannot be disabled once enabled
• RDS instances must be in VPC (public access not recommended)
• Security group rules must restrict access to application tier

Operational Constraints

• Certain modifications (engine version, storage type) require instance replacement with downtime
• Maintenance windows may cause brief service interruptions
• Read replicas may lag behind primary by seconds to minutes
• Not all database engines available in all regions

See constraints.md for complete constraints, troubleshooting guides, and performance considerations.