aws.rds

Resource manager for RDS DB instances.

Filters

db-parameter

Applies a value-type filter on set DB parameter values.

example

policies:
  - name: rds-pg
    resource: rds
    filters:
      - type: db-parameter
        key: someparam
        op: eq
        value: someval
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - db-parameter
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

default-vpc

Matches if an RDS database is in the default VPC.

example

policies:
  - name: default-vpc-rds
    resource: rds
    filters:
      - type: default-vpc
properties:
  type:
    enum:
    - default-vpc
required:
- type

kms-alias

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - kms-alias
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

upgrade-available

Scan DB instances for available engine upgrades

This will pull DB instances and check their specific engine for any engine version with a higher release number than the current one.

This will also annotate the RDS instance with ‘target_engine’, which is the most recent version of the engine available.

example

policies:
  - name: rds-upgrade-available
    resource: rds
    filters:
      - type: upgrade-available
        major: False
properties:
  major:
    type: boolean
  type:
    enum:
    - upgrade-available
  value:
    type: boolean
required:
- type
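The version selection the filter description above implies, as an added example (not Cloud Custodian's own code): pick the highest upgrade target for an instance, restricting to minor upgrades when `major` is false, and annotate matched instances with ‘target_engine’. The upgrade-target table is constructed here in the shape of the ValidUpgradeTarget entries that DescribeDBEngineVersions returns; the `major` handling is an assumption about the filter's semantics, not taken from its source.

```python
import re

# Constructed sample: engine -> current version -> possible upgrade targets,
# reduced to the two fields this example needs.
SAMPLE_UPGRADE_TARGETS = {
    "postgres": {
        "12.7": [
            {"EngineVersion": "12.9", "IsMajorVersionUpgrade": False},
            {"EngineVersion": "12.11", "IsMajorVersionUpgrade": False},
            {"EngineVersion": "13.7", "IsMajorVersionUpgrade": True},
            {"EngineVersion": "14.3", "IsMajorVersionUpgrade": True},
        ],
    },
}


def version_key(version):
    """Comparable tuple of the numeric components of an engine version string.
    Plain string comparison would rank '12.9' above '12.11'; this does not."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def target_engine(engine, current, targets, major=False):
    """Highest version the instance can move to, or None if none is newer.

    With major=False only targets flagged as minor upgrades are considered
    (assumed to match the filter's `major: False` setting)."""
    candidates = [
        t["EngineVersion"]
        for t in targets.get(engine, {}).get(current, [])
        if (major or not t["IsMajorVersionUpgrade"])
        and version_key(t["EngineVersion"]) > version_key(current)
    ]
    return max(candidates, key=version_key) if candidates else None


def upgrade_available(instances, targets, major=False):
    """Keep instances that have a newer version available and annotate each
    kept record with 'target_engine', as the filter description states."""
    matched = []
    for inst in instances:
        target = target_engine(inst["Engine"], inst["EngineVersion"], targets, major)
        if target:
            matched.append(dict(inst, target_engine=target))
    return matched


if __name__ == "__main__":
    # Constructed instance records with the fields the filter needs.
    instances = [
        {"DBInstanceIdentifier": "db-a", "Engine": "postgres", "EngineVersion": "12.7"},
        {"DBInstanceIdentifier": "db-b", "Engine": "postgres", "EngineVersion": "12.11"},
    ]
    for inst in upgrade_available(instances, SAMPLE_UPGRADE_TARGETS):
        print(inst["DBInstanceIdentifier"], "->", inst["target_engine"])
```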

Actions

auto-patch

Toggle AutoMinorUpgrade flag on RDS instance

‘window’ parameter needs to be in the format ‘ddd:hh:mm-ddd:hh:mm’ and have at least 30 minutes between start & end time. If ‘window’ is not specified, AWS will assign a random maintenance window to each instance selected.

example

policies:
  - name: enable-rds-autopatch
    resource: rds
    filters:
      - AutoMinorVersionUpgrade: false
    actions:
      - type: auto-patch
        minor: true
        window: Mon:23:00-Tue:01:00
properties:
  minor:
    type: boolean
  type:
    enum:
    - auto-patch
  window:
    type: string
required:
- type
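A check for the ‘window’ format described above, as an added example (not Cloud Custodian's own validation): it parses a ‘ddd:hh:mm-ddd:hh:mm’ string, treats a window that crosses the end of the week as wrapping around, and rejects windows shorter than 30 minutes, so a bad value can be caught before the policy is deployed. The day abbreviations and the 30-minute minimum are taken from the page; the wrap-around handling is an assumption.

```python
import re

# Day abbreviations accepted in a maintenance window, mapped to a weekday index.
_DAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
_WINDOW_RE = re.compile(
    r"^(?P<d1>[a-z]{3}):(?P<h1>\d{2}):(?P<m1>\d{2})-"
    r"(?P<d2>[a-z]{3}):(?P<h2>\d{2}):(?P<m2>\d{2})$"
)
MINUTES_PER_WEEK = 7 * 24 * 60


def window_minutes(window):
    """Length in minutes of a 'ddd:hh:mm-ddd:hh:mm' window.

    Raises ValueError for a malformed window. An end that falls earlier in
    the week than the start (e.g. Sun:23:30-Mon:00:30) is assumed to wrap
    around the week boundary."""
    m = _WINDOW_RE.match(window.lower())
    if not m:
        raise ValueError("window must look like ddd:hh:mm-ddd:hh:mm: %r" % window)
    g = m.groupdict()
    for day in (g["d1"], g["d2"]):
        if day not in _DAYS:
            raise ValueError("unknown day abbreviation %r" % day)
    h1, m1, h2, m2 = (int(g[k]) for k in ("h1", "m1", "h2", "m2"))
    for hour, minute in ((h1, m1), (h2, m2)):
        if not (0 <= hour < 24 and 0 <= minute < 60):
            raise ValueError("hour or minute out of range in %r" % window)
    start = _DAYS[g["d1"]] * 1440 + h1 * 60 + m1
    end = _DAYS[g["d2"]] * 1440 + h2 * 60 + m2
    return (end - start) % MINUTES_PER_WEEK


def valid_auto_patch_window(window, minimum=30):
    """True if the window is well formed and at least `minimum` minutes long."""
    try:
        return window_minutes(window) >= minimum
    except ValueError:
        return False


if __name__ == "__main__":
    # The window from the policy above, plus a few constructed bad values.
    for w in ("Mon:23:00-Tue:01:00", "Mon:23:00-Mon:23:15", "Monday:23:00-Tue:01:00"):
        print(w, valid_auto_patch_window(w))
```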

delete

Deletes selected RDS instances

This will delete RDS instances. It is recommended to apply with a filter to avoid deleting all RDS instances in the account.

example

policies:
  - name: rds-delete
    resource: rds
    filters:
      - default-vpc
    actions:
      - type: delete
        skip-snapshot: true
properties:
  copy-restore-info:
    type: boolean
  skip-snapshot:
    type: boolean
  type:
    enum:
    - delete
required:
- type

modify-db

Modifies an RDS instance based on specified parameter using ModifyDbInstance.

‘update’ is an array of key/value pairs, each giving the property and the value you wish to modify. ‘immediate’ determines whether the modification is applied immediately or not. If ‘immediate’ is not specified, the default is false.

example

policies:
  - name: disable-rds-deletion-protection
    resource: rds
    filters:
      - DeletionProtection: true
      - PubliclyAccessible: true
    actions:
      - type: modify-db
        update:
          - property: 'DeletionProtection'
            value: false
          - property: 'PubliclyAccessible'
            value: false
        immediate: true
properties:
  immediate:
    type: boolean
  type:
    enum:
    - modify-db
  update:
    items:
      properties:
        property:
          enum:
          - AllocatedStorage
          - DBInstanceClass
          - DBSubnetGroupName
          - DBSecurityGroups
          - VpcSecurityGroupIds
          - MasterUserPassword
          - DBParameterGroupName
          - BackupRetentionPeriod
          - PreferredBackupWindow
          - PreferredMaintenanceWindow
          - MultiAZ
          - EngineVersion
          - AllowMajorVersionUpgrade
          - AutoMinorVersionUpgrade
          - LicenseModel
          - Iops
          - OptionGroupName
          - NewDBInstanceIdentifier
          - StorageType
          - TdeCredentialArn
          - TdeCredentialPassword
          - CACertificateIdentifier
          - Domain
          - CopyTagsToSnapshot
          - MonitoringInterval
          - DBPortNumber
          - PubliclyAccessible
          - DomainIAMRoleName
          - PromotionTier
          - EnableIAMDatabaseAuthentication
          - EnablePerformanceInsights
          - PerformanceInsightsKMSKeyId
          - PerformanceInsightsRetentionPeriod
          - CloudwatchLogsExportConfiguration
          - UseDefaultProcessorFeatures
          - DeletionProtection
          type: string
        value: {}
      type: object
    type: array
required:
- update

resize

Change the allocated storage of an rds instance.

example

This will find databases using over 85% of their allocated storage and resize them to have an additional 30% storage. The resize here is asynchronous and is applied during the next maintenance window.

policies:
  - name: rds-resize-up
    resource: rds
    filters:
      - type: metrics
        name: FreeStorageSpace
        percent-attr: AllocatedStorage
        attr-multiplier: 1073741824
        value: 90
        op: greater-than
    actions:
      - type: resize
        percent: 30

This will find databases using under 20% of their allocated storage and resize them to be 30% smaller. The resize here is configured to be immediate.

policies:
  - name: rds-resize-down
    resource: rds
    filters:
      - type: metrics
        name: FreeStorageSpace
        percent-attr: AllocatedStorage
        attr-multiplier: 1073741824
        value: 90
        op: greater-than
    actions:
      - type: resize
        percent: -30
        immediate: true
properties:
  immediate:
    type: boolean
  percent:
    type: number
  type:
    enum:
    - resize
required:
- type

retention

Sets the ‘BackupRetentionPeriod’ value for automated snapshots; enforce (min, max, exact) sets the retention days accordingly.

example

policies:
  - name: rds-snapshot-retention
    resource: rds
    filters:
      - type: value
        key: BackupRetentionPeriod
        value: 7
        op: lt
    actions:
      - type: retention
        days: 7
        copy-tags: true
        enforce: exact
properties:
  copy-tags:
    type: boolean
  days:
    type: number
  enforce:
    enum:
    - min
    - max
    - exact
    type: string
  type:
    enum:
    - retention
required:
- type

set-public-access

This action allows for toggling an RDS instance ‘PubliclyAccessible’ flag to true or false

example

policies:
  - name: disable-rds-public-accessibility
    resource: rds
    filters:
      - PubliclyAccessible: true
    actions:
      - type: set-public-access
        state: false
properties:
  state:
    type: boolean
  type:
    enum:
    - set-public-access
required:
- type

set-snapshot-copy-tags

Enables copying tags from rds instance to snapshot

DEPRECATED - use modify-db instead with CopyTagsToSnapshot

example

policies:
  - name: enable-rds-snapshot-tags
    resource: rds
    filters:
      - type: value
        key: Engine
        value: aurora
        op: eq
    actions:
      - type: set-snapshot-copy-tags
        enable: True
properties:
  enable:
    type: boolean
  type:
    enum:
    - set-snapshot-copy-tags
required:
- type

snapshot

Creates a manual snapshot of an RDS instance.

example

policies:
  - name: rds-snapshot
    resource: rds
    actions:
      - snapshot
properties:
  type:
    enum:
    - snapshot
required:
- type

start

Start an rds instance.

properties:
  type:
    enum:
    - start
required:
- type

stop

Stop an rds instance.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_StopInstance.html

properties:
  type:
    enum:
    - stop
required:
- type

upgrade

Upgrades an RDS instance to the latest major/minor version available.

Setting the ‘immediate’ flag (default False) applies the engine upgrade right away, disregarding the existing maintenance window.

example

policies:
  - name: upgrade-rds-minor
    resource: rds
    actions:
      - type: upgrade
        major: False
        immediate: False
properties:
  immediate:
    type: boolean
  major:
    type: boolean
  type:
    enum:
    - upgrade
required:
- type