aws.rds¶
Resource manager for RDS DB instances.
Filters¶
db-parameter¶
Applies value type filter on set db parameter values. :example:
policies:
- name: rds-pg
resource: rds
filters:
- type: db-parameter
key: someparam
op: eq
value: someval
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- db-parameter
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
required:
- type
default-vpc¶
Matches if an rds database is in the default vpc
- example
policies:
- name: default-vpc-rds
resource: rds
filters:
- type: default-vpc
properties:
type:
enum:
- default-vpc
required:
- type
kms-alias¶
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- kms-alias
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
required:
- type
upgrade-available¶
Scan DB instances for available engine upgrades
This will pull DB instances & check their specific engine for any engine version with higher release numbers than the current one
This will also annotate the rds instance with ‘target_engine’ which is the most recent version of the engine available
- example
policies:
- name: rds-upgrade-available
resource: rds
filters:
- type: upgrade-available
major: False
properties:
major:
type: boolean
type:
enum:
- upgrade-available
value:
type: boolean
required:
- type
Actions¶
auto-patch¶
Toggle AutoMinorUpgrade flag on RDS instance
‘window’ parameter needs to be in the format ‘ddd:hh:mm-ddd:hh:mm’ and have at least 30 minutes between start & end time. If ‘window’ is not specified, AWS will assign a random maintenance window to each instance selected.
- example
policies:
- name: enable-rds-autopatch
resource: rds
filters:
- AutoMinorVersionUpgrade: false
actions:
- type: auto-patch
minor: true
window: Mon:23:00-Tue:01:00
properties:
minor:
type: boolean
type:
enum:
- auto-patch
window:
type: string
required:
- type
delete¶
Deletes selected RDS instances
This will delete RDS instances. It is recommended to apply with a filter to avoid deleting all RDS instances in the account.
- example
policies:
- name: rds-delete
resource: rds
filters:
- default-vpc
actions:
- type: delete
skip-snapshot: true
properties:
copy-restore-info:
type: boolean
skip-snapshot:
type: boolean
type:
enum:
- delete
required:
- type
modify-db¶
Modifies an RDS instance based on specified parameter using ModifyDbInstance.
‘Update’ is an array with with key value pairs that should be set to the property and value you wish to modify. ‘Immediate” determines whether the modification is applied immediately or not. If ‘immediate’ is not specified, default is false.
- example
policies:
- name: disable-rds-deletion-protection
resource: rds
filters:
- DeletionProtection: true
- PubliclyAccessible: true
actions:
- type: modify-db
update:
- property: 'DeletionProtection'
value: false
- property: 'PubliclyAccessible'
value: false
immediate: true
properties:
immediate:
type: boolean
type:
enum:
- modify-db
update:
items:
properties:
property:
enum:
- AllocatedStorage
- DBInstanceClass
- DBSubnetGroupName
- DBSecurityGroups
- VpcSecurityGroupIds
- MasterUserPassword
- DBParameterGroupName
- BackupRetentionPeriod
- PreferredBackupWindow
- PreferredMaintenanceWindow
- MultiAZ
- EngineVersion
- AllowMajorVersionUpgrade
- AutoMinorVersionUpgrade
- LicenseModel
- Iops
- OptionGroupName
- NewDBInstanceIdentifier
- StorageType
- TdeCredentialArn
- TdeCredentialPassword
- CACertificateIdentifier
- Domain
- CopyTagsToSnapshot
- MonitoringInterval
- DBPortNumber
- PubliclyAccessible
- DomainIAMRoleName
- PromotionTier
- EnableIAMDatabaseAuthentication
- EnablePerformanceInsights
- PerformanceInsightsKMSKeyId
- PerformanceInsightsRetentionPeriod
- CloudwatchLogsExportConfiguration
- UseDefaultProcessorFeatures
- DeletionProtection
type: string
value: {}
type: object
type: array
required:
- update
resize¶
Change the allocated storage of an rds instance.
- example
This will find databases using over 85% of their allocated storage, and resize them to have an additional 30% storage the resize here is async during the next maintenance.
policies:
- name: rds-resize-up
resource: rds
filters:
- type: metrics
name: FreeStorageSpace
percent-attr: AllocatedStorage
attr-multiplier: 1073741824
value: 90
op: greater-than
actions:
- type: resize
percent: 30
This will find databases using under 20% of their allocated storage, and resize them to be 30% smaller, the resize here is configured to be immediate.
policies:
- name: rds-resize-down
resource: rds
filters:
- type: metrics
name: FreeStorageSpace
percent-attr: AllocatedStorage
attr-multiplier: 1073741824
value: 90
op: greater-than
actions:
- type: resize
percent: -30
immediate: true
properties:
immediate:
type: boolean
percent:
type: number
type:
enum:
- resize
required:
- type
retention¶
Sets the ‘BackupRetentionPeriod’ value for automated snapshots, enforce (min, max, exact) sets retention days occordingly. :example:
policies:
- name: rds-snapshot-retention
resource: rds
filters:
- type: value
key: BackupRetentionPeriod
value: 7
op: lt
actions:
- type: retention
days: 7
copy-tags: true
enforce: exact
properties:
copy-tags:
type: boolean
days:
type: number
enforce:
enum:
- min
- max
- exact
type: string
type:
enum:
- retention
required:
- type
set-public-access¶
This action allows for toggling an RDS instance ‘PubliclyAccessible’ flag to true or false
- example
policies:
- name: disable-rds-public-accessibility
resource: rds
filters:
- PubliclyAccessible: true
actions:
- type: set-public-access
state: false
properties:
state:
type: boolean
type:
enum:
- set-public-access
required:
- type
set-snapshot-copy-tags¶
Enables copying tags from rds instance to snapshot
DEPRECATED - use modify-db instead with CopyTagsToSnapshot
- example
policies: - name: enable-rds-snapshot-tags resource: rds filters: - type: value key: Engine value: aurora op: eq actions: - type: set-snapshot-copy-tags enable: True
properties:
enable:
type: boolean
type:
enum:
- set-snapshot-copy-tags
required:
- type
snapshot¶
Creates a manual snapshot of a RDS instance
- example
policies:
- name: rds-snapshot
resource: rds
actions:
- snapshot
properties:
type:
enum:
- snapshot
required:
- type
stop¶
Stop an rds instance.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_StopInstance.html
properties:
type:
enum:
- stop
required:
- type
upgrade¶
Upgrades a RDS instance to the latest major/minor version available
Use of the ‘immediate’ flag (default False) will automatically upgrade the RDS engine disregarding the existing maintenance window.
- example
policies:
- name: upgrade-rds-minor
resource: rds
actions:
- type: upgrade
major: False
immediate: False
properties:
immediate:
type: boolean
major:
type: boolean
type:
enum:
- upgrade
required:
- type