DEV Community

Cover image for AWS SSM Association - Schedule Stop and Start RDS (Power of AWS SSM - EP 1)
AWS Community Builders profile image Hari Karthigasu
Hari Karthigasu for AWS Community Builders

Posted on

AWS SSM Association - Schedule Stop and Start RDS (Power of AWS SSM - EP 1)

#aws

CONTEXT

AWS RDS is an essential and high-cost service. Improving its cost efficiency will help control an AWS account's overall expenses. For non-production environments, it is advisable to shut down RDS databases outside of working hours to reduce the unnecessary costs they incur.

Usually, we utilize an event bridge scheduler to start and stop an RDS service via a Lambda function. This post shows the step-by-step Terraform code that elaborates on implementing this solution using AWS Systems Manager (SSM) Association.

SOLUTION

data "aws_iam_policy_document" "iam_ssm_policy_stop_aurora_cluster" {
  count = var.environment == "prod" ? 0 : 1

  statement {
    sid    = "StopAuroraCluster"
    effect = "Allow"
    actions = [
      "rds:StopDBCluster",
      "rds:StartDBCluster"
    ]
    resources = ["arn:aws:rds:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster:${var.rds_cluster_name}]
  }

  statement {
    sid    = "DescribeAuroraClusters"
    effect = "Allow"
    actions = [
      "rds:DescribeDBClusters"
    ]
    resources = ["*"]
  }
}
Enter fullscreen mode Exit fullscreen mode 
module "iam_ssm_policy_stop_aurora_cluster" {
  count   = var.environment == "prod" ? 0 : 1
  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"

  name        = "rds-start-stop-aurora-cluster-policy"
  path        = "/"
  description = "IAM Policy to allow SSM to start and stop cluster."

  policy = data.aws_iam_policy_document.iam_ssm_policy_stop_aurora_cluster[0].json
}
Enter fullscreen mode Exit fullscreen mode 
module "iam_assumable_role_stop_aurora_cluster" {
  count   = var.environment == "prod" ? 0 : 1
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"

  create_role             = true
  create_instance_profile = false

  role_name              = "start-stop-aurora-cluster-role"
  role_requires_mfa      = false
  allow_self_assume_role = false

  trusted_role_services = [
    "ssm.amazonaws.com"
  ]

  custom_role_policy_arns = concat(
    [
      module.iam_ssm_policy_stop_aurora_cluster[0].arn,
    ]
  )
}
Enter fullscreen mode Exit fullscreen mode 
resource "aws_ssm_association" "ssm_stop_aurora_cluster_association" {
  count = var.environment == "prod" ? 0 : 1

  name                = "AWS-StartStopAuroraCluster"
  association_name    = "stop-aurora-cluster"
  schedule_expression = "cron(0 18 * * ? *)"

  parameters = {
    ClusterName          = "${var.rds_cluster_name}"
    AutomationAssumeRole = module.iam_assumable_role_stop_aurora_cluster[0].iam_role_arn
    Action               = "Stop"
  }
}
Enter fullscreen mode Exit fullscreen mode 
resource "aws_ssm_association" "ssm_start_aurora_cluster_association" {
  count = var.environment == "prod" ? 0 : 1

  name                = "AWS-StartStopAuroraCluster"
  association_name    = "start-aurora-cluster"
  schedule_expression = "cron(0 8 * * ? *)"

  parameters = {
    ClusterName          = "${var.rds_cluster_name}"
    AutomationAssumeRole = module.iam_assumable_role_stop_aurora_cluster[0].iam_role_arn
    Action               = "Start"
  }
}
Enter fullscreen mode Exit fullscreen mode

Top comments (0)

Some comments may only be visible to logged-in visitors. Sign in to view all comments.