The SqlServerRDSFixedUidPwd.yaml CloudFormation template provisions the complete AWS infrastructure required to run the Legacy Cycle Store database tier. It creates a SQL Server Express RDS instance, the associated security group, an IAM role for S3-backed native backups, an RDS option group enabling the backup/restore feature, and a Secrets Manager secret that stores the database credentials. Deploying this single template gives you a repeatable, version-controlled database environment that can be torn down and recreated in minutes.
Parameters
SqlServerInstanceName
The identifier used for the RDS DB instance. It must start with a letter and contain only alphanumeric characters; the minimum length is 1 character and the maximum is 63. The pattern enforced by CloudFormation is [a-zA-Z][a-zA-Z0-9]*. This value appears in the RDS console, in the generated endpoint hostname, and in CloudWatch log group names, so choose a name that clearly identifies the environment (e.g., SqlRdsDBDev, SqlRdsDBProd).
Resources
CycleStoreCreds
Type: AWS::SecretsManager::Secret
Stores the RDS master credentials as a JSON secret so that application code and automation scripts can retrieve them without embedding plaintext passwords in configuration files or source control.
| Property | Value |
|---|---|
| Name | CycleStoreCredentials |
| SecretString username | DBUser |
| SecretString password | DBU$er2020 |
The password DBU$er2020 is a static default included for sample purposes only. You must rotate this credential and update the secret value before deploying to any environment accessible from the internet. Use the AWS Secrets Manager console or the aws secretsmanager put-secret-value CLI command to set a strong, unique password after stack creation.
RdsS3FullAccessRole
Type: AWS::IAM::Role
Creates an IAM role that the RDS service assumes in order to read from and write to S3 during native SQL Server backup and restore operations. This role is referenced by the OptionGroup resource via its ARN.
| Property | Value |
|---|---|
| RoleName | RDS-Sqlex--S3-FullAccess |
| Trusted Principal | rds.amazonaws.com |
| Managed Policy | AmazonS3FullAccess (s3:* on *) |
The AmazonS3FullAccess policy grants read and write access to every S3 bucket in your account. This is intentionally broad for a sample application. For a production deployment, replace this with a custom policy that restricts access to a single backup bucket and limits actions to s3:GetObject, s3:PutObject, s3:ListBucket, and s3:DeleteObject.
SQLServerSecurityGroup
Type: AWS::EC2::SecurityGroup
Defines the VPC security group attached to the RDS instance. It contains a single inbound rule allowing TCP traffic on port 1433, the default SQL Server port.
| Property | Value |
|---|---|
| Protocol | TCP |
| Port | 1433 |
| Source CIDR | 0.0.0.0/0 |
Opening TCP 1433 to 0.0.0.0/0 exposes your SQL Server instance to the entire internet. This setting is included only to simplify first-run connectivity in a development environment. Before deploying to production, restrict the inbound source to your specific IP address (x.x.x.x/32) or to the CIDR block of your VPC so that only known hosts can reach the database port.
OptionGroup
Type: AWS::RDS::OptionGroup
Configures a SQL Server-specific option group that enables the SQLSERVER_BACKUP_RESTORE feature. This feature allows SQL Server to natively back up and restore .bak files directly to and from an S3 bucket, which is the primary mechanism for migrating existing databases onto the RDS instance.
| Property | Value |
|---|---|
| EngineName | sqlserver-ex |
| MajorEngineVersion | 14.00 |
| Option Name | SQLSERVER_BACKUP_RESTORE |
| IAM_ROLE_ARN | ARN of RdsS3FullAccessRole |
The IAM_ROLE_ARN setting links the option group to the IAM role created above, granting RDS the permissions it needs to communicate with S3 on behalf of native backup/restore commands.
SQLDatabase
Type: AWS::RDS::DBInstance
The core RDS resource — a single-AZ SQL Server Express 2017 instance sized for development and light testing workloads.
| Property | Value |
|---|---|
| DBInstanceIdentifier | Value of SqlServerInstanceName parameter |
| Engine | sqlserver-ex |
| EngineVersion | 14.00.3281.6.v1 |
| DBInstanceClass | db.t2.micro |
| AllocatedStorage | 20 GB |
| MultiAZ | false |
| PubliclyAccessible | true |
| BackupRetentionPeriod | 1 day |
| OptionGroupName | Ref to OptionGroup |
| VPCSecurityGroups | Ref to SQLServerSecurityGroup |
| DependsOn | SQLServerSecurityGroup |
The db.t2.micro instance class qualifies for the AWS Free Tier. SQL Server Express edition is limited to 1 vCPU, 1 GB RAM, and a maximum database size of 10 GB. BackupRetentionPeriod: 1 retains one day of automated snapshots, which is the minimum non-zero value. Increase this value for any environment where data durability matters.
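The sample-only settings called out above (the static password in CycleStoreCreds, AmazonS3FullAccess on RdsS3FullAccessRole, the 0.0.0.0/0 ingress rule, and PubliclyAccessible with a one-day backup window) can be caught before deployment with a small lint pass over the template. The following script is an added example, not code from the template or the repository; it works on a constructed dict excerpt of the four resources, and the exact property shapes (a literal SecretString, ManagedPolicyArns, SecurityGroupIngress) are assumed rather than copied from the YAML.

```python
# Constructed excerpt of the four resources (only the properties the checks read).
TEMPLATE = {"Resources": {
    "CycleStoreCreds": {"Type": "AWS::SecretsManager::Secret", "Properties": {
        "Name": "CycleStoreCredentials",
        "SecretString": '{"username": "DBUser", "password": "DBU$er2020"}'}},
    "RdsS3FullAccessRole": {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": "RDS-Sqlex--S3-FullAccess",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]}},
    "SQLServerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 1433,
                                  "ToPort": 1433, "CidrIp": "0.0.0.0/0"}]}},
    "SQLDatabase": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "sqlserver-ex", "PubliclyAccessible": True,
        "BackupRetentionPeriod": 1}},
}}


def audit(template):
    """Return (logical_id, finding, remediation) tuples for the sample-only
    settings this page says must change before a production deployment."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::SecretsManager::Secret":
            # A literal SecretString puts the password into source control.
            if isinstance(props.get("SecretString"), str):
                findings.append((logical_id, "plaintext SecretString in template",
                                 "use GenerateSecretString or rotate after creation"))
        elif rtype == "AWS::IAM::Role":
            for arn in props.get("ManagedPolicyArns", []):
                if isinstance(arn, str) and arn.endswith("/AmazonS3FullAccess"):
                    findings.append((logical_id, "AmazonS3FullAccess (s3:* on *)",
                                     "scope to one backup bucket and Get/Put/List/DeleteObject"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append((logical_id, f"port {rule.get('FromPort')} open to the internet",
                                     "restrict the source to a /32 or the VPC CIDR"))
        elif rtype == "AWS::RDS::DBInstance":
            if props.get("PubliclyAccessible") in (True, "true"):
                findings.append((logical_id, "PubliclyAccessible is true",
                                 "set false and connect from inside the VPC"))
            if int(props.get("BackupRetentionPeriod", 0)) <= 1:
                findings.append((logical_id, "BackupRetentionPeriod is 1 day or less",
                                 "raise it wherever data durability matters"))
    return findings


if __name__ == "__main__":
    for logical_id, finding, fix in audit(TEMPLATE):
        print(f"{logical_id}: {finding} -> {fix}")
```

Running it against the excerpt reports five findings, one per caveat in this page; a hardened template (private instance, scoped policy, narrow CIDR, longer retention) yields none.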
Outputs
| Output | Description |
|---|---|
| SQLDatabaseEndpoint | The RDS endpoint address and port in the form hostname.region.rds.amazonaws.com:1433. Use this value as the data source in the CYCLE_STOREEntities connection string in Web.config. |
Deployment Commands
Deploy the stack using the AWS CLI. Replace the parameter values with your target AWS account details.
```bash
aws cloudformation create-stack \
  --stack-name cycle-store-rds \
  --template-body file://SqlServerRDSFixedUidPwd.yaml \
  --parameters ParameterKey=SqlServerInstanceName,ParameterValue=SqlRdsDB \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1
```
The --capabilities CAPABILITY_NAMED_IAM flag is required because the template creates an IAM role with an explicit RoleName. CloudFormation refuses to create named IAM resources without this acknowledgement.
To monitor stack creation progress:
```bash
aws cloudformation describe-stacks \
  --stack-name cycle-store-rds \
  --query "Stacks[0].StackStatus" \
  --region us-east-1
```
Once the stack reaches CREATE_COMPLETE, retrieve the database endpoint from the stack outputs:
```bash
aws cloudformation describe-stacks \
  --stack-name cycle-store-rds \
  --query "Stacks[0].Outputs[?OutputKey=='SQLDatabaseEndpoint'].OutputValue" \
  --output text \
  --region us-east-1
```
Copy the returned hostname into the data source field of the CYCLE_STOREEntities connection string in Web.config.