French Jamie

Reputation: 243

AWS CFN "The parameter groupName cannot be used with the parameter subnet"

This is driving me mad and no matter what I try I always get the following error when creating the stack:

*The parameter groupName cannot be used with the parameter subnet*

I have triple-checked that the security groups and subnets are in the same VPC. Any advice would be amazing, thanks.

 {
    "AWSTemplateFormatVersion" : "2010-09-09",

  "Description" : "Microsoft SQL 2012 R2 Test Application Stack",

  "Parameters" : {
    "pInstanceName" : {
        "Description" : "Instance name (up to 15 characters)",
        "Type" : "String",
        "MinLength" : "1",
        "MaxLength" : "15",
        "AllowedPattern" : "[a-zA-Z0-9]+",
        "Default" : "aws2xxxxxxxxxxx"
    },
    "pInstanceType" : {
        "Description" : "EC2 instance type",
        "Type" : "String",
        "AllowedValues" : [ "t1.micro", "t2.micro", "t2.small", "t2.medium", "m1.small", "m1.medium", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge", "m4.10xlarge", "c1.medium", "c1.xlarge", "c3.large", "c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge", "c4.large", "c4.xlarge", "c4.2xlarge", "c4.4xlarge", "c4.8xlarge", "g2.2xlarge", "r3.large", "r3.xlarge", "r3.2xlarge", "r3.4xlarge", "r3.8xlarge", "i2.xlarge", "i2.2xlarge", "i2.4xlarge", "i2.8xlarge", "d2.xlarge", "d2.2xlarge", "d2.4xlarge", "d2.8xlarge", "hi1.4xlarge", "hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", "cg1.4xlarge"],
        "ConstraintDescription" : "must be a valid EC2 instance type",
        "Default" : "t2.small"
    },
    "pAmi" : {
        "Description" : "AMI required to provision instance",
        "Type" : "String",
        "Default" : "ami-55084526"
    },
    "pVolumeSize" : {
        "Description" : "Root volume size",
        "Type" : "String",
        "Default" : "60"
    },
    "pKeyPairName" : {
        "Description" : "Name of key pair to use",
        "Type" : "String",
        "Default" : "win_keys"
    },
    "pAz" : {
        "Description" : "Availability Zone of instance",
        "Type" : "String",
        "AllowedValues" : [
            "eu-west-1b",
            "eu-west-1c"
        ],
        "Default" : "eu-west-1b"
    },
    "pVpcId" : {
        "Description" : "VPC-ID",
        "Type" : "AWS::EC2::VPC::Id",
        "Default" : "vpc-7xxxx513"
    },
    "pVpcName" : {
        "Description" : "VPC of instance",
        "Type" : "String",
        "MinLength" : "3",
        "MaxLength" : "4",
        "AllowedPattern" : "^(aws)\\d",
        "Default" : "aws"
    },
    "pEnvironment" : {
        "Description" : "Environment",
        "Type" : "String",
        "Default" : "preProduction",
        "AllowedValues" : [
            "development",
            "test",
            "preProduction",
            "production"
        ],
        "ConstraintDescription" : "specify environment stack"
    },
    "pSystem" : {
        "Description" : "Application or System instance is part of",
        "Type" : "String",
        "Default" : "n/a"
    },
    "pDefaultSg" : {
        "Description" : "Default VPC Security Groups",
        "Type" : "List<AWS::EC2::SecurityGroup::Id>",
        "Default" : "sg-24xxxx41,sg-2xxxx342,sg-235bxxxx" 
    },
    "pServerRole" : {
        "Description" : "Role of the instance",
        "Type" : "String",
        "Default" : "n/a"
    },
    "pOwnerContact" : {
        "Description" : "Owner email address responsible for instance",
        "Type" : "String",
        "AllowedPattern" : "([a-zA-Z0-9]|-|\\.)+@([a-zA-Z0-9]|-|\\.)+",
        "ConstraintDescription" : "Owner email address: [email protected]",
        "Default" : "[email protected]"
    },
    "pDepartment" : {
        "Description" : "Department responsible for instance ",
        "Type" : "String",
        "Default" : "n/a"
    },
    "pProjectCode" : {
        "Description" : "Project or Cost Centre code",
        "Type" : "String",
        "MinLength" : "1",
        "MaxLength" : "30",
        "Default" : "n/a"
    },
    "pVersion" : {
        "Description" : "Version of resource",
        "Type" : "String",
        "Default" : "n/a"
    },
    "pCreationDate" : {
        "Description" : "Creation date of instance",
        "Type" : "String",
        "AllowedPattern" : "^\\d{4}(-\\d{2}){2}",
        "Default" : "2016-10-25"
    }
  },    
  "Resources" : {
    "sgTestPre" : {
        "Type" : "AWS::EC2::SecurityGroup",
            "Properties" : {
                "GroupDescription" : "Security Group for Test environments",
                "VpcId" : { "Ref" : "pVpcId" },
                "SecurityGroupIngress" : [ {
                    "IpProtocol" : "tcp",
                    "FromPort" : "3389",
                    "ToPort" : "3389",
                    "CidrIp" : "192.168.0.0/16"
                } ]
            }
    },
    "ec2Instance" : {
        "Type" : "AWS::EC2::Instance",
        "Properties" : {
            "ImageId" : { "Ref" : "pAmi" },
            "InstanceType" : { "Ref" : "pInstanceType" },
            "KeyName" : { "Ref" : "pKeyPairName" },
            "SecurityGroupIds" : [
                {"Fn::Join":
                    [",",
                        {"Ref": "pDefaultSg"}
                    ]
                },
                { "Fn::GetAtt": ["sgTestPre", "GroupId"] }
            ],
            "SubnetId" : "subnet-3xxxx948",
            "BlockDeviceMappings" : [ {
                "DeviceName" : "/dev/sda1",
                "Ebs" : { "VolumeSize" : {"Ref": "pVolumeSize"} }
            } ],
            "Tags" : [
                {
                    "Key" : "Name",
                    "Value" : { "Ref" : "pInstanceName" }
                },
                {
                    "Key" : "Environment",
                    "Value" : { "Ref" : "pEnvironment" }
                },
                {
                    "Key" : "System",
                    "Value" : { "Ref" : "pSystem" }
                },
                {
                    "Key" : "ServerRole",
                    "Value" : { "Ref" : "pServerRole" }
                },
                {
                    "Key" : "OwnerContact",
                    "Value" : { "Ref" : "pOwnerContact" }
                },
                {
                    "Key" : "Department",
                    "Value" : { "Ref" : "pDepartment" }
                },
                {
                    "Key" : "ProjectCode",
                    "Value" : { "Ref" : "pProjectCode" }
                },
                {
                    "Key" : "VpcName",
                    "Value" : { "Ref" : "pVpcName" }
                },
                {
                    "Key" : "Version",
                    "Value" : { "Ref" : "pVersion" }
                },
                {
                    "Key" : "CreationDate",
                    "Value" : { "Ref" : "pCreationDate" }
                }
            ]
        }
    }
  },
  "Outputs" : {
  }
}


Answers (5)

Akshay Patel

Reputation: 97

For non-default VPCs, pass a list of security group IDs instead of group names. We hit this issue when it suddenly broke some of our test environments, and this minor change turned out to be a quick fix.


Kiruthika kanagarajan

Reputation: 954

In my case I had used the property "SecurityGroups" instead of "SecurityGroupIds",

so I got the error: The parameter groupName cannot be used with the parameter subnet

So check which property is used on the resource in your CFT.


Ben

Reputation: 57277

Although I had a different cause, this same error was given. Google brought me here, so I'll add an answer just in case.

Unlike your code snippet, I was using SecurityGroups during EC2 instance creation.

Per this answer and the docs:

SecurityGroups

[EC2-Classic, default VPC] The names of the security groups. For a nondefault VPC, you must use security group IDs instead.

So, use SecurityGroupIds instead. You can get that ID, as the other solutions state, with:

{ "Fn::GetAtt" : ["MySecurityGroupResourceName", "GroupId"] }

So, my final create block looks like:

"MyEc2Instance": {
  "Type": "AWS::EC2::Instance",
  "Properties": {
      "AvailabilityZone": "us-east-1a",
      "ImageId": "ami-04bf6dcdc9ab498ca",
      "InstanceType": "t2.micro",
      "KeyName": { "Ref": "MyKeyName" },
      "SecurityGroupIds": [{ "Fn::GetAtt" : ["MySecurityGroup", "GroupId"] }],
      "SourceDestCheck": false,
      "SubnetId": { "Ref": "MySubnet" }
    }
},


user6118264


Make sure you are referencing the actual security group IDs and not the names; use the intrinsic function Fn::GetAtt to retrieve each ID:

{ "Fn::GetAtt" : ["MySecurityGroupResourceName", "GroupId"] }

If you use Ref on a security group in your default VPC, you get the name, not the ID. From the docs:

"...When you specify an AWS::EC2::SecurityGroup type as an argument to the Ref function, AWS CloudFormation returns the security group name or the security group ID (for EC2-VPC security groups that are not in a default VPC)...."


Venu

Reputation: 388

Below are the modifications required in the CFT to make it work.

Use CommaDelimitedList in the Parameters section rather than a List type for the SGs.

"pDefaultSg" : {
    "Description" : "Default VPC Security Groups",
    "Type": "CommaDelimitedList",
    "Default" : "sg-xxxxx,sg-xxxxx,sg-xxxx" 
},

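In the EC2 instance definition, use the section below to attach the SGs. Each entry of SecurityGroupIds must be a single security group ID, so the IDs are selected one by one; the Fn::Join in the question collapses the whole list into one comma-separated string, which is not a valid ID. Note that the fixed indexes 0 to 2 assume the parameter always holds at least three IDs.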

"SecurityGroupIds" : [{ "Fn::Select" : [ "0", {"Ref" : "pDefaultSg"} ] },{ "Fn::Select" : [ "1", {"Ref" : "pDefaultSg"} ] },{ "Fn::Select" : [ "2", {"Ref" : "pDefaultSg"} ] },{ "Fn::GetAtt": ["sgTestPre", "GroupId"] }],

Hope this helps you.

