Elastic Beanstalk: Migrate DB Security Group to VPC Security Group

Question

When trying to deploy my application, I recently got the following error:

ERROR: Service:AmazonCloudFormation, Message:Stack named
'awseb-e-123-stack' aborted operation. Current state: 'UPDATE_ROLLBACK_IN_PROGRESS'
Reason: The following resource(s) failed to update: [AWSEBRDSDatabase]. 
ERROR: Updating RDS database named: abcdefg12345 failed
Reason: DB Security Groups can no longer be associated
with this DB Instance.  Use VPC Security Groups instead.
ERROR: Failed to deploy application.                                

How do you switch over a DB Security Group to a VPC Security Group? Steps for using the Elastic Beanstalk Console would be greatly appreciated.

Answer 1

For anyone arriving via Google, here's how you do it via CloudFormation: The official docs contains an example, at the very bottom https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html#Overview.RDSSecurityGroups.DeleteDBVPCGroups

SecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
  VpcId: <vpc_id>
  GroupDescription: Explain your SG
  SecurityGroupIngress:
    - Description: Ingress description
      CidrIp: 10.214.0.0/16
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
RDSDb:
Type: 'AWS::RDS::DBInstance'
Properties:
  VPCSecurityGroups:
    - Fn::GetAtt:
        - SecurityGroup
        - GroupId

Answer 2

Had the same issue but was able to fix it by doing the following

1. Created a RDS db instance from the RDS console
2. Created a snapshot of the instance
3. From Elastic Beanstalk console under configuration/database, create the RDS db using the instance
4. Once the new RDS db instance was created by EBS, inn configuration/software add db environment properties

I hope it helps you resolve this issue.