Tyler B. Joudrey

Reputation: 491

Unable to create an aurora RDS DB cluster due to disparate security groups

I have been attempting to set up a CloudFormation script to create a VPC hosting Fargate containers and an Aurora DB. When attempting to deploy my Aurora script I receive the following.

The DB instance and EC2 security group are in different VPCs. The DB instance is in vpc-f0ec9d98 and the EC2 security group is in vpc-01c5e9bcdb87dc39c (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterCombination; Request ID: 7aa14530-d73c-4b27-a6d6-fcc8aea61d93)

I do not understand why this is the case, as I am using the same security group created by my VPC script. My Aurora script is as follows:

Aurora

Description: Set up a serverless PostgreSQL cluster with a bastion host (using Aurora)

Parameters:
  DatabaseName:
    Type: String
  EngineVersion:
    Type: String
    Default: "11.4"          # quoted so YAML does not parse the version as a float
  MasterUsername:
    Type: String
    Default: root
  MasterUserPassword:
    Type: String
    Default: root            # NoEcho only hides the value in the console; override this weak default at deploy time
    NoEcho: true
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id   # security group created by the VPC stack
  BastionImageId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-ebs
  BastionKeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: EC2 key used to connect to the bastion host
  DeletionProtection:
    Type: String
    Default: false
    AllowedValues:
      - true
      - false

Resources:
  Cluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-postgresql
      EngineVersion: !Ref EngineVersion
      DatabaseName: !Ref DatabaseName
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      DBClusterIdentifier: !Ref AWS::StackName
      BackupRetentionPeriod: 35
      DeletionProtection: !Ref DeletionProtection
      # No DBSubnetGroupName is set; the only VPC-bound property is the security group below
      VpcSecurityGroupIds:
        - !Ref VpcSecurityGroupId
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub Bastion for ${AWS::StackName}
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          FromPort: -1
          ToPort: -1
          IpProtocol: -1
        # Aurora PostgreSQL listens on 5432; 3306 is the MySQL / Aurora MySQL port
        - DestinationSecurityGroupId: !Ref VpcSecurityGroupId
          IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
      # No inbound rules: SSH to the public address needs a port-22 rule scoped to your own CIDR
      SecurityGroupIngress: []
      VpcId: !Ref VpcId
  Bastion:
    Type: AWS::EC2::Instance
    Properties:
      DisableApiTermination: true
      ImageId: !Ref BastionImageId
      InstanceType: t2.nano
      KeyName: !Ref BastionKeyName
      Monitoring: false
      SecurityGroupIds:
        - !Ref VpcSecurityGroupId
        - !Ref BastionSecurityGroup
      # cloud-init only executes user data that begins with a shebang line
      UserData:
        Fn::Base64: |
          #!/bin/bash
          yum install --assumeyes postgresql

Outputs:
  Host:
    Value: !GetAtt Cluster.Endpoint.Address
    Export:
      Name: !Sub ${AWS::StackName}Host
  Name:
    Value: !Ref DatabaseName
    Export:
      Name: !Sub ${AWS::StackName}Name
  BastionHost:
    Value: !GetAtt Bastion.PublicDnsName
    Export:
      Name: !Sub ${AWS::StackName}BastionHost
  BastionIp:
    Value: !GetAtt Bastion.PublicIp
    Export:
      Name: !Sub ${AWS::StackName}BastionIp
  BastionSecurityGroupId:
    Value: !GetAtt BastionSecurityGroup.GroupId
    Export:
      Name: !Sub ${AWS::StackName}BastionSecurityGroupId

Upvotes: 1

Views: 665

Answers (1)

Patrick

Reputation: 773

Without the inclusion of the DBSubnetGroupName property in the AWS::RDS::DBCluster resource, it looks like CloudFormation is attempting to launch the cluster in the default VPC. A DB subnet group allows you to specify a particular VPC when you create DB instances.

Try adding this property and referencing an associated subnet parameter/resource and the issue should be resolved.

Information about creating RDS instances within a VPC can be found in the RDS User Guide.

Upvotes: 3
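The fix the answer describes, written out as an added example (this is not code from the question or the answer). It assumes the VPC stack can hand over two or more private subnet IDs and the bastion's security group ID as parameters; the parameter names, the instance class and the output names are illustrative. The point it shows is that an AWS::RDS::DBSubnetGroup built from subnets in VpcId, referenced from both the cluster and its instance, is what pins the cluster to that VPC, and that creating the database security group in the same template with the same VpcId removes any chance of the two disagreeing:

```yaml
# Added example, not from the question or the answer. Assumes the VPC stack
# exports private subnet IDs and the bastion security group ID; other names
# are illustrative.
AWSTemplateFormatVersion: "2010-09-09"
Description: Aurora PostgreSQL cluster pinned to the caller's VPC through a DB subnet group

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: At least two private subnets in different AZs, all inside VpcId
  BastionSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group of the host that may reach the database
  MasterUsername:
    Type: String
    Default: postgres
  MasterUserPassword:
    Type: String
    NoEcho: true
    MinLength: 16            # no default: supply it at deploy time

Resources:
  # The subnet group is what selects the VPC for an RDS cluster. Every subnet
  # in it must belong to VpcId, otherwise CloudFormation rejects the group.
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: !Sub Private subnets for ${AWS::StackName}
      SubnetIds: !Ref PrivateSubnetIds

  # Created in the same VpcId as the subnet group, so the security group and
  # the subnets cannot end up in different VPCs. Only the bastion may connect.
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub Aurora access for ${AWS::StackName}
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          SourceSecurityGroupId: !Ref BastionSecurityGroupId

  Cluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-postgresql
      EngineVersion: "11.4"
      DBClusterIdentifier: !Ref AWS::StackName
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      DBSubnetGroupName: !Ref DBSubnetGroup   # the property missing in the question
      VpcSecurityGroupIds:
        - !Ref DBSecurityGroup
      StorageEncrypted: true
      BackupRetentionPeriod: 35
      DeletionProtection: true

  # A provisioned Aurora cluster needs at least one instance; it must use the
  # same subnet group as the cluster and should never be publicly reachable.
  Writer:
    Type: AWS::RDS::DBInstance
    Properties:
      DBClusterIdentifier: !Ref Cluster
      Engine: aurora-postgresql
      DBInstanceClass: db.r5.large
      DBSubnetGroupName: !Ref DBSubnetGroup
      PubliclyAccessible: false

Outputs:
  Host:
    Value: !GetAtt Cluster.Endpoint.Address
    Export:
      Name: !Sub ${AWS::StackName}Host
```

Before deploying, it is worth confirming that the subnets and the security group you are about to pass in really share a VPC, since that mismatch is exactly what the InvalidParameterCombination error reports: `aws ec2 describe-subnets --subnet-ids <ids> --query 'Subnets[].VpcId'` and `aws ec2 describe-security-groups --group-ids <id> --query 'SecurityGroups[].VpcId'` should return the same VPC ID. If the cluster is meant to use Aurora Serverless rather than a provisioned instance, the Writer resource is replaced by EngineMode: serverless on the cluster, with an engine version that supports that mode; the subnet group requirement is the same either way.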
