Reputation: 14831
I am deploying my Laravel application to AWS using CloudFormation. I am creating an Elastic Beanstalk resource and an RDS database resource, but my template fails to create the RDS database resource when I try to deploy it.
This is my template.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
  KeyName:
    Default: 'PatheinDirectory'
    Type: String
  InstanceType:
    Default: 't2.micro'
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
  DBInstanceIdentifier:
    Type: String
  DBName:
    Type: String
  DBUsername:
    Type: String
  DBClass:
    Type: String
    Default: 'db.t2.micro'
  DBAllocatedStorage:
    Type: String
    Default: '5'
  DBPassword:
    Type: String
Mappings:
  Region2Principal:
    us-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-south-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-east-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ca-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    sa-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    cn-north-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    cn-northwest-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    eu-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-north-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp:
            Ref: SSHLocation
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '3306'
          ToPort: '3306'
          SourceSecurityGroupId: !Ref WebServerSecurityGroup
  WebDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: MySQL
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      VPCSecurityGroups:
        - !Ref DBSecurityGroup
```
This is the error I got in the log.
```json
{
    "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/566c9fa0-e55d-11ea-a9aa-06d4f42323aa",
    "EventId": "630d0ba0-e55d-11ea-ad8b-06dbc2ac1616",
    "StackName": "patheindirectory",
    "LogicalResourceId": "patheindirectory",
    "PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/566c9fa0-e55d-11ea-a9aa-06d4f42323aa",
    "ResourceType": "AWS::CloudFormation::Stack",
    "Timestamp": "2020-08-23T16:26:24.461000+00:00",
    "ResourceStatus": "ROLLBACK_IN_PROGRESS",
    "ResourceStatusReason": "The following resource(s) failed to create: [DBSecurityGroup]. . Rollback requested by user."
},
{
    "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/566c9fa0-e55d-11ea-a9aa-06d4f42323aa",
    "EventId": "DBSecurityGroup-CREATE_FAILED-2020-08-23T16:26:23.732Z",
    "StackName": "patheindirectory",
    "LogicalResourceId": "DBSecurityGroup",
    "PhysicalResourceId": "patheindirectory-DBSecurityGroup-1CEIY8676LHK2",
    "ResourceType": "AWS::EC2::SecurityGroup",
    "Timestamp": "2020-08-23T16:26:23.732000+00:00",
    "ResourceStatus": "CREATE_FAILED",
    "ResourceStatusReason": "Invalid id: \"patheindirectory-WebServerSecurityGroup-188BHLOGKHGJ\" (expecting \"sg-...\") (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroupId.Malformed; Request ID: c2bd97d8-b31b-4024-8bc2-6eb34cdf873e)",
    "ResourceProperties": "{\"GroupDescription\":\"Database security group\",\"SecurityGroupIngress\":[{\"FromPort\":\"3306\",\"ToPort\":\"3306\",\"IpProtocol\":\"tcp\",\"SourceSecurityGroupId\":\"patheindirectory-WebServerSecurityGroup-188BHLOGKHGJ\"}]}"
},
```
How can I fix it?
I also tried changing to !GetAtt DBSecurityGroup.GroupId for VPCSecurityGroups of WebDatabase. I got the following error this time.
```json
{
    "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/6c67eb50-e5e6-11ea-add8-0236eb75a142",
    "EventId": "79c7afb0-e5e6-11ea-af24-06a6741d3858",
    "StackName": "patheindirectory",
    "LogicalResourceId": "patheindirectory",
    "PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/6c67eb50-e5e6-11ea-add8-0236eb75a142",
    "ResourceType": "AWS::CloudFormation::Stack",
    "Timestamp": "2020-08-24T08:47:43.645000+00:00",
    "ResourceStatus": "ROLLBACK_IN_PROGRESS",
    "ResourceStatusReason": "The following resource(s) failed to create: [DBSecurityGroup]. . Rollback requested by user."
},
{
    "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/6c67eb50-e5e6-11ea-add8-0236eb75a142",
    "EventId": "DBSecurityGroup-CREATE_FAILED-2020-08-24T08:47:42.895Z",
    "StackName": "patheindirectory",
    "LogicalResourceId": "DBSecurityGroup",
    "PhysicalResourceId": "patheindirectory-DBSecurityGroup-182TKIWG65TDC",
    "ResourceType": "AWS::EC2::SecurityGroup",
    "Timestamp": "2020-08-24T08:47:42.895000+00:00",
    "ResourceStatus": "CREATE_FAILED",
    "ResourceStatusReason": "Invalid id: \"patheindirectory-WebServerSecurityGroup-JHXG6FOXICS3\" (expecting \"sg-...\") (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroupId.Malformed; Request ID: 1384f7a7-ee62-4b93-a291-28a460e9d1da)",
    "ResourceProperties": "{\"GroupDescription\":\"Database security group\",\"SecurityGroupIngress\":[{\"FromPort\":\"3306\",\"ToPort\":\"3306\",\"IpProtocol\":\"tcp\",\"SourceSecurityGroupId\":\"patheindirectory-WebServerSecurityGroup-JHXG6FOXICS3\"}]}"
},
```
Upvotes: 1
Views: 90
Reputation: 35258
You're referencing the logical id of the security groups (which is its name). The parameters for both SourceSecurityGroupId and VPCSecurityGroups are expecting security group IDs instead. To do this you would need to use the GroupId attribute of the security groups instead, as shown in the updated template below.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
  KeyName:
    Default: 'PatheinDirectory'
    Type: String
  InstanceType:
    Default: 't2.micro'
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
  DBInstanceIdentifier:
    Type: String
  DBName:
    Type: String
  DBUsername:
    Type: String
  DBClass:
    Type: String
    Default: 'db.t2.micro'
  DBAllocatedStorage:
    Type: String
    Default: '5'
  DBPassword:
    Type: String
Mappings:
  Region2Principal:
    us-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-south-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-east-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ca-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    sa-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    cn-north-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    cn-northwest-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    eu-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-north-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp:
            Ref: SSHLocation
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '3306'
          ToPort: '3306'
          SourceSecurityGroupId: !GetAtt WebServerSecurityGroup.GroupId
  WebDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: MySQL
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      VPCSecurityGroups:
        - !GetAtt DBSecurityGroup.GroupId
```
Also as a suggestion for your templates, for certain parameters (such as the key name) you can use AWS Specific Parameter Types. Additionally, for secure information such as passwords, use the NoEcho attribute in the parameter.
Upvotes: 1
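A small pre-deploy check, added here as an example and not code from the question or the answer, for the two things the answer raises: a `Ref` to a security group used where a group ID is expected (rewritten to `Fn::GetAtt ... GroupId`, as in the corrected template), and password parameters missing `NoEcho`. It works on the JSON form of a CloudFormation template (the YAML `!Ref X` and `!GetAtt A.B` tags are `{"Ref": "X"}` and `{"Fn::GetAtt": ["A", "B"]}` in JSON), embeds a constructed, trimmed copy of the question's resources, and the function names are my own.

```python
import json

# Constructed, trimmed JSON form of the question's template (CloudFormation accepts JSON
# as well as YAML; `!Ref X` is {"Ref": "X"} and `!GetAtt A.B` is {"Fn::GetAtt": ["A", "B"]}).
TEMPLATE_JSON = r'''{
  "Parameters": {"DBUsername": {"Type": "String"}, "DBPassword": {"Type": "String"}},
  "Resources": {
    "WebServerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "Security Group for EC2 instances"}},
    "DBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "Database security group",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306",
          "SourceSecurityGroupId": {"Ref": "WebServerSecurityGroup"}}]}},
    "WebDatabase": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "MySQL", "MasterUserPassword": {"Ref": "DBPassword"},
        "VPCSecurityGroups": [{"Ref": "DBSecurityGroup"}]}}}}'''

# Properties that want a group ID ("sg-..."). Ref on an AWS::EC2::SecurityGroup created without
# a VpcId (default VPC) returns the group *name*, which is exactly what the question's error shows.
SG_ID_PROPS = {"SourceSecurityGroupId", "VPCSecurityGroups"}

def load_template(text):
    return json.loads(text)

def lint_and_fix(template):
    """Return (fixed_copy, findings): findings lists (resource, property, group) for every Ref to a
    security group under an ID-expecting property; the copy has each rewritten to Fn::GetAtt GroupId."""
    sg_names = {n for n, r in template.get("Resources", {}).items()
                if r.get("Type") == "AWS::EC2::SecurityGroup"}
    findings = []

    def rewrite(node, res, prop):
        if isinstance(node, dict):
            if set(node) == {"Ref"} and node["Ref"] in sg_names and prop in SG_ID_PROPS:
                findings.append((res, prop, node["Ref"]))
                return {"Fn::GetAtt": [node["Ref"], "GroupId"]}
            return {k: rewrite(v, res, k) for k, v in node.items()}  # key = enclosing property
        if isinstance(node, list):
            return [rewrite(v, res, prop) for v in node]  # list items inherit the property name
        return node

    fixed = json.loads(json.dumps(template))  # deep copy; the input is left untouched
    for res, body in fixed.get("Resources", {}).items():
        body["Properties"] = rewrite(body.get("Properties", {}), res, None)
    return fixed, findings

def find_unmasked_secrets(template):
    """Parameters that look like secrets but lack NoEcho: true, so their values are echoed back."""
    return sorted(n for n, p in template.get("Parameters", {}).items()
                  if "password" in n.lower() and str(p.get("NoEcho", False)).lower() != "true")
```

Running it on the embedded copy reports both misused references and the un-masked DBPassword parameter; running it again on the fixed copy reports nothing.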