Wai Yan Hein
Wai Yan Hein

Reputation: 14831

AWS CloudFomation: fail to create RDS resource alongside with ElasticBeanstalk

I am deploying my Laravel application to the AWS using CloudFormation. I am creating a ElasticBeanstalk resource and a RDS database resource. But my template is failing to create the RDS database resource when I tried to deploy it.

This is my template.

AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
  KeyName:
    Default: 'PatheinDirectory'
    Type: String
  InstanceType:
    Default: 't2.micro'
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
  DBInstanceIdentifier:
    Type: String
  DBName:
    Type: String
  DBUsername:
    Type: String
  DBClass:
    Type: String
    Default: 'db.t2.micro'
  DBAllocatedStorage:
    Type: String
    Default: '5'
  DBPassword:
    Type: String

Mappings:
  Region2Principal:
    us-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-south-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-east-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ca-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    sa-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    cn-north-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    cn-northwest-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    eu-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-north-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com

Resources:
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp:
            Ref: SSHLocation

  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '3306'
          ToPort: '3306'
          SourceSecurityGroupId: !Ref WebServerSecurityGroup

  WebDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: MySQL
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      VPCSecurityGroups:
        - !Ref DBSecurityGroup

This is the error I got in the log.

 {
            "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/566c9fa0-e55d-11ea-a9aa-06d4f42323aa",
            "EventId": "630d0ba0-e55d-11ea-ad8b-06dbc2ac1616",
            "StackName": "patheindirectory",
            "LogicalResourceId": "patheindirectory",
            "PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/566c9fa0-e55d-11ea-a9aa-06d4f42323aa",
            "ResourceType": "AWS::CloudFormation::Stack",
            "Timestamp": "2020-08-23T16:26:24.461000+00:00",
            "ResourceStatus": "ROLLBACK_IN_PROGRESS",
            "ResourceStatusReason": "The following resource(s) failed to create: [DBSecurityGroup]. . Rollback requested by user."
        },
        {
            "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/566c9fa0-e55d-11ea-a9aa-06d4f42323aa",
            "EventId": "DBSecurityGroup-CREATE_FAILED-2020-08-23T16:26:23.732Z",
            "StackName": "patheindirectory",
            "LogicalResourceId": "DBSecurityGroup",
            "PhysicalResourceId": "patheindirectory-DBSecurityGroup-1CEIY8676LHK2",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "Timestamp": "2020-08-23T16:26:23.732000+00:00",
            "ResourceStatus": "CREATE_FAILED",
            "ResourceStatusReason": "Invalid id: \"patheindirectory-WebServerSecurityGroup-188BHLOGKHGJ\" (expecting \"sg-...\") (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroupId.Malformed; Request ID: c2bd97d8-b31b-
4024-8bc2-6eb34cdf873e)",
            "ResourceProperties": "{\"GroupDescription\":\"Database security group\",\"SecurityGroupIngress\":[{\"FromPort\":\"3306\",\"ToPort\":\"3306\",\"IpProtocol\":\"tcp\",\"SourceSecurityGroupId\":\"patheindirectory-WebServerS
ecurityGroup-188BHLOGKHGJ\"}]}"
        },

How can I fix it?

I also tried changing to !GetAtt DBSecurityGroup.GroupId for VPCSecurityGroups of WebDatabase. I got the following error this time.

{
            "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/6c67eb50-e5e6-11ea-add8-0236eb75a142",
            "EventId": "79c7afb0-e5e6-11ea-af24-06a6741d3858",
            "StackName": "patheindirectory",
            "LogicalResourceId": "patheindirectory",
            "PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/6c67eb50-e5e6-11ea-add8-0236eb75a142",
            "ResourceType": "AWS::CloudFormation::Stack",
            "Timestamp": "2020-08-24T08:47:43.645000+00:00",
            "ResourceStatus": "ROLLBACK_IN_PROGRESS",
            "ResourceStatusReason": "The following resource(s) failed to create: [DBSecurityGroup]. . Rollback requested by user."
        },
        {
            "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/6c67eb50-e5e6-11ea-add8-0236eb75a142",
            "EventId": "DBSecurityGroup-CREATE_FAILED-2020-08-24T08:47:42.895Z",
            "StackName": "patheindirectory",
            "LogicalResourceId": "DBSecurityGroup",
            "PhysicalResourceId": "patheindirectory-DBSecurityGroup-182TKIWG65TDC",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "Timestamp": "2020-08-24T08:47:42.895000+00:00",
            "ResourceStatus": "CREATE_FAILED",
            "ResourceStatusReason": "Invalid id: \"patheindirectory-WebServerSecurityGroup-JHXG6FOXICS3\" (expecting \"sg-...\") (Service: AmazonEC2; Status Code:
400; Error Code: InvalidGroupId.Malformed; Request ID: 1384f7a7-ee62-4b93-a291-28a460e9d1da)",
            "ResourceProperties": "{\"GroupDescription\":\"Database security group\",\"SecurityGroupIngress\":[{\"FromPort\":\"3306\",\"ToPort\":\"3306\",\"IpProto
col\":\"tcp\",\"SourceSecurityGroupId\":\"patheindirectory-WebServerSecurityGroup-JHXG6FOXICS3\"}]}"
        },

Upvotes: 1

Views: 90

Answers (1)

Chris Williams
Chris Williams

Reputation: 35258

You're referencing the logical id of the security groups (which is its name).

The parameters for both SourceSecurityGroupId and VPCSecurityGroups are expecting security group IDs instead.

To do this you would need to use the GroupId attribute of the security groups instead as shown in the below updated template.

AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
  KeyName:
    Default: 'PatheinDirectory'
    Type: String
  InstanceType:
    Default: 't2.micro'
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
  DBInstanceIdentifier:
    Type: String
  DBName:
    Type: String
  DBUsername:
    Type: String
  DBClass:
    Type: String
    Default: 'db.t2.micro'
  DBAllocatedStorage:
    Type: String
    Default: '5'
  DBPassword:
    Type: String

Mappings:
  Region2Principal:
    us-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-south-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-east-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ca-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    sa-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    cn-north-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    cn-northwest-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    eu-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-north-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com

Resources:
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp:
            Ref: SSHLocation

  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '3306'
          ToPort: '3306'
          SourceSecurityGroupId: !GetAtt WebServerSecurityGroup.GroupId

  WebDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: MySQL
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      VPCSecurityGroups:
        - !GetAtt DBSecurityGroup.GroupId

Also as a suggestion for your templates, for certain parameters (such as the key name) you can use AWS Specific Parameter Types. Additionally for secure information such as passwords use the NoEcho attribute in the parameter.

Upvotes: 1

Related Questions