Wai Yan Hein
Reputation: 14831
AWS CloudFomation: fail to create RDS resource alongside with ElasticBeanstalk
I am deploying my Laravel application to the AWS using CloudFormation. I am creating a ElasticBeanstalk resource and a RDS database resource. But my template is failing to create the RDS database resource when I tried to deploy it.
This is my template.
AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
KeyName:
Default: 'PatheinDirectory'
Type: String
InstanceType:
Default: 't2.micro'
Type: String
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
DBInstanceIdentifier:
Type: String
DBName:
Type: String
DBUsername:
Type: String
DBClass:
Type: String
Default: 'db.t2.micro'
DBAllocatedStorage:
Type: String
Default: '5'
DBPassword:
Type: String
Mappings:
Region2Principal:
us-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-south-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-east-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ca-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
sa-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
cn-north-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
cn-northwest-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
eu-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-north-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for EC2 instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
DBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Database security group
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '3306'
ToPort: '3306'
SourceSecurityGroupId: !Ref WebServerSecurityGroup
WebDatabase:
Type: AWS::RDS::DBInstance
Properties:
DBInstanceIdentifier: !Ref DBInstanceIdentifier
DBName: !Ref DBName
DBInstanceClass: !Ref DBClass
AllocatedStorage: !Ref DBAllocatedStorage
Engine: MySQL
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
VPCSecurityGroups:
- !Ref DBSecurityGroup
This is the error I got in the log.
{
"StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/566c9fa0-e55d-11ea-a9aa-06d4f42323aa",
"EventId": "630d0ba0-e55d-11ea-ad8b-06dbc2ac1616",
"StackName": "patheindirectory",
"LogicalResourceId": "patheindirectory",
"PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/566c9fa0-e55d-11ea-a9aa-06d4f42323aa",
"ResourceType": "AWS::CloudFormation::Stack",
"Timestamp": "2020-08-23T16:26:24.461000+00:00",
"ResourceStatus": "ROLLBACK_IN_PROGRESS",
"ResourceStatusReason": "The following resource(s) failed to create: [DBSecurityGroup]. . Rollback requested by user."
},
{
"StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/566c9fa0-e55d-11ea-a9aa-06d4f42323aa",
"EventId": "DBSecurityGroup-CREATE_FAILED-2020-08-23T16:26:23.732Z",
"StackName": "patheindirectory",
"LogicalResourceId": "DBSecurityGroup",
"PhysicalResourceId": "patheindirectory-DBSecurityGroup-1CEIY8676LHK2",
"ResourceType": "AWS::EC2::SecurityGroup",
"Timestamp": "2020-08-23T16:26:23.732000+00:00",
"ResourceStatus": "CREATE_FAILED",
"ResourceStatusReason": "Invalid id: \"patheindirectory-WebServerSecurityGroup-188BHLOGKHGJ\" (expecting \"sg-...\") (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroupId.Malformed; Request ID: c2bd97d8-b31b-
4024-8bc2-6eb34cdf873e)",
"ResourceProperties": "{\"GroupDescription\":\"Database security group\",\"SecurityGroupIngress\":[{\"FromPort\":\"3306\",\"ToPort\":\"3306\",\"IpProtocol\":\"tcp\",\"SourceSecurityGroupId\":\"patheindirectory-WebServerS
ecurityGroup-188BHLOGKHGJ\"}]}"
},
How can I fix it?
I also tried changing to !GetAtt DBSecurityGroup.GroupId for VPCSecurityGroups of WebDatabase. I got the following error this time.
{
"StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/6c67eb50-e5e6-11ea-add8-0236eb75a142",
"EventId": "79c7afb0-e5e6-11ea-af24-06a6741d3858",
"StackName": "patheindirectory",
"LogicalResourceId": "patheindirectory",
"PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/6c67eb50-e5e6-11ea-add8-0236eb75a142",
"ResourceType": "AWS::CloudFormation::Stack",
"Timestamp": "2020-08-24T08:47:43.645000+00:00",
"ResourceStatus": "ROLLBACK_IN_PROGRESS",
"ResourceStatusReason": "The following resource(s) failed to create: [DBSecurityGroup]. . Rollback requested by user."
},
{
"StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/6c67eb50-e5e6-11ea-add8-0236eb75a142",
"EventId": "DBSecurityGroup-CREATE_FAILED-2020-08-24T08:47:42.895Z",
"StackName": "patheindirectory",
"LogicalResourceId": "DBSecurityGroup",
"PhysicalResourceId": "patheindirectory-DBSecurityGroup-182TKIWG65TDC",
"ResourceType": "AWS::EC2::SecurityGroup",
"Timestamp": "2020-08-24T08:47:42.895000+00:00",
"ResourceStatus": "CREATE_FAILED",
"ResourceStatusReason": "Invalid id: \"patheindirectory-WebServerSecurityGroup-JHXG6FOXICS3\" (expecting \"sg-...\") (Service: AmazonEC2; Status Code:
400; Error Code: InvalidGroupId.Malformed; Request ID: 1384f7a7-ee62-4b93-a291-28a460e9d1da)",
"ResourceProperties": "{\"GroupDescription\":\"Database security group\",\"SecurityGroupIngress\":[{\"FromPort\":\"3306\",\"ToPort\":\"3306\",\"IpProto
col\":\"tcp\",\"SourceSecurityGroupId\":\"patheindirectory-WebServerSecurityGroup-JHXG6FOXICS3\"}]}"
},
Upvotes: 1
Views: 90
Answers (1)
Chris Williams
Reputation: 35258
You're referencing the logical id of the security groups (which is its name).
The parameters for both SourceSecurityGroupId and VPCSecurityGroups are expecting security group IDs instead.
To do this you would need to use the GroupId attribute of the security groups instead as shown in the below updated template.
AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
KeyName:
Default: 'PatheinDirectory'
Type: String
InstanceType:
Default: 't2.micro'
Type: String
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
DBInstanceIdentifier:
Type: String
DBName:
Type: String
DBUsername:
Type: String
DBClass:
Type: String
Default: 'db.t2.micro'
DBAllocatedStorage:
Type: String
Default: '5'
DBPassword:
Type: String
Mappings:
Region2Principal:
us-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-south-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-east-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ca-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
sa-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
cn-north-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
cn-northwest-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
eu-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-north-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for EC2 instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
DBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Database security group
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '3306'
ToPort: '3306'
SourceSecurityGroupId: !GetAtt WebServerSecurityGroup.GroupId
WebDatabase:
Type: AWS::RDS::DBInstance
Properties:
DBInstanceIdentifier: !Ref DBInstanceIdentifier
DBName: !Ref DBName
DBInstanceClass: !Ref DBClass
AllocatedStorage: !Ref DBAllocatedStorage
Engine: MySQL
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
VPCSecurityGroups:
- !GetAtt DBSecurityGroup.GroupId
Also as a suggestion for your templates, for certain parameters (such as the key name) you can use AWS Specific Parameter Types. Additionally for secure information such as passwords use the NoEcho attribute in the parameter.
Upvotes: 1
Related Questions
- AWS CloudFormation RDS Instance fails to create - cannot find DBCluster
- RDS does not support creating a DB instance with the following combination
- AWS::RDS::DBInstance is not being created from cloudformation
- How to create AWS Elasticbeanstalk application with integrated RDS using CloudFormation?
- AWS CloudFormation: unable to create RDS database because database security group cannot reference the web server's security group
- AWS CloudFormation: unable to create RDS resource with VPC assigned
- AWS - Cloud formation RDS resource creation error - DBInstance did not stabilize
- AWS CloudFormation: Unable to find existing SG to assign to RDS instance
- Cannot create ECS Service via CloudFormation
- Issue with creating a Postgres RDS in Cloudformation Template