Melissa Jenner

Reputation: 851

InvalidParameterCombination: The DB instance and EC2 security group are in different VPCs

I have two VPCs. One is the blue VPC (vpc_id = vpc-0067ff2ab41cc8a3e), the other is the shared VPC (vpc_id = vpc-076a4c26ec2217f9d). VPC peering connects these two VPCs. I provision MariaDB in the shared VPC, but I got the errors below.

Error: Error creating DB Instance: InvalidParameterCombination: The DB instance and EC2 security group are in different VPCs. The DB instance is in vpc-076a4c26ec2217f9d and the EC2 security group is in vpc-0067ff2ab41cc8a3e status code: 400, request id: 75954d06-375c-4680-b8fe-df9a67f2574d

Below is the code. Can someone help?

module "master" {
  source = "terraform-aws-modules/rds/aws"
  version = "2.20.0"
  identifier = var.master_identifier
  engine            = var.engine
  engine_version    = var.engine_version
  instance_class    = var.instance_class
  allocated_storage = var.allocated_storage
  storage_type      = var.storage_type
  storage_encrypted = var.storage_encrypted
  name     = var.mariadb_name
  username = var.mariadb_username
  password = var.mariadb_password
  port     = var.mariadb_port
  vpc_security_group_ids = [data.terraform_remote_state.vpc-shared.outputs.default_security_group_id,
                            data.terraform_remote_state.vpc-blue.outputs.default_security_group_id,
                            data.terraform_remote_state.eks-blue.outputs.worker_group_general_security_group_id,
                            data.terraform_remote_state.eks-blue.outputs.worker_group_gitea_security_group_id,
                            data.terraform_remote_state.eks-blue.outputs.all_workers_security_group_id,
                            data.terraform_remote_state.eks-blue.outputs.cluster_security_group_id]
  maintenance_window = var.maintenance_window_master
  backup_window      = var.backup_window_master
  multi_az = true
  tags = {
    Owner       = "MariaDB"
    Environment = "blue-green"
  }
  enabled_cloudwatch_logs_exports = ["audit", "general"]
  subnet_ids = data.terraform_remote_state.vpc-shared.outputs.database_subnets
  create_db_option_group = true
  apply_immediately = true
  family = var.family
  major_engine_version = var.major_engine_version
  final_snapshot_identifier = var.final_snapshot_identifier
  deletion_protection = false
  parameters = [
    {
      name  = "character_set_client"
      value = "utf8"
    },
    {
      name  = "character_set_server"
      value = "utf8"
    }
  ]
  options = [
    {
      option_name = "MARIADB_AUDIT_PLUGIN"
      option_settings = [
        {
          name  = "SERVER_AUDIT_EVENTS"
          value = "CONNECT"
        },
        {
          name  = "SERVER_AUDIT_FILE_ROTATIONS"
          value = "7"
        },
      ]
    },
  ]
}

module "replica" {
  source = "terraform-aws-modules/rds/aws"
  version = "2.20.0"
  identifier = var.replica_identifier
  replicate_source_db = module.master.this_db_instance_id
  engine            = var.engine
  engine_version    = var.engine_version
  instance_class    = var.instance_class
  allocated_storage = var.allocated_storage
  username = ""
  password = ""
  port     = var.mariadb_port
  vpc_security_group_ids = [data.terraform_remote_state.vpc-shared.outputs.default_security_group_id,
                            data.terraform_remote_state.vpc-blue.outputs.default_security_group_id,
                            data.terraform_remote_state.eks-blue.outputs.worker_group_general_security_group_id,
                            data.terraform_remote_state.eks-blue.outputs.worker_group_gitea_security_group_id,
                            data.terraform_remote_state.eks-blue.outputs.all_workers_security_group_id,
                            data.terraform_remote_state.eks-blue.outputs.cluster_security_group_id]

  maintenance_window = var.maintenance_window_replica
  backup_window      = var.backup_window_replica
  multi_az = false
  backup_retention_period = 0
  create_db_subnet_group = false
  create_db_option_group    = false
  create_db_parameter_group = false
  major_engine_version = var.major_engine_version
}

Upvotes: 2

Views: 2086

Answers (1)

Marcin

Reputation: 238131

Normally, what you should do is have vpc_security_group_ids from the VPC where your RDS is. In your case it would be the shared VPC:

vpc_security_group_ids = [data.terraform_remote_state.vpc-shared.outputs.default_security_group_id]

Having this one SG, you would add rules to it to allow ingress traffic from other security groups. So basically, your RDS would have one SG with multiple ingress rules. The ingress rules would specify other security groups as allowed.

Upvotes: 2
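The pattern Marcin describes, written out as an added Terraform example (this is not code from the question or the answer): one security group created in the shared VPC, attached to both RDS modules, with ingress rules that name the EKS worker security groups in the peered blue VPC as sources, so the DB instance, its subnet group and its security group all share a VPC. It reuses the remote-state outputs and variables already in the question; the `vpc_id` output on the shared-VPC remote state is an assumption, as is the `mariadb-shared` group name.

```hcl
# Added example, not part of the original question or answer.
# Assumed: data.terraform_remote_state.vpc-shared.outputs.vpc_id exists
# (the page only shows the default_security_group_id and database_subnets outputs).

# One security group for the database, created in the shared VPC where RDS lives.
resource "aws_security_group" "mariadb" {
  name        = "mariadb-shared" # assumed name
  description = "MariaDB ingress from EKS workers in the peered blue VPC"
  vpc_id      = data.terraform_remote_state.vpc-shared.outputs.vpc_id # assumed output

  tags = {
    Owner       = "MariaDB"
    Environment = "blue-green"
  }
}

# Only the groups whose members actually open connections to the database.
# The blue VPC default SG and the EKS cluster (control-plane) SG from the
# question's list are left out: they are not database clients.
locals {
  mariadb_client_sg_ids = {
    workers_general = data.terraform_remote_state.eks-blue.outputs.worker_group_general_security_group_id
    workers_gitea   = data.terraform_remote_state.eks-blue.outputs.worker_group_gitea_security_group_id
    workers_all     = data.terraform_remote_state.eks-blue.outputs.all_workers_security_group_id
  }
}

# One ingress rule per client group, restricted to the MariaDB port over TCP.
# Referencing a security group in a peered VPC as the source works only when the
# peering connection is within the same Region; a cross-Region peer would need
# CIDR-based rules instead.
resource "aws_security_group_rule" "mariadb_ingress" {
  for_each = local.mariadb_client_sg_ids

  type                     = "ingress"
  security_group_id        = aws_security_group.mariadb.id
  from_port                = var.mariadb_port
  to_port                  = var.mariadb_port
  protocol                 = "tcp"
  source_security_group_id = each.value
  description              = "MariaDB from ${each.key}"
}

# Both RDS modules now attach only the shared-VPC group. Every other argument
# stays as in the question; only vpc_security_group_ids changes.
module "master" {
  source  = "terraform-aws-modules/rds/aws"
  version = "2.20.0"
  # ... remaining arguments unchanged from the question ...
  subnet_ids             = data.terraform_remote_state.vpc-shared.outputs.database_subnets
  vpc_security_group_ids = [aws_security_group.mariadb.id]
}

module "replica" {
  source  = "terraform-aws-modules/rds/aws"
  version = "2.20.0"
  # ... remaining arguments unchanged from the question ...
  replicate_source_db    = module.master.this_db_instance_id
  vpc_security_group_ids = [aws_security_group.mariadb.id]
}
```

The check before applying is a `terraform plan`: the plan should show `aws_security_group.mariadb` with the shared VPC's id (vpc-076a4c26ec2217f9d) and no group from vpc-0067ff2ab41cc8a3e in either module's `vpc_security_group_ids`, which is exactly the mismatch the InvalidParameterCombination error reported. Keeping the rules as separate `aws_security_group_rule` resources means adding or revoking a client workload is a one-resource change that shows up clearly in review, instead of a rewrite of an inline rule list.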
