Connor

Reputation: 1094

How do I stop my AWS Security Group being invalid?

I'm trying to create an AWS RDS instance that's connected to by an EC2 instance. I have two security groups and one RDS instance, which I'm creating using CloudFormation. You can see my .yaml file below:

AWSTemplateFormatVersion: 2010-09-09
Description: template v2
Resources:
  MyEC2Instance:
    Type: "AWS::EC2::Instance"
    Properties:
      ImageId: ami-05d929ac8893c382f
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref InstanceSecurityGroup

  MyDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: mydbinstance
      AllocatedStorage: 20
      DBInstanceClass: db.t3.micro
      Engine: mariadb
      MasterUsername: admin
      MasterUserPassword: password
      DBSubnetGroupName: !Ref MyDBSubnetGroup
      VPCSecurityGroups:
        - !Ref DatabaseSecurityGroup
      PubliclyAccessible: false

  InstanceSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "Enable access from the public internet."
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

  DatabaseSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "Enable access from the EC2 instance."
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !GetAtt InstanceSecurityGroup.GroupId

  MyDBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: "Subnet group for RDS instance"
      SubnetIds:
        - subnet-2
        - subnet-1

I've validated this template in Application Composer and get no errors. But when I try to create the stack I get the following error:

Resource handler returned message: "Invalid security group , groupId= test-9-databasesecuritygroup-4rosfigqstws, groupName=. (Service: Rds, Status Code: 400, Request ID: ...)

I've looked around online and heard it could be subnets. So, I've tried adding subnets attached to my local VPC, but that hasn't fixed the issue. How do I resolve this? Is it still a problem with subnets, or is there something wrong with my security group?

Upvotes: 1

Views: 444

Answers (1)

Connor

Reputation: 1094

The issue is in the MyDBInstance. I had a reference to the Database security group: !Ref DatabaseSecurityGroup. But this returns the name of the group, not the ID, which is what's required.

To fix this I changed the instance from:

MyDBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    DBInstanceIdentifier: mydbinstance
    AllocatedStorage: 20
    DBInstanceClass: db.t3.micro
    Engine: mariadb
    MasterUsername: admin
    MasterUserPassword: password
    DBSubnetGroupName: !Ref MyDBSubnetGroup
    VPCSecurityGroups:
      - !Ref DatabaseSecurityGroup
    PubliclyAccessible: false

To:

MyDBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    DBInstanceIdentifier: mydbinstance
    AllocatedStorage: 20
    DBInstanceClass: db.t3.micro
    Engine: mariadb
    MasterUsername: admin
    MasterUserPassword: password
    DBSubnetGroupName: !Ref MyDBSubnetGroup
    VPCSecurityGroups:
      - !GetAtt DatabaseSecurityGroup.GroupId
    PubliclyAccessible: false

After this change the stack built correctly.

Upvotes: 1
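As an added example (not code from the question or the answer), here is a small check that finds the pattern the answer describes, a VPCSecurityGroups entry that uses Ref on an AWS::EC2::SecurityGroup resource, and rewrites it to Fn::GetAtt GroupId. It works on the template in its JSON/dict form, where {"Ref": ...} is the long form of !Ref and {"Fn::GetAtt": [...]} the long form of !GetAtt; the embedded template is a constructed, trimmed copy of the one in the question.

```python
import copy

# Constructed sample: a trimmed copy of the question's template in JSON form.
# {"Ref": "X"} == !Ref X, {"Fn::GetAtt": ["X", "GroupId"]} == !GetAtt X.GroupId
TEMPLATE = {
    "Resources": {
        "MyDBInstance": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "DBInstanceIdentifier": "mydbinstance",
                "Engine": "mariadb",
                "VPCSecurityGroups": [{"Ref": "DatabaseSecurityGroup"}],
            },
        },
        "DatabaseSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "Enable access from the EC2 instance."},
        },
    }
}


def find_ref_security_groups(template):
    """Return (db_logical_id, sg_logical_id) pairs for every RDS instance whose
    VPCSecurityGroups list uses Ref on an AWS::EC2::SecurityGroup resource.
    Literal group IDs and Refs to parameters are left alone."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::RDS::DBInstance":
            continue
        for entry in res.get("Properties", {}).get("VPCSecurityGroups", []):
            if not isinstance(entry, dict) or "Ref" not in entry:
                continue
            target = entry["Ref"]
            if resources.get(target, {}).get("Type") == "AWS::EC2::SecurityGroup":
                findings.append((name, target))
    return findings


def fix_ref_security_groups(template):
    """Return a deep copy of the template with each flagged Ref replaced by
    Fn::GetAtt [<security group>, GroupId]; the input is not modified."""
    fixed = copy.deepcopy(template)
    for db_name, sg_name in find_ref_security_groups(template):
        groups = fixed["Resources"][db_name]["Properties"]["VPCSecurityGroups"]
        for i, entry in enumerate(groups):
            if entry == {"Ref": sg_name}:
                groups[i] = {"Fn::GetAtt": [sg_name, "GroupId"]}
    return fixed
```

Running find_ref_security_groups over the fixed template returns an empty list, which is the check to keep in a pre-deploy lint step.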
