Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

`Invalid security group` shown when tried to create an SG and RDS by CloudFormation

Tags:

amazon-web-services

amazon-cloudformation

I made following simple CloudFormation template. It tries to create one security group and one RDS, with RDS using the created security group as its security group config.

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  TestDBMasterUserPassword:
    Type: String
    NoEcho: true
Resources:
  TestDB:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      Engine: mysql
      DBInstanceClass: db.t2.micro
      AllocatedStorage: 20
      MasterUsername: root
      MasterUserPassword: !Ref TestDBMasterUserPassword
      VPCSecurityGroups:
        - !Ref TestDBSecurityGroup
  TestDBSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Security Group for TestDB

Creating a stack from this template results in an error, as shown below:

16:58:43 UTC+0900   CREATE_FAILED   AWS::RDS::DBInstance    TestDB  Invalid security group , groupId= inoue-test-stack-testdbsecuritygroup-10t6gvze4gs5k, groupName=. (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 16c7e4c5-9201-4dc7-b5b4-8f536c6b807d)

I can't figure out why such error occurs..

Question:

  • What's wrong with this simple cloud formation template?
    • How can I create an specified security group and assign it to RDS on CloudFormation?
like image 849
Yuki Inoue Avatar asked May 29 '18 08:05

Yuki Inoue

People also ask

How do I create a security group in CloudFormation?

To create a security group, use the VpcId property to specify the VPC for which to create the security group. This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.

How do I add a security group to RDS?

Create a new security group (as your have done), then go to the RDS console, click on your database, then choose Instance actions -> Modify and modify the security groups that are associated with the DB instance (add the new security group, remove the default security group)

What are some of the common causes why you Cannot connect to a DB instance on AWS?

When you can't connect to a DB instance, the following are common causes: Inbound rules – The access rules enforced by your local firewall and the IP addresses authorized to access your DB instance might not match. The problem is most likely the inbound rules in your security group.

1 Answers

When you do !Ref AWS::EC2::SecurityGroup in the VPCSecurityGroups property, this returns the name of the security group and not the ID, which is what the VPCSecurityGroups property requires. Try using - Fn::GetAtt: [ TestDBSecurityGroup, GroupId ] instead.

like image 136
John Nicely Avatar answered Oct 18 '22 01:10

John Nicely
Sign in to Comment

Related questions

AWS Lambda access to RDS outside VPC
How to save Amazon Redshift output to local CSV through SQL Workbench?
How do I use Gmail SMTP with port 587 on AWS EC2?
Aws glue triggers are not working
CodeDeploy can't find my AWS Lambda Function
Websocket closing after 60 seconds of being idle while connection node server using AWS ELB
Cloudformation error: route table X and network gateway Y belong to different networks
Terraform not uploading Lambda code zip file to AWS
AWS ElastiCache for Redis Engine CPU Utilization metrics, how to interpret?
Define Module Dependencies in Terraform
What is the reason for 'Query condition missed key schema element' in AWS DynamoDb?
How to use aws cloudwatch get-metric-widget-image?
Install .NET Core in Amazon Linux 2 using yum
Amazon.Runtime.AmazonServiceException: Unable to find credentials
AWS Lambda function firing twice
Missing SPARK_HOME when using SparkLauncher on AWS EMR cluster
Cannot setup CodeCommit in EB CLI
How to set up different domains based on stage with serverless-domain-manager plugin?
AWS CLI S3API find newest folder in path
Serving a multitude of static sites from a wildcard domain in AWS

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!