terraform 数据库实例和 ec2 安全组在不同的 vpc 中

Question

i am trying to create a vpc with public and private su.net along with Aurora mysql cluster and instance in same vpc with custom security group for RDS.

i've created vpc (public/private su.net, custom security group) in a module. also aurora-mysql in different module.

My vpc configuration in a module file

resource "aws_vpc" "main" {
    cidr_block       = "${var.vpc_cidr}"
    instance_tenancy = "${var.tenancy}"
    enable_dns_support = "true"
    enable_dns_hostnames = "true"
   tags {
      Name = "${var.tag_name}"
   }
}

resource "aws_subnet" "main-public-1" {
   vpc_id     = "${var.vpc_id}"
   cidr_block = "${var.subnet_cidr_1}"
   availability_zone = "${var.region}a"
   map_public_ip_on_launch = true
   tags {
       Name = "${var.tag_name}-subnet1"
    }
}

resource "aws_subnet" "main-private-1" {
    count      = "${var.create_private_subnet}"
    vpc_id     = "${var.vpc_id}"
    cidr_block = "${var.private_subnet_cidr_1}"
    map_public_ip_on_launch = false
    availability_zone = "${var.region}a"

   tags {
        Name = "${var.tag_name}-private-subnet1"
    }
}
resource "aws_subnet" "main-private-2" {
    count      = "${var.create_private_subnet}"
    vpc_id     = "${var.vpc_id}"
    cidr_block = "${var.private_subnet_cidr_2}"
    map_public_ip_on_launch = false
    availability_zone = "${var.region}b"

    tags {
        Name = "${var.tag_name}-private-subnet2"
    }
}

resource "aws_security_group" "aurora-sg" {
  name   = "aurora-security-group"
  vpc_id = "${var.vpc_id}"
  ingress {
    protocol    = "tcp"
    from_port   = 0
    to_port     = 65535
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = -1
    from_port   = 0 
    to_port     = 0 
    cidr_blocks = ["0.0.0.0/0"]
  }
}

My RDS configuration in a module file

resource "aws_rds_cluster" "cluster" {
  cluster_identifier     = "${var.cluster_name}"
  engine                 = "aurora-mysql"
  database_name          = "sample_rds"
  master_username        = "${var.username}"
  master_password        = "${var.password}"
  vpc_security_group_ids = ["${aws_security_group.aurora-sg.id}"]
  skip_final_snapshot    = true
}

resource "aws_rds_cluster_instance" "cluster_instances" {
  identifier         = "${var.cluster_name}-instance"
  cluster_identifier = "${aws_rds_cluster.cluster.id}"
  instance_class     = "${var.instance_class}"
  publicly_accessible = "${var.publicly_accessible}"
  db_subnet_group_name    = 
        "${aws_db_subnet_group.aurora_subnet_group.id}"
}

resource "aws_db_subnet_group" "aurora_subnet_group" {
  name       = "tf-rds-${var.cluster_name}"
  subnet_ids = ["${var.subnets}"]

  tags {
    Name = "tf-rds-${var.cluster_name}"
  }
}

My main terraform script. i have passed variables to RDS module like vpc_id, db username and password,private su.net ids and security group id

module "aurora_mysql" {
  source      = "../modules/rds-aurora"

  vpc_id              = "${module.my_vpc.vpc_id}"
  publicly_accessible = true
  instance_class      = "db.t2.medium"
  username            = "${var.db_username}"
  password            = "${var.db_password}"
  subnets             = 
 ["${module.my_vpc.subnet_id_1[1]}","${module.my_vpc.subnet_id_1[2]}"]
  security_group_ids = "${module.my_vpc.vpc_rds_sg_id}"
}

When i try to apply the configuration vpc created successfully with su.net and security group but get the error Error creating DB Instance: InvalidParameterCombination: DB instance and EC2 security group are in different VPC

My RDS instance gets created in the default VPC even though i am passing new vpc private su.net ids and custom security group id.

Answer 1

Maybe a bit old but i had the same problem. Maybe interesting for others who have that problem. The key is the "db_subnet_group_name" in "aws_rds_cluster" or "aws_rds_cluster_instance".

From the docs:

db_subnet_group_name - (Optional) Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC...

I saw that you used the "id" instead of the "name"

db_subnet_group_name    = "${aws_db_subnet_group.aurora_subnet_group.id}"

With name:

db_subnet_group_name    = "${aws_db_subnet_group.aurora_subnet_group.name}"

Maybe that was the problem.

Answer 2

DB Subnet Group is a parameter fir the cluster ( aws_rds_cluster ), and not for the instance. In your config, you seem to be passing the subnet group in your instance config and not in your cluster config. I believe, this forces RDS to fallback to use the default subnet group, which is a group of subnets from your default VPC.

I'm not a Terrform expert, so I'll leave it up to you to figure out what needs to change in your config to model this correctly. Hope this helps!

Answer 3

I faced a similar issue. Finally, after a lot of struggle, while creating PostgreSQL DB instance, I found that we need to create a resource call subnet group name with at least two subnets and call that in an instance or cluster resource.

Here is my sample code.

resource "aws_db_subnet_group" "postgresql_subnet_group" {
    name       = "postgresubgroup"
    subnet_ids = ["${aws_subnet.postgresql_subnet1.id}",  
        "${aws_subnet.postgresql_subnet2.id}"]

    tags = {
        Name = "PostgreSQL subnet group"
    }
}

db_subnet_group_name = aws_db_subnet_group.postgresql_subnet_group.name

Answer 4

This error can be caused by vpc_id being omitted from the aws_security_group resource or being set to the wrong value.

In your case, the vpc_id is there, but it might have the wrong value. It's being set to a var.vpc_id . I'm not sure where var.vpc_id is being set, but perhaps it doesn't match the ID of your aws_vpc.main resource. One way to guarantee that the two values match is to set vpc_id = aws_vpc.main.id instead of vpc_id = "${var.vpc_id}" .

Answer 5

You need to specify the same aws_db_su.net_group_name for both aws_rds_cluster and aws_rds_cluster_instance. Your configuration is missing the db_su.net_group_name specification for aws_rds_cluster.