
AWS CloudFormation: unable to create RDS database because database security group cannot reference the web server's security group

I am building my infrastructure using AWS CloudFormation. I am creating an RDS database resource with a security group that references another security group, which is attached to the web server. But it fails when I deploy the template.

This is my template.

AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
  KeyName:
    Default: 'PatheinDirectory'
    Type: String
  InstanceType:
    Default: 't2.micro'
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
  DBInstanceIdentifier:
    Type: String
    Default: 'coredbidentifier'
  DBName:
    Type: String
    Default: 'coredb'
  DBUsername:
    Type: String
    Default: 'coredbadmin'
  DBClass:
    Type: String
    Default: 'db.t2.micro'
  DBAllocatedStorage:
    Type: String
    Default: '5'
  DBPassword:
    Type: String

Mappings:
  Region2Principal:
    us-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-south-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-east-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ca-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    sa-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    cn-north-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    cn-northwest-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    eu-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-north-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com

Resources:
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp:
            Ref: SSHLocation

  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '3306'
          ToPort: '3306'
          SourceSecurityGroupId: !Ref WebServerSecurityGroup

  WebDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: MySQL
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      VPCSecurityGroups:
        - !Ref DBSecurityGroup

This is the error I got in the log.

{
    "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/a710bab0-e1f5-11ea-8647-02dbc193ed28",
    "EventId": "b47b0660-e1f5-11ea-bedf-0ac92d082ee0",
    "StackName": "patheindirectory",
    "LogicalResourceId": "patheindirectory",
    "PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/a710bab0-e1f5-11ea-8647-02dbc193ed28",
    "ResourceType": "AWS::CloudFormation::Stack",
    "Timestamp": "2020-08-19T08:26:39.929000+00:00",
    "ResourceStatus": "ROLLBACK_IN_PROGRESS",
    "ResourceStatusReason": "The following resource(s) failed to create: [DBSecurityGroup]. . Rollback requested by user."
},
{
    "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/a710bab0-e1f5-11ea-8647-02dbc193ed28",
    "EventId": "DBSecurityGroup-CREATE_FAILED-2020-08-19T08:26:39.217Z",
    "StackName": "patheindirectory",
    "LogicalResourceId": "DBSecurityGroup",
    "PhysicalResourceId": "patheindirectory-DBSecurityGroup-AYJS8S8FDNCE",
    "ResourceType": "AWS::EC2::SecurityGroup",
    "Timestamp": "2020-08-19T08:26:39.217000+00:00",
    "ResourceStatus": "CREATE_FAILED",
    "ResourceStatusReason": "Invalid id: \"patheindirectory-WebServerSecurityGroup-9KMFVDEWRVSF\" (expecting \"sg-...\") (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroupId.Malformed; Request ID: dec3b1d3-1259-44cc-bdb9-84f4bf764df6)",
    "ResourceProperties": "{\"GroupDescription\":\"Database security group\",\"SecurityGroupIngress\":[{\"FromPort\":\"3306\",\"ToPort\":\"3306\",\"IpProtocol\":\"tcp\",\"SourceSecurityGroupId\":\"patheindirectory-WebServerSecurityGroup-9KMFVDEWRVSF\"}]}"
},

What is wrong with my template and how can I fix it?

Your SourceSecurityGroupId should be the ID of the security group:

SourceSecurityGroupId: !GetAtt WebServerSecurityGroup.GroupId

Thus, DBSecurityGroup should be:

  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '3306'
          ToPort: '3306'
          SourceSecurityGroupId: !GetAtt WebServerSecurityGroup.GroupId

The same goes for VPCSecurityGroups in WebDatabase:

  WebDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: MySQL
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      VPCSecurityGroups:
        - !GetAtt DBSecurityGroup.GroupId

PS

Region2Principal is not used at all. Also, the password would be better as a NoEcho parameter:

  DBPassword:
    Type: String
    NoEcho: True

Corrected template in full (Region2Principal remains, but it's not used here):

AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
  KeyName:
    Default: 'PatheinDirectory'
    Type: String
  InstanceType:
    Default: 't2.micro'
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
  DBInstanceIdentifier:
    Type: String
    Default: 'coredbidentifier'
  DBName:
    Type: String
    Default: 'coredb'
  DBUsername:
    Type: String
    Default: 'coredbadmin'
  DBClass:
    Type: String
    Default: 'db.t2.micro'
  DBAllocatedStorage:
    Type: Number
    Default: 5
  DBPassword:
    Type: String
    NoEcho: True

Mappings:
  Region2Principal:
    us-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-south-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-east-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ca-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    sa-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    cn-north-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    cn-northwest-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    eu-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-north-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com

Resources:
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp:
            Ref: SSHLocation

  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '3306'
          ToPort: '3306'
          SourceSecurityGroupId: !GetAtt WebServerSecurityGroup.GroupId

  WebDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: MySQL
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      VPCSecurityGroups:
        - !GetAtt DBSecurityGroup.GroupId
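An added example that is not part of the question or the answer above: a small static check that catches the mistake from the question before the stack is deployed, together with the two hardening points the answer raises (NoEcho on the password parameter, and SSH open to 0.0.0.0/0 via the SSHLocation default). It works on the JSON form of a template, in which the YAML short forms `!Ref X` and `!GetAtt X.GroupId` appear as `{"Ref": "X"}` and `{"Fn::GetAtt": ["X", "GroupId"]}`. The reason `Ref` failed here is documented behaviour: for an AWS::EC2::SecurityGroup, `Ref` returns the group name when the group is in EC2-Classic or the default VPC and the group ID only for a group in a non-default VPC, which is why the error shows the stack-generated name `patheindirectory-WebServerSecurityGroup-9KMFVDEWRVSF` rather than an `sg-` ID; `Fn::GetAtt GroupId` is the ID in every case. The sample template is constructed from the question's resources, reduced to the fields the checks read; the function names are my own, not a CloudFormation or cfn-lint API.

```python
"""Static checks for security-group wiring in a CloudFormation template.

Added example, not code from the original question or answer. It walks the
JSON form of a template ({"Ref": ...} / {"Fn::GetAtt": [...]}) and reports:
  * SourceSecurityGroupId / VPCSecurityGroups entries that Ref an
    AWS::EC2::SecurityGroup (Ref is the group *name* for a group in the
    default VPC or EC2-Classic, which EC2 rejects as a malformed group ID)
  * TCP 22 open to 0.0.0.0/0, directly or through a parameter default
  * parameters whose name ends in "Password" without NoEcho
rewrite_sg_refs() applies the mechanical fix: Ref -> Fn::GetAtt GroupId.
"""
import copy
import json

SG_TYPE = "AWS::EC2::SecurityGroup"
RDS_TYPE = "AWS::RDS::DBInstance"

# Constructed sample: the question's template reduced to what the checks read.
SAMPLE_TEMPLATE = json.loads(r'''{
  "Parameters": {
    "SSHLocation": {"Type": "String", "Default": "0.0.0.0/0"},
    "DBPassword": {"Type": "String"}
  },
  "Resources": {
    "WebServerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": {"Ref": "SSHLocation"}}]}},
    "DBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306",
         "SourceSecurityGroupId": {"Ref": "WebServerSecurityGroup"}}]}},
    "WebDatabase": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "VPCSecurityGroups": [{"Ref": "DBSecurityGroup"}]}}
  }
}''')


def _is_ref_to_sg(value, resources):
    """True if value is {"Ref": X} and X is a security group resource."""
    return (isinstance(value, dict) and "Ref" in value
            and resources.get(value["Ref"], {}).get("Type") == SG_TYPE)


def _resolve_cidr(value, parameters):
    """Return a CidrIp literal, following a Ref to a parameter's Default."""
    if isinstance(value, dict) and "Ref" in value:
        return parameters.get(value["Ref"], {}).get("Default")
    return value


def _covers_tcp_port(rule, port):
    """True if the rule's protocol/port range includes TCP `port`."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":  # all protocols and all ports
        return True
    if proto != "tcp":
        return False
    try:
        return int(rule["FromPort"]) <= port <= int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        return False


def check_template(template):
    """Return sorted (logical_id, message) findings for the template."""
    params = template.get("Parameters", {})
    resources = template.get("Resources", {})
    findings = []
    for name, param in params.items():
        if name.lower().endswith("password") and not param.get("NoEcho"):
            findings.append((name, "secret parameter without NoEcho"))
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == SG_TYPE:
            for rule in props.get("SecurityGroupIngress", []):
                if _is_ref_to_sg(rule.get("SourceSecurityGroupId"), resources):
                    findings.append((logical_id, "SourceSecurityGroupId is a Ref; use Fn::GetAtt GroupId"))
                if (_covers_tcp_port(rule, 22)
                        and _resolve_cidr(rule.get("CidrIp"), params) == "0.0.0.0/0"):
                    findings.append((logical_id, "SSH (22/tcp) open to 0.0.0.0/0"))
        elif res.get("Type") == RDS_TYPE:
            if any(_is_ref_to_sg(sg, resources) for sg in props.get("VPCSecurityGroups", [])):
                findings.append((logical_id, "VPCSecurityGroups entry is a Ref; use Fn::GetAtt GroupId"))
    return sorted(findings)


def rewrite_sg_refs(template):
    """Return a copy with every Ref to a security group replaced by Fn::GetAtt GroupId."""
    fixed = copy.deepcopy(template)
    resources = fixed.get("Resources", {})

    def to_id(value):
        return {"Fn::GetAtt": [value["Ref"], "GroupId"]} if _is_ref_to_sg(value, resources) else value

    for res in resources.values():
        props = res.get("Properties", {})
        if res.get("Type") == SG_TYPE:
            for rule in props.get("SecurityGroupIngress", []):
                if "SourceSecurityGroupId" in rule:
                    rule["SourceSecurityGroupId"] = to_id(rule["SourceSecurityGroupId"])
        elif res.get("Type") == RDS_TYPE and "VPCSecurityGroups" in props:
            props["VPCSecurityGroups"] = [to_id(sg) for sg in props["VPCSecurityGroups"]]
    return fixed


if __name__ == "__main__":
    for logical_id, msg in check_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {msg}")
    print("after rewrite:", check_template(rewrite_sg_refs(SAMPLE_TEMPLATE)))
```

Run as a script, the first loop reports all four findings on the question's template (the two Ref misuses, the SSH rule, the password parameter); the rewrite removes the two Ref findings and leaves the SSH and NoEcho ones, which need a human decision (a narrower SSHLocation default, NoEcho on DBPassword) rather than a mechanical fix.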
