How do I connect my AWS::EC2::DBSecurityGroup to my AWS::RDS::DBSecurityGroup in a VPC context?

2
votes

I have this AWS::EC2::SecurityGroup:

    "InstanceSecurityGroup" : {
        "Type" : "AWS::EC2::SecurityGroup",
        "Properties" : {
            "GroupDescription" : "Enable HTTP access on the configured port",
            "VpcId" : { "Ref" : "VpcId" },
            "SecurityGroupIngress" : [ {
                "IpProtocol" : "tcp",
                "FromPort" : { "Ref" : "WebServerPort" },
                "ToPort" : { "Ref" : "WebServerPort" },
                "SourceSecurityGroupId" : { "Ref" : "LoadBalancerSecurityGroup" }
            } ]
        }
    }

and I have this AWS::RDS::DBSecurityGroup

    "DBSecurityGroup": {
        "Type": "AWS::RDS::DBSecurityGroup",
        "Properties": {
            "DBSecurityGroupIngress": { "EC2SecurityGroupName": { "Ref": "InstanceSecurityGroup"} },
            "GroupDescription"      : "Frontend Access"
        }
    }

when I try to bring up this stack, I get:

Invalid security group , groupId=, groupName= sg-a381fdc6.

Edit 1: Reading a bit more suggests I need AWS::RDS::DBSecurityGroup to be associated with my VPC, so I change to this:

    "DBSecurityGroup": {
        "Type": "AWS::RDS::DBSecurityGroup",
        "Properties": {
            "EC2VpcId" : { "Ref" : "VpcId" },
            "DBSecurityGroupIngress": { "EC2SecurityGroupName": { "Ref": "InstanceSecurityGroup"} },
            "GroupDescription"      : "Frontend Access"
        }
    }

and when I bring up the stack I get

Please see the documentation for authorizing DBSecurityGroup ingress. For VPC, EC2SecurityGroupId is required. To authorize only the source address of this request (and no other address), pass 205.251.233.35/32 as the CIDRIP parameter.

EC2SecurityGroupId is the ID of the security group, not the name of it, and that ID is assigned outside my control, so I don't know what value to put in here.

How do I connect my AWS::EC2::DBSecurityGroup to my AWS::RDS::DBSecurityGroup in a VPC context?

2
amazon-web-servicesamazon-ec2amazon-cloudformationamazon-vpc

2 Answers

8
votes

The problem is that your { "Ref": "InstanceSecurityGroup"} doesn't hold the id only the name. To get a hold on the EC2SecurityGroupId use Fn::GetAtt.

Your template for the DBSecurityGroup should look something like this (notice how Ref have been replaced by Fn::GetAtt:

"DBSecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
   "EC2VpcId"              : { "Ref" : "VpcId" },
   "DBSecurityGroupIngress": { "EC2SecurityGroupId": { "Fn::GetAtt" : [ "InstanceSecurityGroup", "GroupId" ] } },
   "GroupDescription"      : "Frontend Access"
}
0
votes

When you RDS Security group is defined inside a VPC, you must refer to other security group by group-id, not by group name.

See http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-security-group.html http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-security-group-rule.html

"For VPC DB Security Groups, use EC2SecurityGroupId. For EC2 Security Groups, use EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId."

You can get the Security group ID by using the "Ref" function as described here http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html

So, your modified Security Group should be

"DBSecurityGroup": { "Type": "AWS::RDS::DBSecurityGroup", "Properties": { "EC2VpcId" : { "Ref" : "VpcId" }, "DBSecurityGroupIngress": { "EC2SecurityGroupId": { "Ref": "InstanceSecurityGroup"} }, "GroupDescription" : "Frontend Access" } }