How Do I Specify a Security Group for Elastic Beanstalk Launch Configuration in CloudFormation Template?

3
votes

I have the following security group defined in my CloudFormation template:

"APIInstanceSG": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Security Group for Application EC2 Instances,
    "VpcId": "vpc-10a75377",
    "Tags": [{
      "Key": "Name",
      "Value": "APIInstanceSG" }
    }]
  }
}

I also have an Elastic Beanstalk environment defined containing the following inside OptionSettings:

{
  "Namespace": "aws:autoscaling:launchconfiguration",
  "OptionName": "SecurityGroups",
  "Value": { "Ref": "APIInstanceSG" }
}

When I create a stack using this template, the security group is created before CloudFormation attempts to create the EB environment but when it tries to create the EB environment, it failes with the following error:

Configuration validation exception: Invalid option value: 'sg-994fcbe4' (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'SecurityGroups'): The security group 'sg-994fcbe4' does not exist

sg-994fcbe4 is the ID of the security group that was created enter image description here

The Elastic Beanstalk Environment config is as follows:

"AspectAPIEnv": {
  "Type": "AWS::ElasticBeanstalk::Environment",
  "Properties": {
    "ApplicationName": "application-name",
    "EnvironmentName": "environment-name",
    "SolutionStackName": "64bit Amazon Linux 2016.09 v3.1.0 running Node.js",
    "Tier": {
      "Name": "WebServer",
      "Type": "Standard"
    },
    "OptionSettings": [
      {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "EC2KeyName",
        "Value": "ec2-key"
      },
      {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "IamInstanceProfile",
        "Value": "aws-elasticbeanstalk-ec2-role"
      },
      {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "ImageId",
        "Value": "ami-d8356acf"
      },
      {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "InstanceType",
        "Value": "t2.micro"
      },
      {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "SecurityGroups",
        "Value": { "Ref": "APIInstanceSG" }
      },
      {
        "Namespace": "aws:autoscaling:trigger",
        "OptionName": "UpperThreshold",
        "Value": "6000000"
      },
      {
        "Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
        "OptionName": "MaxBatchSize",
        "Value": "1"
      },
      {
        "Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
        "OptionName": "MinInstancesInService",
        "Value": "1"
      },
      {
        "Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
        "OptionName": "RollingUpdateEnabled",
        "Value": "true"
      },
      {
        "Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
        "OptionName": "RollingUpdateType",
        "Value": "Health"
      },
      {
        "Namespace": "aws:elasticbeanstalk:command",
        "OptionName": "BatchSize",
        "Value": "30"
      },
      {
        "Namespace": "aws:elasticbeanstalk:container:nodejs",
        "OptionName": "NodeVersion",
        "Value": "6.2.2"
      },
      {
        "Namespace": "aws:elasticbeanstalk:environment",
        "OptionName": "ServiceRole",
        "Value": "aws-elasticbeanstalk-service-role"
      },
      {
        "Namespace": "aws:elasticbeanstalk:healthreporting:system",
        "OptionName": "SystemType",
        "Value": "enhanced"
      },
      {
        "Namespace": "aws:elasticbeanstalk:managedactions",
        "OptionName": "ManagedActionsEnabled",
        "Value": "true"
      },
      {
        "Namespace": "aws:elasticbeanstalk:managedactions",
        "OptionName": "PreferredStartTime",
        "Value": "SUN:09:02"
      },
      {
        "Namespace": "aws:elasticbeanstalk:managedactions:platformupdate",
        "OptionName": "UpdateLevel",
        "Value": "minor"
      },
      {
        "Namespace": "aws:elb:healthcheck",
        "OptionName": "Interval",
        "Value": "10"
      },
      {
        "Namespace": "aws:elb:loadbalancer",
        "OptionName": "CrossZone",
        "Value": "true"
      },
      {
        "Namespace": "aws:elb:loadbalancer",
        "OptionName": "LoadBalancerHTTPPort",
        "Value": "80"
      },
      {
        "Namespace": "aws:elb:loadbalancer",
        "OptionName": "SecurityGroups",
        "Value": { "Ref": "APILoadBalancerSG" }
      },
      {
        "Namespace": "aws:elb:loadbalancer",
        "OptionName": "ManagedSecurityGroup",
        "Value": { "Ref": "APILoadBalancerSG" }
      },
      {
        "Namespace": "aws:elb:policies",
        "OptionName": "ConnectionDrainingEnabled",
        "Value": "true"
      }
    ],
    "Tags": [
      {
        "Key": "Name",
        "Value": "AspectAPIEnv"
      }
    ]
  },
  "DependsOn": "RDSInstance"
}
4
amazon-web-servicesamazon-elastic-beanstalkamazon-cloudformationaws-security-group
you're positive the launch configuration is in the same VPC as the security group?Marc Young
Yes, all instances are inside the VPCbean
Is it possible for you to show us the template snippet for your Beanstalk environment resource?rbarni
Sure, just added it nowbean
Thanks, I've added an answer. @MarcYoung was on the right track, your environment resource is missing the VPC option settings.rbarni

4 Answers

13
votes

After looking at your AWS::ElasticBeanstalk::Environment resource, I was able to reproduce the error you are experiencing. As Marc Young suggested in a comment to your question, you are not specifying a VPC for your environment. Because your security group is in a VPC, it's not accessible from resources that are not also in the same VPC.

To fix it, you must add the following configuration option to your environment:

{
  "Namespace" : "aws:ec2:vpc",
  "OptionName" : "VPCId",
  "Value" : "vpc-10a75377"
},

If you specify a VPC, creating a stack with the updated template will fail with an error message saying that you also need to specify the environment subnets, so you will have to add the following options:

{
  "Namespace" : "aws:ec2:vpc",
  "OptionName" : "Subnets",
  "Value" : <insert the subnet for your instances here>
},
{
  "Namespace" : "aws:ec2:vpc",
  "OptionName" : "ELBSubnets",
  "Value" : <insert the subnet for your load balancer here>
}

You can check a working example of a Beanstalk application in a VPC in the Elastic Beanstalk CloudFormation sample templates.

0
votes

To overcome this:

You need to change the EB Security Group from AWS CLI, you cannot do it from AWS Web Console.

Considering you have already AWS CLI installed, you will need to do this command if you want to change the Security Group:

aws elasticbeanstalk update-environment –environment-name –option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=SecurityGroups,Value=””

Source

0
votes

You should be setting the DependsOn attribute in your LC definition to ensure it exists before the SG during stack creation. Otherwise you can't guarantee the reference will work.

"APIInstanceSG": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Security Group for Application EC2 Instances,
    "VpcId": "vpc-10a75377",
    "Tags": [{
      "Key": "Name",
      "Value": "APIInstanceSG" }
    }]
  },
  "DependsOn" : "APIInstanceSG"
}

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html

0
votes

In your template, instead of 

"DependsOn" : "RDSInstance"

write:

"DependsOn": ["APIInstanceSG", "RDSInstance"]

More info: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html