amazon-web-services - AWS CloudFormation：无法创建 RDS 数据库，因为数据库安全组无法引用 Web 服务器的安全组

问题描述

我正在使用 AWS CloudFormation 构建我的基础设施。我正在使用一个安全组创建一个 RDS 数据库资源，该安全组引用另一个连接到 Web 服务器的安全组。但是当我部署模板时它失败了。

这是我的模板。

AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
  KeyName:
    Default: 'PatheinDirectory'
    Type: String
  InstanceType:
    Default: 't2.micro'
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
  DBInstanceIdentifier:
    Type: String
    Default: 'coredbidentifier'
  DBName:
    Type: String
    Default: 'coredb'
  DBUsername:
    Type: String
    Default: 'coredbadmin'
  DBClass:
    Type: String
    Default: 'db.t2.micro'
  DBAllocatedStorage:
    Type: String
    Default: '5'
  DBPassword:
    Type: String

Mappings:
  Region2Principal:
    us-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-south-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-east-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ca-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    sa-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    cn-north-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    cn-northwest-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    eu-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-north-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com

Resources:
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp:
            Ref: SSHLocation

  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '3306'
          ToPort: '3306'
          SourceSecurityGroupId: !Ref WebServerSecurityGroup

  WebDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: MySQL
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      VPCSecurityGroups:
        - !Ref DBSecurityGroup

这是我在日志中得到的错误。

{
            "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/a710bab0-e1f5-11ea-8647-02dbc193ed28",
            "EventId": "b47b0660-e1f5-11ea-bedf-0ac92d082ee0",
            "StackName": "patheindirectory",
            "LogicalResourceId": "patheindirectory",
            "PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/a710bab0-e1f5-11ea-8647-02dbc193ed28",
            "ResourceType": "AWS::CloudFormation::Stack",
            "Timestamp": "2020-08-19T08:26:39.929000+00:00",
            "ResourceStatus": "ROLLBACK_IN_PROGRESS",
            "ResourceStatusReason": "The following resource(s) failed to create: [DBSecurityGroup]. . Rollback requested by user."
        },
        {
            "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/a710bab0-e1f5-11ea-8647-02dbc193ed28",
            "EventId": "DBSecurityGroup-CREATE_FAILED-2020-08-19T08:26:39.217Z",
            "StackName": "patheindirectory",
            "LogicalResourceId": "DBSecurityGroup",
            "PhysicalResourceId": "patheindirectory-DBSecurityGroup-AYJS8S8FDNCE",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "Timestamp": "2020-08-19T08:26:39.217000+00:00",
            "ResourceStatus": "CREATE_FAILED",
            "ResourceStatusReason": "Invalid id: \"patheindirectory-WebServerSecurityGroup-9KMFVDEWRVSF\" (expecting \"sg-...\") (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroupId.Malformed; Request ID: dec3b1d3-1259-
44cc-bdb9-84f4bf764df6)",
            "ResourceProperties": "{\"GroupDescription\":\"Database security group\",\"SecurityGroupIngress\":[{\"FromPort\":\"3306\",\"ToPort\":\"3306\",\"IpProtocol\":\"tcp\",\"SourceSecurityGroupId\":\"patheindirectory-WebServerS
ecurityGroup-9KMFVDEWRVSF\"}]}"
        },

我的模板有什么问题，我该如何解决？

标签： amazon-web-servicesamazon-cloudformationamazon-rds