Endpoint.Port does not exist for Security Group of RDS Proxy


Hi there,

we are having issues with deploying our stack. It worked until Friday, Feb 09, and then all of a sudden it stopped working with the error below, which says that the security group cannot access an attribute.

AWS::EC2::SecurityGroupIngress | .../.../SecurityGroup/from DatabaseSecurityGroupXXX:{IndirectPort} (DatabaseSecurityGroupfromDatabaseSecurityGroupYYYYIndirectPortZZZ) Attribute 'Endpoint.Port' does not exist

The application we want to deploy consists of

  • an RDS instance
  • a proxy for the RDS instance
  • a Fargate Service/EC2 cluster with an application accessing that RDS instance
  • a memory cache for our application
  • a load balancer in front of the Fargate service
  • a VPC with a private subnetwork (contains RDS instance, proxy, and memory cache), private with egress (contains the Fargate service), and a public network (contains the LB)
  • a security group to which both proxy and RDS instance belong

We assumed there would be some kind of race condition causing one service to be created too late, so we tried to explicitly set the deployment order:

  • RDS instance --> proxy --> Fargate service and
  • RDS instance --> IngressRule --> TargetGroup --> Proxy --> Fargate service
  • we also tried to give the proxy its own security group

We are using AWS CDK for deployment, so the CFN template is generated. This is what the snippet with the security group currently looks like:

    DatabaseSecurityGroupfromDatabaseSecurityGroupYYYYIndirectPortZZZ:
      Type: AWS::EC2::SecurityGroupIngress
      Properties:
        Description: Allow connections to the database Instance from the Proxy
        FromPort:
          Fn::GetAtt:
            - DatabaseInstanceAAAA
            - Endpoint.Port
        GroupId:
          Fn::GetAtt:
            - DatabaseSecurityGroupYYYY
            - GroupId
        IpProtocol: tcp
        SourceSecurityGroupId:
          Fn::GetAtt:
            - DatabaseSecurityGroupYYYY
            - GroupId
        ToPort:
          Fn::GetAtt:
            - DatabaseInstanceAAAA
            - Endpoint.Port
      Metadata:
        aws:cdk:path: path/to/Database/SecurityGroup/from DatabaseSecurityGroupYYYY:{IndirectPort}

Nothing helped. Now we are out of ideas... Has anyone observed a similar behavior, or does anyone have a clue what we are missing here? Or did AWS deploy some kind of update?
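As an added example that is not part of this thread: a small offline check, in Python, that walks a CloudFormation template (already loaded into a dict, e.g. with yaml.safe_load) and resolves every Fn::GetAtt against a table of documented return values, so an attribute reference like Endpoint.Port on a resource type that does not expose it is caught before a deploy fails with the error quoted above. The attribute table is a constructed subset covering only the three resource types from the question, the logical IDs reuse the question's placeholders, and the proxy ID DatabaseProxyBBBB is an assumed name.

```python
KNOWN_ATTRIBUTES = {  # constructed subset of the documented Fn::GetAtt return values
    "AWS::RDS::DBInstance": {"Endpoint.Address", "Endpoint.Port", "Endpoint.HostedZoneId", "DBInstanceArn"},
    "AWS::RDS::DBProxy": {"Arn", "Endpoint", "VpcId"},  # a proxy exposes a plain Endpoint, no Endpoint.Port
    "AWS::EC2::SecurityGroup": {"GroupId", "VpcId"},
}

def iter_get_atts(node):
    """Yield (logical_id, attribute) for every Fn::GetAtt found anywhere under node."""
    if isinstance(node, dict):
        if "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]
            if isinstance(target, str):  # short form "LogicalId.Attribute"
                target = target.split(".", 1)
            yield target[0], target[1]
        for value in node.values():
            yield from iter_get_atts(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_get_atts(item)

def check_get_atts(template):
    """Return the list of unresolvable GetAtts; an empty list means every reference resolves."""
    resources = template.get("Resources", {})
    problems = []
    for logical_id, attr in iter_get_atts(resources):
        if logical_id not in resources:
            problems.append(f"{logical_id}: no such resource")
        else:
            rtype = resources[logical_id]["Type"]
            if rtype in KNOWN_ATTRIBUTES and attr not in KNOWN_ATTRIBUTES[rtype]:
                problems.append(f"Attribute '{attr}' does not exist on {logical_id} ({rtype})")
    return problems

def ingress(port_source):
    """Constructed ingress rule shaped like the CDK output in the question; the port comes from port_source."""
    port = {"Fn::GetAtt": [port_source, "Endpoint.Port"]}
    group = {"Fn::GetAtt": ["DatabaseSecurityGroupYYYY", "GroupId"]}
    return {"Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"GroupId": group, "SourceSecurityGroupId": group,
                           "IpProtocol": "tcp", "FromPort": port, "ToPort": port}}

TEMPLATE = {"Resources": {  # constructed template using the question's placeholder logical IDs
    "DatabaseInstanceAAAA": {"Type": "AWS::RDS::DBInstance"},
    "DatabaseProxyBBBB": {"Type": "AWS::RDS::DBProxy"},  # assumed logical ID for the proxy
    "DatabaseSecurityGroupYYYY": {"Type": "AWS::EC2::SecurityGroup"},
    "IngressFromInstancePort": ingress("DatabaseInstanceAAAA"),  # resolves: DBInstance has Endpoint.Port
    "IngressFromProxyPort": ingress("DatabaseProxyBBBB"),        # flagged: DBProxy has no Endpoint.Port
}}

if __name__ == "__main__":
    for problem in check_get_atts(TEMPLATE):
        print(problem)
```

Running it on the CDK-synthesised template (cdk synth, then yaml.safe_load) instead of the constructed one shows which resource the failing Endpoint.Port reference actually points at.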



1 answer

Hi Cindy,

Given the error message, it seems to be just a syntax error in your CFN template. Can you update your question with just the fragment where you refer to Endpoint.Port?

You may either have to use the CFN GetAtt intrinsic function or $notation, depending on your exact context.




AWS
answered 9 days ago
  • Hi Didier,

    we are using AWS CDK for deployment, so the CFN template is generated. Nevertheless, I have updated the question with the corresponding snippet. Best, Cindy
