Cloudformation AWSEBSecurityGroup VPCIdNotSpecified - even though VpcId is specified?

1

I am trying to create a CloudFormation stack with a template that another team has created. It creates an RDS instance, Elastic Beanstalk, Lambdas, and an API Gateway. Their template works for them, but they were creating a VPC + subnets + security groups in the template. I already have a VPC created, as well as 2 subnets that I need to use.

This is the template code:

  MCTEBApp:
    Type: AWS::ElasticBeanstalk::Application
    Properties: 
      Description: ""
  MCTEBVersion:
    Type: AWS::ElasticBeanstalk::ApplicationVersion
    Properties:
      ApplicationName: !Ref MCTEBApp
      Description: ""
      SourceBundle:
        S3Bucket: !ImportValue 
          'Fn::Sub': "${CICDStackName}-CodeBucket"
        S3Key: "web/docker-compose.yml"
  MCTEBEnv:
    Type: AWS::ElasticBeanstalk::Environment
    Properties: 
      ApplicationName: !Ref MCTEBApp
      Description: ""
      SolutionStackName: ""
      OptionSettings:
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: InstanceType
          Value: t1.micro
        - Namespace: aws:elasticbeanstalk:environment
          OptionName: EnvironmentType
          Value: SingleInstance
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: IamInstanceProfile
          Value: aws-elasticbeanstalk-ec2-role
        - Namespace: aws:elasticbeanstalk:environment
          OptionName: ServiceRole
          Value: aws-elasticbeanstalk-service-role
      Tier: 
        Name: WebServer
        Type: Standard
      VersionLabel: !Ref MCTEBVersion
  MCTEBConfig:
    Type: AWS::ElasticBeanstalk::ConfigurationTemplate
    Properties: 
      ApplicationName: !Ref MCTEBApp
      Description: ""
      SolutionStackName: ""
      OptionSettings:
        - Namespace: aws:ec2:vpc
          OptionName: VPCId
          Value: vpc-###
        - Namespace: aws:ec2:vpc
          OptionName: Subnets
          Value: subnet-###
        - Namespace: aws:ec2:vpc
          OptionName: ELBSubnets
          Value: subnet-###
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: SecurityGroups
          Value: !Ref MCTEBSecurityGroup
  MCTEBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS allows ingress from EC2 instances in this group.
      VpcId: vpc-###

The Elastic Beanstalk instance is failing to be created. The logical ID is AWSEBSecurityGroup and the Status Reason is: No default VPC for this user (Service: AmazonEC2; Status Code: 400; Error Code: VPCIdNotSpecified; Request ID: ###; Proxy: null)

I am not sure what I need to change to make this work. There is no option of re-creating a default VPC due to security restrictions.

asked 2 years ago, 1121 views
2 Answers
0

AWSEBSecurityGroup is a dynamic resource that Beanstalk creates for you. It's also the security group attached to the Auto Scaling group.

To start debugging this, open the CloudFormation console and look for the stack that is dynamically created; its name will start with awseb-e. Switch to the Template tab and copy and paste the contents into an editor. Convert it into YAML, which will make it easier to read, then search for the resource AWSEBSecurityGroup and see which property values are being used and whether they are what you expect.

RoB
answered 2 years ago
  • Thanks, this is what it looks like:

    Resources:
      AWSEBSecurityGroup:
        Properties:
          GroupDescription: SecurityGroup for ElasticBeanstalk environment.
          SecurityGroupIngress:
            - CidrIp: 0.0.0.0/0
              FromPort:
                Ref: InstancePort
              ToPort:
                Ref: InstancePort
              IpProtocol: tcp
        Type: 'AWS::EC2::SecurityGroup'
    

    It's not using the VPC ID I gave in the template. There must be something I need to change in the template, I just don't know what.

  • In the root stack, is the SG created before the resource MCTEBConfig? I would expect it to be, because of the implicit !Ref. If you look within the Resources tab, do you see an SG created for MCTEBSecurityGroup, and does it belong to the relevant VPC?

  • Following on from jsonc's response. Within MCTEBConfig try replacing

    - Namespace: aws:autoscaling:launchconfiguration
      OptionName: SecurityGroups
      Value: !Ref MCTEBSecurityGroup
    

    with

    - Namespace: aws:autoscaling:launchconfiguration
      OptionName: SecurityGroups
      Value: !GetAtt MCTEBSecurityGroup.GroupId
    

    I say this because of the following, taken from the docs: "If you use Amazon Virtual Private Cloud (Amazon VPC) with Elastic Beanstalk so that your instances are launched within a virtual private cloud (VPC), specify security group IDs instead of security group names."

  • I added DependsOn and !GetAtt. The resource yaml looks like this:

            - Namespace: aws:autoscaling:launchconfiguration
              OptionName: SecurityGroups
              Value: !GetAtt MCTEBSecurityGroup.GroupId
        DependsOn: MCTEBSecurityGroup
    

    I also tried creating an SG through the console, then used that ID in the template.

    Unfortunately I see no change - Elastic Beanstalk still tries to create an SG with a default VPC. Looking at the resources I do see an SG for MCTEBSecurityGroup in the correct VPC. I've tried googling the issue, but didn't find anything that helped.

  • Would you be able to delete the stack then relaunch it to see if you see the same behavior?

0

I would try 2 things:

  1. In EB, the Security Group reference must refer to the ID and not the name. The !Ref will pull the name; try using !GetAtt Security.GroupId (if YAML) to retrieve the Security Group ID.

  2. You could also use the CloudFormation DependsOn Property to ensure the MCTEBSecurityGroup resource gets deployed first if there's an order issue.

Hope that helps!

References:
  EC2 error code explanations: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/errors-overview.html
  DependsOn: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html

jsonc
answered 2 years ago
  • I commented on RoB's suggestion, so this is mostly the same - I tried the above, and unfortunately neither 1 alone, 2 alone, nor 1 and 2 together made a difference. The MCTEBSecurityGroup is getting created, but it looks like it's not being used in the Elastic Beanstalk creation.
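Added example, not part of the thread. The two suggested changes act on MCTEBConfig, but the posted template never attaches MCTEBConfig to MCTEBEnv: an AWS::ElasticBeanstalk::Environment only picks up a ConfigurationTemplate's option settings through its TemplateName property. Without that reference the aws:ec2:vpc settings are never applied, the environment is created against the account's default VPC (which this account does not have, hence VPCIdNotSpecified), and the AWSEBSecurityGroup in the nested awseb-e stack is rendered without a VpcId, which is exactly what the pasted nested template shows. The fragment below keeps the question's placeholders (vpc-###, subnet-###, the empty SolutionStackName) and the question's resource names; MCTEBApp and MCTEBVersion are assumed to exist unchanged and are shown only by reference. SolutionStackName moves out of the Environment because the Environment accepts either TemplateName or SolutionStackName, not both.

```yaml
Resources:
  MCTEBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS allows ingress from EC2 instances in this group.
      VpcId: vpc-###            # the existing VPC from the question

  MCTEBConfig:
    Type: AWS::ElasticBeanstalk::ConfigurationTemplate
    Properties:
      ApplicationName: !Ref MCTEBApp
      Description: ""
      SolutionStackName: ""     # left empty as in the question; set it here, not on the Environment
      OptionSettings:
        - Namespace: aws:ec2:vpc
          OptionName: VPCId
          Value: vpc-###
        - Namespace: aws:ec2:vpc
          OptionName: Subnets
          Value: subnet-###
        - Namespace: aws:ec2:vpc
          OptionName: ELBSubnets
          Value: subnet-###
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: SecurityGroups
          Value: !GetAtt MCTEBSecurityGroup.GroupId   # ID, not name, as the thread suggests

  MCTEBEnv:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      ApplicationName: !Ref MCTEBApp
      Description: ""
      # The line the posted template lacks. Without it MCTEBConfig is an
      # unused resource and aws:ec2:vpc is never set on the environment.
      TemplateName: !Ref MCTEBConfig
      VersionLabel: !Ref MCTEBVersion
      Tier:
        Name: WebServer
        Type: Standard
      # Environment-specific settings stay here and are merged on top of the template's.
      OptionSettings:
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: InstanceType
          Value: t1.micro
        - Namespace: aws:elasticbeanstalk:environment
          OptionName: EnvironmentType
          Value: SingleInstance
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: IamInstanceProfile
          Value: aws-elasticbeanstalk-ec2-role
        - Namespace: aws:elasticbeanstalk:environment
          OptionName: ServiceRole
          Value: aws-elasticbeanstalk-service-role
```

After deploying, the nested awseb-e stack's AWSEBSecurityGroup should carry a VpcId matching vpc-###; that is the check RoB's answer describes. Note that the pasted nested template also shows AWSEBSecurityGroup allowing InstancePort from 0.0.0.0/0, so landing it in the right VPC does not by itself restrict who can reach the instance; review that rule separately.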
