
AWS RDS Proxy stuck with PENDING_PROXY_CAPACITY

0

I created an AWS RDS proxy with terraform:

resource "aws_iam_role" "my_role" {
  name        = "proxy"
  path        = "/service-role/"

  assume_role_policy = <<-EOT
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "rds.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  EOT
}

resource "aws_iam_policy" "my_policy" {
  name        = "proxy-policy"

  policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "${aws_secretsmanager_secret.my_secret.arn}"
        }
      ]
    }
  EOF
}

resource "aws_iam_role_policy_attachment" "my_policy" {
  role       = aws_iam_role.my_role.name
  policy_arn = aws_iam_policy.my_policy.arn
}

resource "aws_db_proxy" "my_proxy" {
  name                   = "my-proxy"
  debug_logging          = true
  engine_family          = "MYSQL"
  idle_client_timeout    = 900
  require_tls            = true
  role_arn               = aws_iam_role.my_role.arn
  vpc_security_group_ids = ["sg-123"]
  vpc_subnet_ids         = ["subnet-123"]

  auth {
    auth_scheme = "SECRETS"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.my_secret.arn
  }
}

resource "aws_db_proxy_default_target_group" "my_proxy" {
  db_proxy_name = aws_db_proxy.my_proxy.name
}

resource "aws_db_proxy_target" "my_proxy" {
  db_cluster_identifier = "my-cluster"
  db_proxy_name         = aws_db_proxy.my_proxy.name
  target_group_name     = aws_db_proxy_default_target_group.my_proxy.name
}

I can't connect to the generated endpoint though. When checking with aws rds describe-db-proxy-targets --db-proxy-name my-proxy --region us-west-2, I get this:

{
    "Targets": [
        {
            "RdsResourceId": "my-cluster",
            "Port": 3306,
            "Type": "TRACKED_CLUSTER"
        },
        {
            "Endpoint": "yyy.us-west-2.rds.amazonaws.com",
            "TrackedClusterId": "my-cluster",
            "RdsResourceId": "my-cluster-123",
            "Port": 3306,
            "Type": "RDS_INSTANCE",
            "Role": "UNKNOWN",
            "TargetHealth": {
                "State": "UNAVAILABLE",
                "Reason": "PENDING_PROXY_CAPACITY",
                "Description": "DBProxy Target is waiting for proxy to scale to desired capacity"
            }
        }
    ]
}

When checking the CloudWatch logs for /aws/rds/proxy/core-db, there is nothing. Is there anything else I can do to debug this? Any directions?

asked 2 years ago, 1.2K views
3 Answers
1
Accepted Answer

Was able to figure it out, I forgot to allow the RDS Proxy security group to access the RDS cluster security group.

answered a year ago
EXPERT
reviewed a year ago
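The accepted answer points at the missing security group rule. As an added example (not the asker's configuration and not code from AWS), the Terraform below gives the proxy and the cluster their own security groups and adds the proxy-to-cluster rule that the original configuration lacks. The VPC id, the `app` security group and all resource names are assumptions; the port is MySQL's 3306, matching the target output above.

```hcl
# Added example: explicit security groups for an RDS Proxy in front of an
# Aurora MySQL cluster. vpc_id, aws_security_group.app and all names are
# placeholders for this illustration.

variable "vpc_id" {
  default = "vpc-0123456789abcdef0" # placeholder, not a real VPC
}

# Attached to the proxy's network interfaces (vpc_security_group_ids on aws_db_proxy).
resource "aws_security_group" "proxy" {
  name        = "my-proxy-sg"
  description = "RDS Proxy network interfaces"
  vpc_id      = var.vpc_id
}

# Attached to the Aurora cluster (vpc_security_group_ids on aws_rds_cluster).
resource "aws_security_group" "db" {
  name        = "my-db-sg"
  description = "Aurora MySQL cluster"
  vpc_id      = var.vpc_id
}

# Application tier -> proxy. Only the app security group may open client connections.
resource "aws_security_group_rule" "app_to_proxy" {
  type                     = "ingress"
  security_group_id        = aws_security_group.proxy.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id # assumed to exist
}

# Proxy -> cluster ingress. Without this rule the proxy's health checks never
# reach MySQL and every target stays UNAVAILABLE / PENDING_PROXY_CAPACITY.
resource "aws_security_group_rule" "proxy_to_db" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.proxy.id
}

# Proxy egress to the cluster. The Terraform AWS provider removes the allow-all
# egress rule that AWS normally creates, so egress has to be declared explicitly.
resource "aws_security_group_rule" "proxy_egress_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.proxy.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.db.id
}

# In the proxy resource from the question, replace the hard-coded id:
#   vpc_security_group_ids = [aws_security_group.proxy.id]
# and on the aws_rds_cluster resource:
#   vpc_security_group_ids = [aws_security_group.db.id]
```

Two checks worth doing after apply: `aws rds describe-db-proxy-targets` should move the instance target from UNAVAILABLE to AVAILABLE once the health checks succeed, and `aws ec2 describe-security-groups` on the cluster's group should list the proxy group as an ingress source on 3306. Restricting both rules to security-group sources rather than CIDR ranges keeps the cluster reachable only through the proxy, which is the least-privilege shape a proxy deployment is meant to enforce.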
1

Hi,

I have had such problems due to a mismatch in TLS versions between the RDS cluster and the RDS proxy: can you check that you defined them the same in your config?

For TLS in the proxy, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.howitworks.html

For TLS in the cluster, see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html

Best,

Didier

EXPERT
answered a year ago
EXPERT
reviewed a year ago
0

Is "having the same security group" for both the Aurora DB and the proxy supposed to work? (spoiler alert, it's not working.)

answered 2 months ago
