Endpoint.Port does not exist for Security Group of RDS Proxy

0

Hi there,

we are having issues deploying our stack. It worked until Friday, Feb 09, and then all of a sudden it stopped working with the error below, saying that the security group cannot access an attribute.

AWS::EC2::SecurityGroupIngress | .../.../SecurityGroup/from DatabaseSecurityGroupXXX:{IndirectPort} (DatabaseSecurityGroupfromDatabaseSecurityGroupYYYYIndirectPortZZZ) Attribute 'Endpoint.Port' does not exist

The application we want to deploy consists of

  • an RDS instance
  • a proxy for the RDS instance
  • a Fargate Service/EC2 cluster with an application accessing that RDS instance
  • a memory cache for our application
  • a load balancer in front of the Fargate service
  • a VPC with a private subnetwork (contains RDS instance, proxy, and memory cache), a private one with egress (contains the Fargate service), and a public network (contains the LB)
  • a security group to which both proxy and RDS instance belong

We assumed there was some kind of race condition causing one service to be created too late, so we tried to explicitly set the deploy order:

  • RDS instance --> proxy --> Fargate service and
  • RDS instance --> IngressRule --> TargetGroup --> Proxy --> Fargate service
  • we also tried to give the proxy its own security group

We are using AWS CDK for deployment, so the CFN template is generated. This is what the snippet with the security group currently looks like:

DatabaseSecurityGroupYYYYIndirectPortZZZ:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow connections to the database Instance from the Proxy
      FromPort:
        Fn::GetAtt:
          - DatabaseInstanceAAAA
          - Endpoint.Port
      GroupId:
        Fn::GetAtt:
          - DatabaseSecurityGroupYYYY
          - GroupId
      IpProtocol: tcp
      SourceSecurityGroupId:
        Fn::GetAtt:
          - DatabaseSecurityGroupYYYY
          - GroupId
      ToPort:
        Fn::GetAtt:
          - DatabaseInstanceAAAA
          - Endpoint.Port
    Metadata:
      aws:cdk:path: path/to/Database/SecurityGroup/from DatabaseSecurityGroupYYYY:{IndirectPort}

Nothing helped. Now we are out of ideas... Has anyone observed a similar behavior, or does anyone have a clue what we are missing here? Or did AWS deploy some kind of update?

Best,

Cindy
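Whatever the root cause turns out to be, a pre-deploy check that resolves every Fn::GetAtt in the synthesized template against the documented return values is cheap to add and catches a mis-typed attribute or a reference to the wrong resource (for example asking the proxy for Endpoint.Port, which AWS::RDS::DBProxy does not expose) before CloudFormation does. This is an added example, not code from the question or from AWS CDK; the attribute table is a partial, hand-maintained list and the template is a constructed stub built around the fragment above.

```python
# Added example (not from the question or from AWS CDK): statically resolve every
# Fn::GetAtt in a synthesized template before deploying it. The attribute table is
# a partial list taken from the CloudFormation resource reference (assumed here).
KNOWN_ATTRIBUTES = {
    "AWS::RDS::DBInstance": {"Endpoint.Address", "Endpoint.Port",
                             "Endpoint.HostedZoneId", "DBInstanceArn", "DbiResourceId"},
    "AWS::RDS::DBProxy": {"DBProxyArn", "Endpoint", "VpcId"},  # no Endpoint.Port here
    "AWS::EC2::SecurityGroup": {"GroupId", "VpcId"},
}

def _get_atts(node):
    """Yield (logical_id, attribute) for every Fn::GetAtt below node."""
    if isinstance(node, dict):
        if list(node) == ["Fn::GetAtt"]:
            target = node["Fn::GetAtt"]
            if isinstance(target, str):          # short form "LogicalId.Attr"
                target = target.split(".", 1)
            yield target[0], target[1]
        else:
            for value in node.values():
                yield from _get_atts(value)
    elif isinstance(node, list):
        for item in node:
            yield from _get_atts(item)

def check_get_atts(template):
    """Return findings as strings; an empty list means every reference resolves."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        for target, attr in _get_atts(res.get("Properties", {})):
            if target not in resources:
                findings.append(f"{logical_id}: GetAtt target {target!r} is not a resource")
                continue
            rtype = resources[target]["Type"]
            allowed = KNOWN_ATTRIBUTES.get(rtype)      # resource types not in the table are skipped
            if allowed is not None and attr not in allowed:
                findings.append(f"{logical_id}: {rtype} has no attribute {attr!r}")
    return findings

# Constructed template: the ingress rule from the question plus minimal stubs for
# the two resources it references (sample values, not the real stack).
TEMPLATE = {"Resources": {
    "DatabaseInstanceAAAA": {"Type": "AWS::RDS::DBInstance", "Properties": {}},
    "DatabaseSecurityGroupYYYY": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
    "DatabaseSecurityGroupYYYYIndirectPortZZZ": {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": {
            "IpProtocol": "tcp",
            "GroupId": {"Fn::GetAtt": ["DatabaseSecurityGroupYYYY", "GroupId"]},
            "SourceSecurityGroupId": {"Fn::GetAtt": ["DatabaseSecurityGroupYYYY", "GroupId"]},
            "FromPort": {"Fn::GetAtt": ["DatabaseInstanceAAAA", "Endpoint.Port"]},
            "ToPort": {"Fn::GetAtt": ["DatabaseInstanceAAAA", "Endpoint.Port"]}}}}}
```

The fragment from the question passes this check, so the "Attribute 'Endpoint.Port' does not exist" failure it reports is raised by CloudFormation at deploy time rather than by a malformed reference.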

1 Answer
0

Hi Cindy,

Given the error message, it seems to be just a syntax error in your CFN template. Can you update your question with just the fragment where you refer to Endpoint.Port?

You may have to use either the CFN GetAtt intrinsic function or the $ notation, depending on your exact context.

See

Best,

Didier

AWS
EXPERT
answered 3 months ago
  • Hi Didier,

    we are using AWS CDK for deployment, so the CFN template is generated. Nevertheless, I updated the question with the corresponding snippet. Best, Cindy
