Hi there,
we are having issues with deploying our stack. It worked until Friday, Feb 09, and then all of a sudden it stopped working with the error below, which says that the security group cannot access an attribute.
AWS::EC2::SecurityGroupIngress | .../.../SecurityGroup/from DatabaseSecurityGroupXXX:{IndirectPort} (DatabaseSecurityGroupfromDatabaseSecurityGroupYYYYIndirectPortZZZ) Attribute 'Endpoint.Port' does not exist
The application we want to deploy consists of
- an RDS instance
- a proxy for the RDS instance
- a Fargate Service/EC2 cluster with an application accessing that RDS instances
- a memory cache for our application
- a load balancer in front of the Fargate service
- a VPC with a private subnetwork (contains the RDS instance, proxy, and memory cache), a private subnetwork with egress (contains the Fargate service), and a public network (contains the LB)
- a security group to which both proxy and RDS instance belong
We assumed there was some kind of race condition causing one service to be created too late, so we tried to set the deploy order explicitly:
- RDS instance --> proxy --> Fargate service
and
- RDS instance --> IngressRule --> TargetGroup --> Proxy --> Fargate service
- we also tried to give the proxy its own security group
We are using AWS CDK for deployment, so the CFN template is generated. This is what the snippet with the security group currently looks like:
DatabaseSecurityGroupYYYYIndirectPortZZZ:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    Description: Allow connections to the database Instance from the Proxy
    FromPort:
      Fn::GetAtt:
        - DatabaseInstanceAAAA
        - Endpoint.Port
    GroupId:
      Fn::GetAtt:
        - DatabaseSecurityGroupYYYY
        - GroupId
    IpProtocol: tcp
    SourceSecurityGroupId:
      Fn::GetAtt:
        - DatabaseSecurityGroupYYYY
        - GroupId
    ToPort:
      Fn::GetAtt:
        - DatabaseInstanceAAAA
        - Endpoint.Port
  Metadata:
    aws:cdk:path: path/to/Database/SecurityGroup/from DatabaseSecurityGroupYYYY:{IndirectPort}
Nothing helped. Now we are out of ideas... Has anyone observed similar behavior or have a clue what we are missing here? Or did AWS deploy some kind of update?
Best,
Cindy
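The snippet above is a generated template, so the one thing a reviewer can do before `cdk deploy` is check it statically. The following is an added example (not the poster's code and not part of AWS CDK or CloudFormation) that walks every `Fn::GetAtt` in a synthesized template, verifies the target resource exists and the attribute is one that resource type exposes, and summarizes each `AWS::EC2::SecurityGroupIngress` rule so the ports and sources it opens can be reviewed. The attribute allowlist is a hand-maintained, partial assumption covering only the types in this stack, the logical IDs in the constructed sample are placeholders modeled on the post, and a static check of this kind cannot reproduce the runtime error reported above; it catches misnamed resources or attributes and over-broad sources.

```python
"""Static pre-deploy check over a CloudFormation template loaded as JSON/YAML.

Added example, not the poster's code: validates Fn::GetAtt references and
summarizes security-group ingress rules in a template such as
cdk.out/<StackName>.template.json.
"""
import json

# Hand-maintained, partial allowlist of Fn::GetAtt attributes (assumption:
# only the resource types this stack uses; extend from the CFN reference).
KNOWN_ATTRIBUTES = {
    "AWS::RDS::DBInstance": {"Endpoint.Address", "Endpoint.Port",
                             "Endpoint.HostedZoneId", "DBInstanceArn"},
    "AWS::EC2::SecurityGroup": {"GroupId", "VpcId"},
    "AWS::RDS::DBProxy": {"DBProxyArn", "Endpoint", "VpcId"},
}

# Constructed template fragment with the same shape as the snippet in the
# post; logical IDs are placeholders. "BadIngress" is deliberately broken.
SAMPLE_TEMPLATE = {
    "Resources": {
        "DatabaseSecurityGroupYYYY": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "db sg", "VpcId": "vpc-placeholder"},
        },
        "DatabaseInstanceAAAA": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "Engine": "postgres", "DBInstanceClass": "db.t3.micro",
                "VPCSecurityGroups": [{"Fn::GetAtt": ["DatabaseSecurityGroupYYYY", "GroupId"]}],
            },
        },
        "DatabaseSecurityGroupYYYYIndirectPortZZZ": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "Description": "Allow connections to the database Instance from the Proxy",
                "FromPort": {"Fn::GetAtt": ["DatabaseInstanceAAAA", "Endpoint.Port"]},
                "ToPort": {"Fn::GetAtt": ["DatabaseInstanceAAAA", "Endpoint.Port"]},
                "GroupId": {"Fn::GetAtt": ["DatabaseSecurityGroupYYYY", "GroupId"]},
                "SourceSecurityGroupId": {"Fn::GetAtt": ["DatabaseSecurityGroupYYYY", "GroupId"]},
                "IpProtocol": "tcp",
            },
        },
        "BadIngress": {  # typo'd resource, unknown attribute, public source
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "FromPort": {"Fn::GetAtt": ["DatabaseInstanceAAA", "Endpoint.Port"]},
                "ToPort": {"Fn::GetAtt": ["DatabaseInstanceAAAA", "Endpoint.Prt"]},
                "GroupId": {"Fn::GetAtt": ["DatabaseSecurityGroupYYYY", "GroupId"]},
                "CidrIp": "0.0.0.0/0",
                "IpProtocol": "tcp",
            },
        },
    }
}


def split_getatt(value):
    """Accept both the list form ["Res", "Attr"] and the short form "Res.Attr"."""
    if isinstance(value, str):
        target, attr = value.split(".", 1)
        return target, attr
    return value[0], value[1]


def iter_getatts(node, path=()):
    """Yield (path, target_logical_id, attribute) for every Fn::GetAtt in node."""
    if isinstance(node, dict):
        if "Fn::GetAtt" in node and len(node) == 1:
            target, attr = split_getatt(node["Fn::GetAtt"])
            yield path, target, attr
            return
        for key, value in node.items():
            yield from iter_getatts(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_getatts(value, path + (i,))


def check_getatts(template):
    """Return a list of human-readable issues for unresolvable GetAtt references."""
    resources = template.get("Resources", {})
    issues = []
    for path, target, attr in iter_getatts(resources):
        owner = path[0]  # logical ID of the resource holding the reference
        if target not in resources:
            issues.append(f"{owner}: Fn::GetAtt targets unknown resource '{target}'")
            continue
        rtype = resources[target].get("Type")
        allowed = KNOWN_ATTRIBUTES.get(rtype)
        if allowed is not None and attr not in allowed:
            issues.append(f"{owner}: '{attr}' is not a known attribute of {rtype} ({target})")
    return issues


def describe(value):
    """Render a property as a literal or as the Res.Attr it resolves from."""
    if isinstance(value, dict) and "Fn::GetAtt" in value:
        target, attr = split_getatt(value["Fn::GetAtt"])
        return f"{target}.{attr}"
    return str(value)


def summarise_ingress(template):
    """One row per SecurityGroupIngress: target group, protocol, ports, source."""
    rows = []
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroupIngress":
            continue
        p = res.get("Properties", {})
        source = p.get("SourceSecurityGroupId") or p.get("CidrIp") or p.get("CidrIpv6") or "?"
        rows.append({
            "rule": lid,
            "group": describe(p.get("GroupId")),
            "proto": p.get("IpProtocol"),
            "ports": f"{describe(p.get('FromPort'))}-{describe(p.get('ToPort'))}",
            "source": describe(source),
            "public": source in ("0.0.0.0/0", "::/0"),
        })
    return rows


if __name__ == "__main__":
    for issue in check_getatts(SAMPLE_TEMPLATE):
        print("ISSUE:", issue)
    for row in summarise_ingress(SAMPLE_TEMPLATE):
        print(json.dumps(row))
```

To run it against a real synthesized stack, replace `SAMPLE_TEMPLATE` with `json.load(open("cdk.out/<StackName>.template.json"))`; the ingress rule from the post passes both checks, which is consistent with the error being raised at deploy time rather than by the template's own references.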
Hi Didier,
we are using AWS CDK for deployment, so the CFN template is generated. Nevertheless, I updated the question with the corresponding snippet. Best, Cindy