无法为 RDS Aurora postgresql 部署“ProxyTargetGroup”
Failed to deploy `ProxyTargetGroup` for RDS Aurora postgresql
我已经部署了一个 Aurora 集群和一个数据库实例 (postgresql 11.8) 以及一个作为 AWS 的代理。当我尝试像下面的代码一样添加代理目标组时,部署需要 1 小时并在 2 小时后超时。我附上了截图。如果我通过 AWS 控制台手动添加目标组,效果很好。我想知道我的配置有什么问题吗?
ProxyTargetGroup:
Type: AWS::RDS::DBProxyTargetGroup
Properties:
DBProxyName: !Ref DBProxy
DBClusterIdentifiers: [!Ref AuroraDBCluster]
TargetGroupName: default
ConnectionPoolConfigurationInfo:
MaxConnectionsPercent: 100
MaxIdleConnectionsPercent: 50
ConnectionBorrowTimeout: 120
DBProxy:
Type: AWS::RDS::DBProxy
Properties:
Auth:
- {AuthScheme: SECRETS, SecretArn: !Ref DBSecret, IAMAuth: REQUIRED}
DBProxyName: ${self:provider.stackName}-dbproxy
DebugLogging: true
EngineFamily: POSTGRESQL
IdleClientTimeout: 30
RequireTLS: true
RoleArn: !GetAtt DBProxyRole.Arn
VpcSecurityGroupIds:
- !Ref ClusterSecurityGroup
VpcSubnetIds:
- !Ref SubnetAPublic
- !Ref SubnetAPrivate
- !Ref SubnetBPrivate
- !Ref SubnetCPrivate
DBProxyRole:
Type: AWS::IAM::Role
Properties:
RoleName: ${self:provider.stackName}-dbproxyRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: ${self:provider.stackName}-dbproxyPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- secretsmanager:GetSecretValue
- secretsmanager:GetResourcePolicy
- secretsmanager:DescribeSecret
- secretsmanager:ListSecretVersionIds
Resource:
- "arn:aws:secretsmanager:${opt:region}:${self:provider.accountId}:secret:${opt:stage}/${self:service.name}/AuroraUserSecret"
- Effect: Allow
Action:
- kms:*
Resource: 'arn:aws:kms:${opt:region}:${self:provider.accountId}:key/*'
ClusterSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow traffic to client host
VpcId:
Ref: VPC
SecurityGroupIngress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
当 cloudformation 显示 update in progress 时,我可以看到目标组已添加且可用。但是 cloudformation 一直显示 in progress 直到超时。
我尝试使用自己的 Aurora 集群重新创建问题。我不得不填写很多空白,因为问题中只提供了一些点点滴滴。
但是,我没有问题 使用固定角色 创建代理。我使用的完整模板如下:
Parameters:
AuroraDBCluster:
Type: String
Default: database-22
DBSecret:
Type: String
Default: arn:aws:secretsmanager:us-east-1:xxxxxxx:secret:postgres-wCBBqC
ClusterSecurityGroup:
Type: AWS::EC2::SecurityGroup::Id
Default: sg-0f52f72631fa40b56
SubnetAPublic:
Type: AWS::EC2::Subnet::Id
SubnetAPrivate:
Type: AWS::EC2::Subnet::Id
SubnetBPrivate:
Type: AWS::EC2::Subnet::Id
SubnetCPrivate:
Type: AWS::EC2::Subnet::Id
Resources:
ProxyTargetGroup:
Type: AWS::RDS::DBProxyTargetGroup
Properties:
DBProxyName: !Ref DBProxy
DBClusterIdentifiers: [!Ref AuroraDBCluster]
TargetGroupName: default
ConnectionPoolConfigurationInfo:
MaxConnectionsPercent: 100
MaxIdleConnectionsPercent: 50
ConnectionBorrowTimeout: 120
DBProxy:
Type: AWS::RDS::DBProxy
Properties:
Auth:
- {AuthScheme: SECRETS, SecretArn: !Ref DBSecret, IAMAuth: DISABLED}
DBProxyName: ggggg-dbproxy
DebugLogging: true
EngineFamily: POSTGRESQL
IdleClientTimeout: 30
RequireTLS: true
RoleArn: !GetAtt DBProxyRole.Arn
VpcSecurityGroupIds:
- !Ref ClusterSecurityGroup
VpcSubnetIds:
- !Ref SubnetAPublic
- !Ref SubnetAPrivate
- !Ref SubnetBPrivate
- !Ref SubnetCPrivate
DBProxyRole:
Type: AWS::IAM::Role
Properties:
RoleName: dbproxyRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: AccessSecretAndKMS
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "${DBSecret}"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "secretsmanager.${AWS::Region}.amazonaws.com"
}
}
}
]
}
我试过你的代码,但还是会出现同样的“错误”
我必须将小改动“EngineFamily:POSTGRESQL”更改为“EngineFamily:Mysql”
我遇到了同样的问题,CF 堆栈在 UPDATE_IN_PROGRESS 中卡住了 2 小时。我的问题是我没有在关联的入口安全组规则上指定 CidrIp 属性。 Docs 说这不是必需的,但确实如此。规则从未创建,CF 也没有通知我。
创建入口规则为我解决了 DBProxyTargetGroup 问题。
我已经部署了一个 Aurora 集群和一个数据库实例 (postgresql 11.8) 以及一个作为 AWS 的代理。当我尝试像下面的代码一样添加代理目标组时,部署需要 1 小时并在 2 小时后超时。我附上了截图。如果我通过 AWS 控制台手动添加目标组,效果很好。我想知道我的配置有什么问题吗?
ProxyTargetGroup:
Type: AWS::RDS::DBProxyTargetGroup
Properties:
DBProxyName: !Ref DBProxy
DBClusterIdentifiers: [!Ref AuroraDBCluster]
TargetGroupName: default
ConnectionPoolConfigurationInfo:
MaxConnectionsPercent: 100
MaxIdleConnectionsPercent: 50
ConnectionBorrowTimeout: 120
DBProxy:
Type: AWS::RDS::DBProxy
Properties:
Auth:
- {AuthScheme: SECRETS, SecretArn: !Ref DBSecret, IAMAuth: REQUIRED}
DBProxyName: ${self:provider.stackName}-dbproxy
DebugLogging: true
EngineFamily: POSTGRESQL
IdleClientTimeout: 30
RequireTLS: true
RoleArn: !GetAtt DBProxyRole.Arn
VpcSecurityGroupIds:
- !Ref ClusterSecurityGroup
VpcSubnetIds:
- !Ref SubnetAPublic
- !Ref SubnetAPrivate
- !Ref SubnetBPrivate
- !Ref SubnetCPrivate
DBProxyRole:
Type: AWS::IAM::Role
Properties:
RoleName: ${self:provider.stackName}-dbproxyRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: ${self:provider.stackName}-dbproxyPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- secretsmanager:GetSecretValue
- secretsmanager:GetResourcePolicy
- secretsmanager:DescribeSecret
- secretsmanager:ListSecretVersionIds
Resource:
- "arn:aws:secretsmanager:${opt:region}:${self:provider.accountId}:secret:${opt:stage}/${self:service.name}/AuroraUserSecret"
- Effect: Allow
Action:
- kms:*
Resource: 'arn:aws:kms:${opt:region}:${self:provider.accountId}:key/*'
ClusterSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow traffic to client host
VpcId:
Ref: VPC
SecurityGroupIngress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
当 cloudformation 显示 update in progress 时,我可以看到目标组已添加且可用。但是 cloudformation 一直显示 in progress 直到超时。
我尝试使用自己的 Aurora 集群重新创建问题。我不得不填写很多空白,因为问题中只提供了一些点点滴滴。
但是,我没有问题 使用固定角色 创建代理。我使用的完整模板如下:
Parameters:
AuroraDBCluster:
Type: String
Default: database-22
DBSecret:
Type: String
Default: arn:aws:secretsmanager:us-east-1:xxxxxxx:secret:postgres-wCBBqC
ClusterSecurityGroup:
Type: AWS::EC2::SecurityGroup::Id
Default: sg-0f52f72631fa40b56
SubnetAPublic:
Type: AWS::EC2::Subnet::Id
SubnetAPrivate:
Type: AWS::EC2::Subnet::Id
SubnetBPrivate:
Type: AWS::EC2::Subnet::Id
SubnetCPrivate:
Type: AWS::EC2::Subnet::Id
Resources:
ProxyTargetGroup:
Type: AWS::RDS::DBProxyTargetGroup
Properties:
DBProxyName: !Ref DBProxy
DBClusterIdentifiers: [!Ref AuroraDBCluster]
TargetGroupName: default
ConnectionPoolConfigurationInfo:
MaxConnectionsPercent: 100
MaxIdleConnectionsPercent: 50
ConnectionBorrowTimeout: 120
DBProxy:
Type: AWS::RDS::DBProxy
Properties:
Auth:
- {AuthScheme: SECRETS, SecretArn: !Ref DBSecret, IAMAuth: DISABLED}
DBProxyName: ggggg-dbproxy
DebugLogging: true
EngineFamily: POSTGRESQL
IdleClientTimeout: 30
RequireTLS: true
RoleArn: !GetAtt DBProxyRole.Arn
VpcSecurityGroupIds:
- !Ref ClusterSecurityGroup
VpcSubnetIds:
- !Ref SubnetAPublic
- !Ref SubnetAPrivate
- !Ref SubnetBPrivate
- !Ref SubnetCPrivate
DBProxyRole:
Type: AWS::IAM::Role
Properties:
RoleName: dbproxyRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: AccessSecretAndKMS
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "${DBSecret}"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "secretsmanager.${AWS::Region}.amazonaws.com"
}
}
}
]
}
我试过你的代码,但还是会出现同样的“错误”
我必须将小改动“EngineFamily:POSTGRESQL”更改为“EngineFamily:Mysql”
我遇到了同样的问题,CF 堆栈在 UPDATE_IN_PROGRESS 中卡住了 2 小时。我的问题是我没有在关联的入口安全组规则上指定 CidrIp 属性。 Docs 说这不是必需的,但确实如此。规则从未创建,CF 也没有通知我。
创建入口规则为我解决了 DBProxyTargetGroup 问题。