I want to allow CodeBuild to run my database migrations. I am configuring my CodeBuild project to be in the VPC and subnet of my RDS. But what do I put for security group? Is this security group to allow/deny access to my CodeBuild? Or should I understand it as the security group I want my CodeBuild to access?
Quote from CodeBuild doc:
"For Security Groups, choose the security groups that AWS CodeBuild uses to allow access to resources in the VPCs."
Learn more about using VPC with CodeBuild: https://docs.aws.amazon.com/codebuild/latest/userguide/vpc-support.html
Related
I'm trying to create an AWS RDS using CLI, usually I create it using AWS Console. When I try to create an RDS instance, I saw these 2 parameters:
--db-security-groups
--vpc-security-group-ids
What is the difference between these 2 values? I couldn't find a value related to --db-security-groups via the console. These are the definitions that AWS provides in the documentation:
--db-security-groups (list)
A list of DB security groups to associate with this DB instance.
Default: The default DB security group for the database engine.
--vpc-security-group-ids (list)
A list of Amazon EC2 VPC security groups to associate with this DB
instance.
Amazon Aurora Not applicable. The associated list of EC2 VPC security
groups is managed by the DB cluster.
Default: The default EC2 VPC security group for the DB subnet group's
VPC.
I still couldn't understand, what is the difference. Or is there any security group specific to DB only?
This is explained in AWS docs:
DB security groups are used with DB instances that are not in a VPC and on the EC2-Classic platform.
These days you would use only vpc-security-group-ids, unless you have old aws account.
The detailed comparison is also in [the docs](DB security groups vs. VPC security groups):
DB security groups vs. VPC security groups
I am trying to restrict access to a load balancer to a fixed IP and to CodeBuild agents. To that end, I want to add a security group rule that will prevent access to the load balancer unless traffic comes from the security group associated with the CodeBuild agents (as well as a separate security group rule that restricts access except from the fixed IP). I think this means I need to associate CodeBuild with the VPC of the load balancer.
However, when I try to update an existing CodeBuild project using Terraform's codebuild_project resourcce and configure the VPC like this:
vpc_config {
security_group_ids = [var.codebuild_sg]
subnets = var.public_subnet_ids
vpc_id = var.vpc_id
}
where the variables are the security group to be used by CodeBuild, the subnets into which CodeBuild should be launched and the VPC, respectively, I get the following error message:
Error updating CodeBuild project
(arn:aws:codebuild:eu-west-2:xxxxx:project/my-project):
InvalidInputException: CodeBuild currently doesn't support VPC in
eu-west-2c, please select subnets in other availability zones.
Are there some AZs for which CodeBuild does not support VPCs? Or does this message mean something else?
Yes, CodeBuild is not available in eu-west-2c. In eu-west-2 region, CodeBuild is only available in 2 AZs (eu-west-2a and eu-west-2b).
I describe my scenario which is not like the one described here Unable to add Ec2 VPC Security group in Non VPC RDS MySQL Security group? or here Adding Spot Instances to the Security Group of an RDS Instance:
I have a fleet of spots in a ec2 vpc and I want to give you access to a rds data base that is in ec2 classic. Just like the second link, my spots are renewed from time to time and I have to be able to add the ip of the lawnched machine to the security group of the rds instance.
The configuration from the console is possible and works fine, just go to the security group of your rds instance and add a rule with a CIDR/IP.
But by doing so by cli with this command:
aws rds authorize-db-security-group-ingress --db-security-group-name default --cidrip xxx.xx.x.xxx/32
I get this error:
HTTPSConnectionPool(host='ec2.eu-west-1c.amazonaws.com', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<botocore.awsrequest.AWSHTTPSConnection object at 0x__________>: Failed to establish a new connection: Errno -2] Name or service not known',))
Details
I created an IAM user with this Permissions boundary: AuthorizeDBSecurityGroupIngress
Both spots vpc and rds ec2 classic instances are in the same eu-west-1c availability zone.
In the documentation of the command don't specify specifically that you can't do https://docs.aws.amazon.com/cli/latest/reference/rds/authorize-db-security-group-ingress.html. Also it would be strange that it can be done from the console and not from the cli.
I don't know what I'm missing, any ideas?
There's another way of using Security Groups, instead of using an IP, you use a security group ID.
For example:
You create a new security group, let's call it "MySpecialSG". Don't add any rules to this SG.
Then create a new SG, let's call it "Allow my Other SG". Now you will add an inbound rule, but instead of using IPs, you will use "MySpecialSG" group ID and the port you need.
This last SG is the one that you will assign to your DB instance.
I've finally solved the problem. The solution was that I was not adding the IAM user credentials with the access policy necessary to perform that action.
To use aws cli through the user-data of the instance you have to export the credentials of that IAM user as environment variables.
Info:
Policies for the classic link
Credentials export
Is there a way I can force users to only select specified VPC security groups when creating an RDS instance? I can do this with DB security groups because there are resource-level permissions available for those, but my users will need VPC security groups and the documentation does not show how to achieve this at the RDS resource level with an IAM policy.
I want to create a db security group before creating an RDS instance using Ansible. There is a module for called ec2_group which creates security groups for VPC but I want to create security group for the DB instance only.
Is there a separate module for it or do I have to use the ec2_group module to create a DB security group?
Also, if I'm wrong correct me! The EC2 security group and DB security group are 2 different things right?
I'm afraid there is no Ansible module for that.
DB SG and VPC SG are indeed different things: you create DB SG and allow traffic flow from one of VPC SGs.
If you need to automate DB SG creation, your option is aws cli.
Use local commands aws rds create-db-security-group and aws rds authorize-db-security-group-ingress with Ansible command module.
I submitted a PR last year to add 2 AWS modules : boto3 and boto3_wait.
These 2 modules allow you to interact with AWS API using boto3.
For instance, you could create a DB security group by calling create_db_security_group and authorize_db_security_group_ingress methods on RDS service :
- name: Create DB security group
boto3:
name: rds
region: us-east-1
operation: create_db_security_group
parameters:
DBSecurityGroupName: mydbsecuritygroup
DBSecurityGroupDescription: My DB security group
- name: Authorize IP range
boto3:
name: rds
region: us-east-1
operation: authorize_db_security_group_ingress
parameters:
DBSecurityGroupName: mydbsecuritygroup
CIDRIP: 203.0.113.5/32
If you're interrested by this feature, feel free to vote up on the PR. :)