I am trying to create a read replica in west region for an RDS data base in east through cloud formation template.
I am getting an error:
Cannot create a cross region unencrypted read replica from encrypted source.
However, I have tried to provide kms key id and marked CopyTagsToSnapshot as true . Here is how my cloud formation looks like:
Resources:
MyDB:
Type: AWS::RDS::DBInstance
Properties:
SourceDBInstanceIdentifier: !Ref ReadReplicaURL
AllocatedStorage: !Ref DBAllocatedStorage
CopyTagsToSnapshot: true
DBSubnetGroupName: !Ref DBSubnetGroup
VPCSecurityGroups:
- !Ref DBSG1
KmsKeyId: !Ref DBEncryptionKey
StorageEncrypted: true
DBInstanceClass: !Ref DBInstanceClass
DBInstanceIdentifier: !Ref DBInstanceIdentifier
Iops: !Ref DBIops
MonitoringInterval: !Ref DBMonitoringInterval
Engine: !Ref Engine
MonitoringRoleArn: !Ref DBMonitoringRoleARN
Port: !Ref DBPort
PreferredMaintenanceWindow: !Ref DBPreferredMaintenanceWindow
StorageType: io1
Answer I got from AWS rep:
Unfortunately, creation of encrypted RDS cross-region read replicas is not possible through CloudFormation currently. There is an active feature request to implement this functionality to which I have added your voice. Once the feature is implemented, it will be announced on this page:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html
Related
ERROR:
Properties [AZMode, CacheSubnetGroupName, SecurityGroupIds, PreferredAvailabilityZones, SnapshotArns, SnapshotRetentionLimit, SnapshotWindow, Tags] cannot be specified along with CacheSecurityGroupNames, please update your template to the latest version
Type: AWS::ElastiCache::CacheCluster
Properties:
Engine: redis
AZMode: single-az
EngineVersion: 5.0.6
CacheParameterGroupName: !Ref CacheParameterGroup
ClusterName: !Sub ${SystemName}-${Env}-elasticache
CacheNodeType: !Ref ElasticacheNodeType
NumCacheNodes: "1"
Port: 6379
PreferredMaintenanceWindow: !Ref MaintenanceWindow
PreferredAvailabilityZone: ap-northeast-1a
SnapshotRetentionLimit: !Ref SnapshotRetentionLimit
SnapshotWindow: !Ref SnapshotWindow
CacheSubnetGroupName: !Ref CacheSubnetGroup
CacheSecurityGroupNames:
- Fn::ImportValue: DevElasticacheSG
Whats the reason for above error in cloudformation?
CacheSecurityGroupNames can only be used when your cluster is not in VPC:
Use this parameter only when you are creating a cluster outside of an Amazon Virtual Private Cloud (Amazon VPC).
My guess is that maybe you wanted to use VpcSecurityGroupIds instead.
I want to create a simple rds proxy. I use the attached cloudformation template. However aws cannot create resource "AWS::RDS::DBProxyTargetGroup". The error info is not enough for debugging: "Resource timed out waiting for completion". Please anyone provide me anwser?
Target group was created, but info was not updated in cloudformation event
rds_proxy_console
CF_event
failed event
Resources:
RDSProxy:
Type: "AWS::RDS::DBProxy"
Properties:
Auth:
- AuthScheme: SECRETS
IAMAuth: DISABLED
SecretArn: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretsManagerName}"
DBProxyName: !Ref ProxyName
EngineFamily: !Ref ProxyEngineFamily
RoleArn: !GetAtt SecretsManagerRole.Arn
VpcSecurityGroupIds: !Ref ProxyVpcSecurityGroupIds
VpcSubnetIds: !Ref ProxyVpcSubnetIds
RDSProxyTargetGroup:
Type: "AWS::RDS::DBProxyTargetGroup"
Properties:
DBClusterIdentifiers: !Ref ProxyTargetDBClusterIdentifiers
DBProxyName: !Ref RDSProxy
TargetGroupName: default
I have a Aurora Cluster (Serverless - PostgreSQL) setup in CloudFormation and I want to configure the Log Retention to be around 7 days but I haven't been able to find where to set this setting.
This is my CloudFormation definition for the DBCluster:
AuroraDBCluster:
Type: AWS::RDS::DBCluster
DeletionPolicy: Delete
UpdateReplacePolicy: Delete
Properties:
Engine: aurora-postgresql
EngineMode: serverless
EngineVersion: 10.7
DatabaseName: test-db
DeletionProtection: false
ScalingConfiguration:
AutoPause: True
MaxCapacity: 8
MinCapacity: 2
SecondsUntilAutoPause: 300
VpcSecurityGroupIds:
- !Ref AuroraClusterSecurityGroup
Port: !Ref DBPort
MasterUsername:
!Join ['', ['{{resolve:secretsmanager:', !Ref AuroraMasterSecret, ':SecretString:username}}' ]]
MasterUserPassword:
!Join ['', ['{{resolve:secretsmanager:', !Ref AuroraMasterSecret, ':SecretString:password}}' ]]
DBSubnetGroupName: !Ref DBSubnetGroup
BackupRetentionPeriod: 35
DBClusterParameterGroupName: !Ref RDSDBClusterParameterGroup
StorageEncrypted: true
KmsKeyId: !Ref AuroraKMSCMK
I have created a different LogGroup like this:
AuroraClusterLogGroup:
Type: "AWS::Logs::LogGroup"
Properties:
RetentionInDays: 7
LogGroupName: !Join ["", ["/aws/rds/cluster/", !Ref AuroraDBCluster, /postgresql]]
But when I deploy the stack, it says:
CREATE_FAILED AWS::Logs::LogGroup AuroraClusterLogGroup /aws/rds/cluster/aurora-serverless-db-ufeihfhef74465/postgresql already exists
Because (I think) the AuroraDBCluster resource creates its own LogGroup with the same name.
I have reviewed the AWS::RDS::DBCluster documentation but I have not found any references for the Log Retention.
What can I do in this case?
Thanks!
If Aurora has already created its own log group, you can't change it from CloudFormation. The only way to do this would be use custom resource in your template.
In the custom resource you could use put-retention-policy to modify the retention time of chosen log group.
I've trying to write a CloudFormation to provision a new RDS instance from the point in time snapshot an existing RDS DB.
However, I came to know that you can't specify db-name when you provide a snapshot in CloudFormation template and thus it will always restore it to the original DB.
I have got this article for the same on aws blogs, though I'm looking if there is any out of the box solution for the same.
Edit 1
RDS snippet from my Cloud Formation
Resources:
MyDB:
Type: AWS::RDS::DBInstance
Properties:
DBName: Fn::If ["UseDbSnapshot", !Ref AWS:NoValue, !Ref MyDBName]
DBSecurityGroups:
- !Ref MyDbSecurityByEC2SecurityGroup
- !Ref MyDbSecurityByCIDRIPGroup
AllocatedStorage: 20
DBInstanceClass: db.m1.small
Engine: MySQL
MasterUsername: root
MasterUserPassword: password
DBSnapshotIdentifier: Fn::If ["UseDbSnapshot", !Ref DBSnapshotIdentifier, !Ref AWS::NoValue]
DeletionPolicy: Snapshot
What can I try to fix this?
You have to keep in mind, that a couple of RDS properties (such as MasterUsername) are not customizable when you want to restore from snapshot. The AWS documentation says:
If you specify the SourceDBInstanceIdentifier or DBSnapshotIdentifier property, don't specify this property. The value is inherited from the source DB instance or snapshot.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
So just omit those parameters like this:
Parameters:
DBSnapshotIdentifier:
Description: 'Optional identifier for the DB cluster snapshot from which you want to restore'
Type: String
Default: ''
Conditions:
HasDBSnapshotIdentifier: !Not [!Equals [!Ref DBSnapshotIdentifier, '']]
Resources:
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
...
DBSnapshotIdentifier: !If [HasDBSnapshotIdentifier, !Ref DBSnapshotIdentifier, !Ref 'AWS::NoValue']
KmsKeyId: !If [HasDBSnapshotIdentifier, !Ref 'AWS::NoValue', !If [HasEncryption, !Ref KmsKey, !Ref 'AWS::NoValue']]
MasterUsername: !If [HasDBSnapshotIdentifier, !Ref 'AWS::NoValue', !Ref MasterUsername]
MasterUserPassword: !If [HasDBSnapshotIdentifier, !Ref 'AWS::NoValue', !Ref MasterPassword]
StorageEncrypted: !If [HasDBSnapshotIdentifier, !Ref 'AWS::NoValue', !If
...
I am playing around with cloudformation and running into an issue with DBSubnetGroup that I cannot get around. My goal is to build a simple setup:
a VPC with two subnets
an RDS database subnet group on those subnets
an RDS database cluster in that db subnet
a single RDS instance in that cluster
In cloudformation, I keep getting an error:
Could not find DB Cluster: MyRDSClusterId (Service: AmazonRDS; Status Code:
404; Error Code: DBClusterNotFoundFault; Request ID: ...)
Everything looks right to me, and cloudformation says my DBCluster was created correctly. What am I doing wrong here? Any insights into what I've done wrong would be greatly appreciated.
Here is my cloudformation template:
AWSTemplateFormatVersion: "2010-09-09"
Description: Stack with DBSubnetGroup, DBCluster, and one DBInstance
Resources:
MyAppVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 192.168.0.0/16
EnableDnsSupport: true
EnableDnsHostnames: true
InstanceTenancy: default
MyAppRDSSubnetA:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-1a
VpcId: !Ref MyAppVPC
CidrBlock: 192.168.0.0/24
MapPublicIpOnLaunch: true
MyAppRDSSubnetB:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-1b
VpcId: !Ref MyAppVPC
CidrBlock: 192.168.1.0/24
MapPublicIpOnLaunch: true
MyDBSubnetGroup:
Type: AWS::RDS::DBSubnetGroup
Properties:
DBSubnetGroupDescription: My App DBSubnetGroup for RDS
SubnetIds:
- !Ref MyAppRDSSubnetA
- !Ref MyAppRDSSubnetB
MyRDSCluster:
Type: AWS::RDS::DBCluster
Properties:
BackupRetentionPeriod: 1
DatabaseName: MyDB
DBClusterIdentifier: MyRDSClusterId
DBSubnetGroupName: !Ref MyDBSubnetGroup
Engine: aurora
MasterUsername: exampleUsername
MasterUserPassword: examplePassword
MyRDSInstance:
Type: AWS::RDS::DBInstance
Properties:
DBClusterIdentifier: !Ref MyRDSCluster
DBInstanceClass: db.t2.small
DBSubnetGroupName: !Ref MyDBSubnetGroup
Engine: aurora
Some charcter in your DBClusterIdentifier name is in uppercase.
What cloudformation does is, it automatically convert all uppercase character to lowercase.
Now when you try to attach DBInstances under the DBCluster it is not able to find with the DBClusterIdentifier you have mentioned as it contains some uppercase.
MyRDSCluster:
Type: AWS::RDS::DBCluster
Properties:
BackupRetentionPeriod: 1
DatabaseName: MyDB
DBClusterIdentifier: MyRDSClusterId <- here it converts all string to lowercase
DBSubnetGroupName: !Ref MyDBSubnetGroup
Engine: aurora
MasterUsername: exampleUsername
MasterUserPassword: examplePassword
MyRDSInstance:
Type: AWS::RDS::DBInstance
Properties:
DBClusterIdentifier: !Ref MyRDSCluster <- here it does not, so mismatch in name
DBInstanceClass: db.t2.small
DBSubnetGroupName: !Ref MyDBSubnetGroup
Engine: aurora
Solution is : give DBClusterIdentifier all in lowercase.
I hope you got your Answer :)
I removed the "DBClusterIdentifier" property from my cluster definition and suddenly everything worked. Hope this helps someone else one day.
Now it looks like:
MyRDSCluster:
Type: AWS::RDS::DBCluster
Properties:
BackupRetentionPeriod: 1
DatabaseName: My
DBSubnetGroupName: !Ref MyDBSubnetGroup
Engine: aurora
MasterUsername: exampleUsername
MasterUserPassword: examplePassword
Hope this helps someone else one day.
I have to say, I'm not sure I totally understand why this fixed the issue, and an explanation would be helpful (i have been searching for a while with no luck). Why can't I specify my own DBClusterIdentifier in this template?