Create RDS DB Security Group using Ansible - amazon-web-services

I want to create a DB security group before creating an RDS instance using Ansible. There is a module called ec2_group which creates security groups for VPC, but I want to create a security group for the DB instance only.
Is there a separate module for it, or do I have to use the ec2_group module to create a DB security group?
Also, if I'm wrong, correct me! The EC2 security group and DB security group are 2 different things, right?

I'm afraid there is no Ansible module for that.
DB SG and VPC SG are indeed different things: you create a DB SG and allow traffic flow from one of the VPC SGs.
If you need to automate DB SG creation, your option is the aws cli.
Use the local commands aws rds create-db-security-group and aws rds authorize-db-security-group-ingress with the Ansible command module.
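As an added example (not part of the answer above), here is a play that drives those two CLI calls from Ansible's command module and stays idempotent when re-run. It assumes the aws CLI is installed on the control host with credentials already configured; the group name, region and CIDR are placeholders.

```yaml
# Added example: idempotent DB security group creation via the aws CLI.
# Assumes the aws CLI and credentials are available on the control host.
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    aws_region: us-east-1
    db_sg_name: mydbsecuritygroup
    db_sg_description: My DB security group
    app_cidr: 203.0.113.5/32   # placeholder: the only address range allowed to reach the DB
  tasks:
    - name: Check whether the DB security group already exists
      command: >
        aws rds describe-db-security-groups
        --db-security-group-name "{{ db_sg_name }}"
        --region "{{ aws_region }}"
      register: db_sg_lookup
      changed_when: false
      # A missing group is reported as DBSecurityGroupNotFound; any other error is real
      failed_when: db_sg_lookup.rc != 0 and 'DBSecurityGroupNotFound' not in db_sg_lookup.stderr

    - name: Create the DB security group only if it is missing
      command: >
        aws rds create-db-security-group
        --db-security-group-name "{{ db_sg_name }}"
        --db-security-group-description "{{ db_sg_description }}"
        --region "{{ aws_region }}"
      when: db_sg_lookup.rc != 0

    - name: Authorize the application address range (a /32 keeps the rule narrow)
      command: >
        aws rds authorize-db-security-group-ingress
        --db-security-group-name "{{ db_sg_name }}"
        --cidrip "{{ app_cidr }}"
        --region "{{ aws_region }}"
      register: db_sg_ingress
      # Re-running must not fail on a rule that is already present
      failed_when: db_sg_ingress.rc != 0 and 'AuthorizationAlreadyExists' not in db_sg_ingress.stderr
      changed_when: db_sg_ingress.rc == 0
      # To authorize an EC2 security group instead of a CIDR, replace --cidrip with
      # --ec2-security-group-name and --ec2-security-group-owner-id.
```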

I submitted a PR last year to add 2 AWS modules: boto3 and boto3_wait.
These 2 modules allow you to interact with the AWS API using boto3.
For instance, you could create a DB security group by calling the create_db_security_group and authorize_db_security_group_ingress methods on the RDS service:
- name: Create DB security group
  boto3:
    name: rds
    region: us-east-1
    operation: create_db_security_group
    parameters:
      DBSecurityGroupName: mydbsecuritygroup
      DBSecurityGroupDescription: My DB security group
- name: Authorize IP range
  boto3:
    name: rds
    region: us-east-1
    operation: authorize_db_security_group_ingress
    parameters:
      DBSecurityGroupName: mydbsecuritygroup
      CIDRIP: 203.0.113.5/32
If you're interested in this feature, feel free to vote up the PR. :)

Related

Difference between --db-security-groups and --vpc-security-group-ids in RDS set up using AWS CLI

I'm trying to create an AWS RDS instance using the CLI; usually I create it using the AWS Console. When I try to create an RDS instance, I see these 2 parameters:
--db-security-groups
--vpc-security-group-ids
What is the difference between these 2 values? I couldn't find a value related to --db-security-groups via the console. These are the definitions that AWS provides in the documentation:
--db-security-groups (list)
A list of DB security groups to associate with this DB instance.
Default: The default DB security group for the database engine.
--vpc-security-group-ids (list)
A list of Amazon EC2 VPC security groups to associate with this DB instance.
Amazon Aurora: Not applicable. The associated list of EC2 VPC security groups is managed by the DB cluster.
Default: The default EC2 VPC security group for the DB subnet group's VPC.
I still couldn't understand what the difference is. Or is there any security group specific to the DB only?
This is explained in AWS docs:
DB security groups are used with DB instances that are not in a VPC and on the EC2-Classic platform.
These days you would use only vpc-security-group-ids, unless you have an old AWS account.
The detailed comparison is also in the docs: DB security groups vs. VPC security groups.

Why is my VPC missing from the DB replica wizard?

In AWS, I'm creating a Read Replica DB, using the actions option in the console UI.
Source information -
region/az: us-west-2b
Destination information -
region: us-east-2
I have 2 VPCs in the east-2 region, but only one of them shows up in the drop-down list for the DB target (in addition to the default VPC).
It appears both VPCs are set up the same, so I'm not sure why only one would show.
Any thoughts?
I was mistakenly thinking the drop-down list was for VPCs.
The VPCs aren't listed as a target; it's a 'DB Subnet group' that is created, and it allows the connection to the VPC.
The DB subnet group needs to be created prior to creating the DB read replica.
When setting up an Aurora DB POC, this was done automatically, so the original VPC had an entry in the list.

How to add the ip of an instance in a vpc to the security group of rds ec2 classic instance with aws cli

I describe my scenario, which is not like the one described here, Unable to add Ec2 VPC Security group in Non VPC RDS MySQL Security group?, or here, Adding Spot Instances to the Security Group of an RDS Instance:
I have a fleet of spots in an EC2 VPC and I want to give them access to an RDS database that is in EC2-Classic. Just like in the second link, my spots are renewed from time to time and I have to be able to add the IP of the launched machine to the security group of the RDS instance.
The configuration from the console is possible and works fine, just go to the security group of your rds instance and add a rule with a CIDR/IP.
But when doing so from the CLI with this command:
aws rds authorize-db-security-group-ingress --db-security-group-name default --cidrip xxx.xx.x.xxx/32
I get this error:
HTTPSConnectionPool(host='ec2.eu-west-1c.amazonaws.com', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<botocore.awsrequest.AWSHTTPSConnection object at 0x__________>: Failed to establish a new connection: Errno -2] Name or service not known',))
Details
I created an IAM user with this Permissions boundary: AuthorizeDBSecurityGroupIngress
Both the spot VPC instances and the RDS EC2-Classic instance are in the same eu-west-1c availability zone.
The documentation of the command doesn't specifically say that you can't do this: https://docs.aws.amazon.com/cli/latest/reference/rds/authorize-db-security-group-ingress.html. Also, it would be strange if it could be done from the console and not from the CLI.
I don't know what I'm missing, any ideas?
There's another way of using security groups: instead of using an IP, you use a security group ID.
For example:
You create a new security group, let's call it "MySpecialSG". Don't add any rules to this SG.
Then create a new SG, let's call it "Allow my Other SG". Now you will add an inbound rule, but instead of using IPs, you will use the "MySpecialSG" group ID and the port you need.
This last SG is the one that you will assign to your DB instance.
I've finally solved the problem. The solution was that I was not adding the IAM user credentials with the access policy necessary to perform that action.
To use the aws cli through the user-data of the instance, you have to export the credentials of that IAM user as environment variables.
Info:
Policies for the classic link
Credentials export

What should I put as SecurityGroup for CodeBuild?

I want to allow CodeBuild to run my database migrations. I am configuring my CodeBuild project to be in the VPC and subnet of my RDS. But what do I put for security group? Is this security group to allow/deny access to my CodeBuild? Or should I understand it as the security group I want my CodeBuild to access?
Quote from CodeBuild doc:
"For Security Groups, choose the security groups that AWS CodeBuild uses to allow access to resources in the VPCs."
Learn more about using VPC with CodeBuild: https://docs.aws.amazon.com/codebuild/latest/userguide/vpc-support.html

Accessing RDS from Elastic Beanstalk, cannot change security groups

I am trying to access an RDS database in a VPC from Elastic Beanstalk. I tried adding the VPC group to the security group list for Elastic Beanstalk, which works for a regular EC2 instance, but when I try to do this for the Elastic Beanstalk security group I get the following error message:
Could not update your security group rules (No changes were made): You may not define rules between a VPC group and a non-VPC group
I have also tried adding the existing security group I use for EC2, which can access the RDS database, to the Elastic Beanstalk instance, but when I do that it says the security group does not exist. How can I make it so that the Elastic Beanstalk instance has access to my RDS database? Alternatively, what do I need to put in the config.yml file so that it starts out with my preexisting security group that already has access to the RDS database / VPC?
Security groups are specific to a VPC. It appears that your Elastic Beanstalk environment is in EC2 classic instead of a VPC. The quick solution is to enable Classic Link. The more long-term solution is to rebuild your Elastic Beanstalk environment in your VPC.
To start the instance in an existing VPC you need to add the VPC and subnet to a .config file in .ebextensions. For example:
option_settings:
  - namespace: aws:ec2:vpc
    option_name: VPCId
    value: vpc-IDhere
  - namespace: aws:ec2:vpc
    option_name: Subnets
    value: subnet-IDhere