AWS RDS Proxy configuration

Problem description

I need to create a VPC with private subnets + an RDS Postgres DB + an RDS Proxy, and I am setting everything up with CloudFormation through the Serverless Framework.

I can configure everything except the RDS Proxy: when I run serverless deploy, the deployment hangs while creating the Target group and eventually fails with a timeout error.

This is what I see in the AWS console, even when I go through the whole process manually:

(screenshot from the AWS console not reproduced)

When I run aws rds describe-db-proxy-targets --db-proxy-name so-proxy-rds-db-proxy, this is what I get:

{
    "Targets": [
        {
            "Endpoint": "so-proxy-rds-db.csy8ozys6dtv.us-west-2.rds.amazonaws.com",
            "RdsResourceId": "so-proxy-rds-db",
            "Port": 5432,
            "Type": "RDS_INSTANCE",
            "Role": "READ_WRITE",
            "TargetHealth": {
                "State": "UNAVAILABLE",
                "Reason": "AUTH_FAILURE",
                "Description": "Proxy does not have any registered credentials"
            }
        }
    ]
}

But I can see them in Secrets Manager. Here is a reproducible configuration:

service: so-proxy-rds

frameworkVersion: "=2.49.0"
variablesResolutionMode: 20210326
configValidationMode: error

provider:
  name: aws
  runtime: nodejs14.x
  region: us-west-2
  versionFunctions: false
  memorySize: 1024
  timeout: 30

resources:
  Resources:
    VPC:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: true
        EnableDnsHostnames: true
        Tags:
          - Key: Name
            Value: vpc

    PrivateSubnetA:
      Type: AWS::EC2::Subnet
      Properties:
        VpcId:
          Ref: VPC
        CidrBlock: 10.0.2.0/24
        AvailabilityZone:
          Fn::Select:
            - 0
            - Fn::GetAZs: ""
        Tags:
          - Key: Name
            Value: private-A

    PrivateSubnetB:
      Type: AWS::EC2::Subnet
      Properties:
        VpcId:
          Ref: VPC
        CidrBlock: 10.0.3.0/24
        AvailabilityZone:
          Fn::Select:
            - 1
            - Fn::GetAZs: ""
        Tags:
          - Key: Name
            Value: private-B

    PrivateRouteTable:
      Type: AWS::EC2::RouteTable
      Properties:
        VpcId:
          Ref: VPC
        Tags:
        - Key: Name
          Value: private

    PrivateSubnetARouteTableAssociation:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        SubnetId:
          Ref: PrivateSubnetA
        RouteTableId:
          Ref: PrivateRouteTable

    PrivateSubnetBRouteTableAssociation:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        SubnetId:
          Ref: PrivateSubnetB
        RouteTableId:
          Ref: PrivateRouteTable

    # Allows all traffic in and out from anywhere. Fine for reproducing the
    # problem; for anything real, restrict ingress to port 5432 from the
    # proxy's and the Lambda functions' security groups.
    OpenSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: 'Open firewall'
        GroupName: ${self:service}-open
        SecurityGroupEgress:
          - CidrIp: 0.0.0.0/0
            IpProtocol: "-1"
        SecurityGroupIngress:
          - CidrIp: 0.0.0.0/0
            IpProtocol: "-1"
        VpcId:
          Ref: VPC

    DBSubnetGroup:
      Type: AWS::RDS::DBSubnetGroup
      Properties:
        DBSubnetGroupDescription: DB subnet group
        SubnetIds:
          - Ref: PrivateSubnetA
          - Ref: PrivateSubnetB

    PostgresDB:
      Type: AWS::RDS::DBInstance
      Properties:
        DBInstanceIdentifier: db
        DBName: test_db
        AllocatedStorage: 20
        DBInstanceClass: db.t2.micro
        DBSubnetGroupName:
          Ref: DBSubnetGroup
        Engine: postgres
        EngineVersion: 11.12 # only up to version 11 supports proxy
        MasterUsername: test_user
        # Plaintext test credentials in the template; the same pair is
        # duplicated in ProxySecretValues below, so the two must stay in sync.
        MasterUserPassword: test_pass
        PubliclyAccessible: false
        VPCSecurityGroups:
          - Ref: OpenSecurityGroup
      DeletionPolicy: Delete

    ProxySecretValues:
      Type: 'AWS::SecretsManager::Secret'
      Properties:
        Name: proxy-secrets
        SecretString: '{"username":"test_user","password":"test_pass"}'

    DBProxy:
      Type: AWS::RDS::DBProxy
      Properties:
        DBProxyName: db-proxy
        EngineFamily: POSTGRESQL
        RoleArn:
          Fn::GetAtt:
            - DBProxyRole
            - Arn
        Auth:
          - AuthScheme: SECRETS
            IAMAuth: DISABLED
            SecretArn:
              Ref: ProxySecretValues
        VpcSubnetIds:
          - Ref: PrivateSubnetA
          - Ref: PrivateSubnetB
        VpcSecurityGroupIds:
          - Ref: OpenSecurityGroup

    DBProxyTargetGroup:
      Type: "AWS::RDS::DBProxyTargetGroup"
      Properties:
        DBInstanceIdentifiers:
          - Ref: PostgresDB
        DBProxyName:
          Ref: DBProxy
        TargetGroupName: default

    DBProxyRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - "rds.amazonaws.com"
              Action:
                - "sts:AssumeRole"
        ManagedPolicyArns:
          - Ref: DBProxyPolicy
        RoleName: db-proxy-role

    # Far broader than the proxy needs: AWS documents secretsmanager:GetSecretValue
    # on the proxy's secret(s) plus kms:Decrypt on the key (via Secrets Manager).
    DBProxyPolicy:
      Type: "AWS::IAM::ManagedPolicy"
      Properties:
        ManagedPolicyName: db-proxy-policy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "secretsmanager:*"
              Resource: '*'
            - Effect: Allow
              Action:
                - "kms:*"
              Resource: '*'

Any help is much appreciated, thanks.
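Added example, not code from the question: a stdlib-only Python script that checks each link the proxy depends on for that AUTH_FAILURE, one at a time: the target-health JSON from `aws rds describe-db-proxy-targets`, the SecretString shape RDS Proxy expects (a JSON object with `username` and `password`), and whether the proxy role's policy covers the two actions AWS documents for it (`secretsmanager:GetSecretValue` on the secret, `kms:Decrypt` on the key through Secrets Manager). It also flags the wildcard grants. The ARNs, the simplified IAM evaluator (Allow statements only, Conditions and Deny ignored) and the policy documents are assumptions; the sample target JSON is constructed from the output in the question.

```python
"""Narrow down an RDS Proxy target stuck in AUTH_FAILURE (added example).

Feed it the JSON pulled with the AWS CLI:
  aws rds describe-db-proxy-targets --db-proxy-name <proxy>   -> unhealthy_targets()
  aws secretsmanager get-secret-value --secret-id <arn>       -> check_proxy_secret()
  aws iam get-policy-version --policy-arn <arn> --version-id  -> check_proxy_role()
All data below is constructed; the ARNs are placeholders.
"""
import fnmatch
import json

# Constructed sample mirroring the describe-db-proxy-targets output in the question.
SAMPLE_TARGETS = {
    "Targets": [{
        "Endpoint": "so-proxy-rds-db.example.us-west-2.rds.amazonaws.com",
        "RdsResourceId": "so-proxy-rds-db",
        "Port": 5432, "Type": "RDS_INSTANCE", "Role": "READ_WRITE",
        "TargetHealth": {"State": "UNAVAILABLE", "Reason": "AUTH_FAILURE",
                         "Description": "Proxy does not have any registered credentials"},
    }]
}

# Placeholder ARNs (assumptions) for the proxy's secret and the KMS key encrypting it.
SECRET_ARN = "arn:aws:secretsmanager:us-west-2:123456789012:secret:proxy-secrets-AbCdEf"
KMS_KEY_ARN = "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555"

# Copy of the managed policy in the question's template.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["secretsmanager:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"},
    ],
}

# Least-privilege shape AWS documents for a proxy role: read only the proxy's
# secret, decrypt only when the call comes through Secrets Manager.
LEAST_PRIV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KMS_KEY_ARN,
         "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-west-2.amazonaws.com"}}},
    ],
}


def unhealthy_targets(describe_output):
    """(endpoint, state, reason, description) for every target that is not AVAILABLE."""
    out = []
    for t in describe_output.get("Targets", []):
        h = t.get("TargetHealth", {})
        if h.get("State") != "AVAILABLE":
            out.append((t.get("Endpoint"), h.get("State"), h.get("Reason"), h.get("Description")))
    return out


def check_proxy_secret(secret_string):
    """RDS Proxy reads a JSON secret with 'username' and 'password'; return a list of problems."""
    try:
        data = json.loads(secret_string)
    except (TypeError, ValueError):
        return ["SecretString is not valid JSON"]
    if not isinstance(data, dict):
        return ["SecretString is not a JSON object"]
    return [f"missing or empty '{k}'" for k in ("username", "password") if not data.get(k)]


def _as_list(v):
    """IAM lets Statement/Action/Resource be a scalar or a list; normalise to a list."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def policy_allows(policy, action, resource_arn):
    """Simplified IAM check (assumption): Allow statements only, glob matching on
    Action (case-insensitive) and Resource; Deny statements and Conditions are ignored."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
                and any(fnmatch.fnmatchcase(resource_arn, r) for r in resources)):
            return True
    return False


def check_proxy_role(policy, secret_arn, kms_key_arn):
    """Sorted list of the documented proxy-role actions the policy does not grant."""
    required = {"secretsmanager:GetSecretValue": secret_arn, "kms:Decrypt": kms_key_arn}
    return sorted(a for a, r in required.items() if not policy_allows(policy, a, r))


def wildcard_grants(policy):
    """Indexes of Allow statements granting a whole service ('svc:*') or Resource '*'."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a.endswith("*") for a in _as_list(stmt.get("Action"))) or "*" in _as_list(stmt.get("Resource")):
            flagged.append(i)
    return flagged


def diagnose(targets, secret_string, policy, secret_arn, kms_key_arn):
    """One dict showing which link of the proxy -> role -> secret chain is broken."""
    return {
        "unhealthy": unhealthy_targets(targets),
        "secret_problems": check_proxy_secret(secret_string),
        "missing_role_actions": check_proxy_role(policy, secret_arn, kms_key_arn),
        "overbroad_statements": wildcard_grants(policy),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_TARGETS, '{"username":"test_user","password":"test_pass"}',
                      QUESTION_POLICY, SECRET_ARN, KMS_KEY_ARN)
    print(json.dumps(report, indent=2))
```

Run against the question's own inputs, the secret passes and the role lacks no action (both statements are flagged as overbroad, which is a least-privilege finding rather than the cause of the failure), so the remaining things to confirm on the live account are that the SecretArn listed under Auth in `aws rds describe-db-proxies` is the secret you looked at, and that the role's trust policy really lets rds.amazonaws.com assume it.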

Solution

No working solution to this problem has been found yet; the editor is still looking for one.
