问题描述
我已经将aurora集群和一个数据库实例(Postgresql 11.8)和一个代理部署为AWS。当我尝试添加以下代码的代理目标组时,部署需要一个小时,并在2小时后超时。我已经附上了屏幕截图。如果我通过AWS控制台手动添加目标组,效果很好。我想知道我的配置有什么问题吗?
ProxyTargetGroup:
Type: AWS::RDS::DBProxyTargetGroup
Properties:
DBProxyName: !Ref DBProxy
DBClusterIdentifiers: [!Ref auroraDBCluster]
TargetGroupName: default
ConnectionPoolConfigurationInfo:
MaxConnectionsPercent: 100
MaxIdleConnectionsPercent: 50
ConnectionBorrowTimeout: 120
DBProxy:
Type: AWS::RDS::DBProxy
Properties:
Auth:
- {AuthScheme: SECRETS,SecretArn: !Ref DBSecret,IAMAuth: required}
DBProxyName: ${self:provider.stackName}-dbproxy
DebugLogging: true
EngineFamily: POSTGREsql
IdleClientTimeout: 30
RequireTLS: true
RoleArn: !GetAtt DBProxyRole.Arn
VpcSecurityGroupIds:
- !Ref ClusterSecurityGroup
VpcsubnetIds:
- !Ref subnetAPublic
- !Ref subnetAPrivate
- !Ref subnetBPrivate
- !Ref subnetCPrivate
DBProxyRole:
Type: AWS::IAM::Role
Properties:
RoleName: ${self:provider.stackName}-dbproxyRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: ${self:provider.stackName}-dbproxyPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- secretsmanager:GetSecretValue
- secretsmanager:GetResourcePolicy
- secretsmanager:DescribeSecret
- secretsmanager:ListSecretVersionIds
Resource:
- "arn:aws:secretsmanager:${opt:region}:${self:provider.accountId}:secret:${opt:stage}/${self:service.name}/auroraUserSecret"
- Effect: Allow
Action:
- kms:*
Resource: 'arn:aws:kms:${opt:region}:${self:provider.accountId}:key/*'
ClusterSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow traffic to client host
VpcId:
Ref: VPC
SecurityGroupIngress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
当cloudformation显示update in progress时,我可以看到目标组已添加并且可用。但是cloudformation一直显示in progress,直到超时为止。
解决方法
我尝试使用自己的Aurora集群重新创建问题。我不得不填写很多空白,因为问题中只提供了一些点滴。
曾经,我没有问题,使用固定角色创建代理。我使用的完整模板如下:
Parameters:
AuroraDBCluster:
Type: String
Default: database-22
DBSecret:
Type: String
Default: arn:aws:secretsmanager:us-east-1:xxxxxxx:secret:postgres-wCBBqC
ClusterSecurityGroup:
Type: AWS::EC2::SecurityGroup::Id
Default: sg-0f52f72631fa40b56
SubnetAPublic:
Type: AWS::EC2::Subnet::Id
SubnetAPrivate:
Type: AWS::EC2::Subnet::Id
SubnetBPrivate:
Type: AWS::EC2::Subnet::Id
SubnetCPrivate:
Type: AWS::EC2::Subnet::Id
Resources:
ProxyTargetGroup:
Type: AWS::RDS::DBProxyTargetGroup
Properties:
DBProxyName: !Ref DBProxy
DBClusterIdentifiers: [!Ref AuroraDBCluster]
TargetGroupName: default
ConnectionPoolConfigurationInfo:
MaxConnectionsPercent: 100
MaxIdleConnectionsPercent: 50
ConnectionBorrowTimeout: 120
DBProxy:
Type: AWS::RDS::DBProxy
Properties:
Auth:
- {AuthScheme: SECRETS,SecretArn: !Ref DBSecret,IAMAuth: DISABLED}
DBProxyName: ggggg-dbproxy
DebugLogging: true
EngineFamily: POSTGRESQL
IdleClientTimeout: 30
RequireTLS: true
RoleArn: !GetAtt DBProxyRole.Arn
VpcSecurityGroupIds:
- !Ref ClusterSecurityGroup
VpcSubnetIds:
- !Ref SubnetAPublic
- !Ref SubnetAPrivate
- !Ref SubnetBPrivate
- !Ref SubnetCPrivate
DBProxyRole:
Type: AWS::IAM::Role
Properties:
RoleName: dbproxyRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: AccessSecretAndKMS
PolicyDocument: !Sub |
{
"Version": "2012-10-17","Statement": [
{
"Sid": "VisualEditor0","Effect": "Allow","Action": "secretsmanager:GetSecretValue","Resource": "${DBSecret}"
},{
"Sid": "VisualEditor1","Action": "kms:Decrypt","Resource": "*","Condition": {
"StringEquals": {
"kms:ViaService": "secretsmanager.${AWS::Region}.amazonaws.com"
}
}
}
]
}
我已经尝试过你的代码,但同样的“错误”会出现
我必须把小改动“EngineFamily: POSTGRESQL”改成“EngineFamily: Mysql”
,我遇到了同样的问题,即 CF 堆栈卡在 UPDATE_IN_PROGRESS 中 2 小时。我的问题是我没有在关联的入口安全组规则上指定 CidrIp 属性。 Docs 说它不是必需的,但它是。规则从未创建,CF 也没有通知我。
创建入口规则为我解决了 DBProxyTargetGroup 问题。