
Failed to deploy "`ProxyTargetGroup`" for RDS Aurora PostgreSQL

Stack Overflow user
Asked 2020-10-10 22:01:24
Answers 4 Views 1.4K Followers 0 Votes 2

I have deployed the Aurora cluster, the DB instance (PostgreSQL 11.8) and the proxy to AWS. When I try to add the proxy target group with the code below, the deployment takes an hour and times out after 2 hours. I have attached a screenshot. If I add the target group manually through the AWS console, it works fine. I would like to know what is wrong with my configuration.

Code language: yaml
ProxyTargetGroup:
    Type: AWS::RDS::DBProxyTargetGroup
    Properties:
      DBProxyName: !Ref DBProxy
      DBClusterIdentifiers: [!Ref AuroraDBCluster]
      TargetGroupName: default   # a proxy has exactly one target group, and it must be named "default"
      ConnectionPoolConfigurationInfo:
          MaxConnectionsPercent: 100
          MaxIdleConnectionsPercent: 50
          ConnectionBorrowTimeout: 120

Code language: yaml
# ${self:...} and ${opt:...} are Serverless Framework variables resolved before the template is sent to CloudFormation
DBProxy:
    Type: AWS::RDS::DBProxy
    Properties:
      Auth:
        # the proxy logs in to the database with the secret; clients must authenticate to the proxy with IAM
        - {AuthScheme: SECRETS, SecretArn: !Ref DBSecret, IAMAuth: REQUIRED}
      DBProxyName: ${self:provider.stackName}-dbproxy
      DebugLogging: true
      EngineFamily: POSTGRESQL
      IdleClientTimeout: 30
      RequireTLS: true
      RoleArn: !GetAtt DBProxyRole.Arn
      VpcSecurityGroupIds:
        - !Ref ClusterSecurityGroup
      VpcSubnetIds:
        - !Ref SubnetAPublic
        - !Ref SubnetAPrivate
        - !Ref SubnetBPrivate
        - !Ref SubnetCPrivate
DBProxyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ${self:provider.stackName}-dbproxyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - rds.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ${self:provider.stackName}-dbproxyPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                  - secretsmanager:GetResourcePolicy
                  - secretsmanager:DescribeSecret
                  - secretsmanager:ListSecretVersionIds
                Resource:
                  - "arn:aws:secretsmanager:${opt:region}:${self:provider.accountId}:secret:${opt:stage}/${self:service.name}/AuroraUserSecret"

              - Effect: Allow
                Action:
                  - kms:*          # every KMS action on every key in the account
                Resource: 'arn:aws:kms:${opt:region}:${self:provider.accountId}:key/*'
ClusterSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow traffic to client host
      VpcId:
        Ref: VPC
      SecurityGroupIngress:
        - IpProtocol: -1         # all protocols, all ports, from any address
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0

While CloudFormation shows update in progress, I can see that the target group has been added and is available. But CloudFormation keeps showing in progress until it times out.

4 answers

Stack Overflow user

Accepted answer

Posted 2020-10-11 08:18:24

I tried to recreate the issue using my own Aurora cluster. I had to fill in many blanks, since only a few bits and pieces were provided in the question.

Regardless, I did not run into any issues creating the proxy with the fixed role. The full template I used is below:

Code language: yaml
Parameters:

  AuroraDBCluster:
    Type: String
    Default: database-22

  DBSecret:
    Type: String
    Default: arn:aws:secretsmanager:us-east-1:xxxxxxx:secret:postgres-wCBBqC   

  ClusterSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Default: sg-0f52f72631fa40b56

  SubnetAPublic:
    Type: AWS::EC2::Subnet::Id

  SubnetAPrivate:
    Type: AWS::EC2::Subnet::Id

  SubnetBPrivate:
    Type: AWS::EC2::Subnet::Id

  SubnetCPrivate:
    Type: AWS::EC2::Subnet::Id


Resources:

  ProxyTargetGroup:
    Type: AWS::RDS::DBProxyTargetGroup
    Properties:
      DBProxyName: !Ref DBProxy
      DBClusterIdentifiers: [!Ref AuroraDBCluster]
      TargetGroupName: default
      ConnectionPoolConfigurationInfo:
          MaxConnectionsPercent: 100
          MaxIdleConnectionsPercent: 50
          ConnectionBorrowTimeout: 120


  DBProxy:
    Type: AWS::RDS::DBProxy
    Properties: 
      Auth:
        - {AuthScheme: SECRETS, SecretArn: !Ref DBSecret, IAMAuth: DISABLED}
      DBProxyName: ggggg-dbproxy 
      DebugLogging: true
      EngineFamily: POSTGRESQL
      IdleClientTimeout: 30
      RequireTLS: true
      RoleArn: !GetAtt DBProxyRole.Arn
      VpcSecurityGroupIds:
        - !Ref ClusterSecurityGroup
      VpcSubnetIds:
        - !Ref SubnetAPublic
        - !Ref SubnetAPrivate
        - !Ref SubnetBPrivate
        - !Ref SubnetCPrivate

  DBProxyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: dbproxyRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - rds.amazonaws.com
            Action: sts:AssumeRole
      Policies:
          - PolicyName: AccessSecretAndKMS
            PolicyDocument: !Sub |
              {
                  "Version": "2012-10-17",
                  "Statement": [
                      {
                          "Sid": "VisualEditor0",
                          "Effect": "Allow",
                          "Action": "secretsmanager:GetSecretValue",
                          "Resource": "${DBSecret}"
                      },
                      {
                          "Sid": "VisualEditor1",
                          "Effect": "Allow",
                          "Action": "kms:Decrypt",
                          "Resource": "*",
                          "Condition": {
                              "StringEquals": {
                                  "kms:ViaService": "secretsmanager.${AWS::Region}.amazonaws.com"
                              }
                          }
                      }
                  ]
              }
Votes 1

Stack Overflow user

Posted 2021-07-19 09:18:30

I ran into the same issue; the CF stack was stuck in UPDATE_IN_PROGRESS for 2 hours. My problem was that I had not specified the CidrIp property on the associated ingress security group rule. The documentation says it is not required, but it is. The rule was never created, and CF did not notify me.

Creating the ingress rule solved the DBProxyTargetGroup problem for me.

Votes 3
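The two points raised in the answers above, the accepted answer's KMS grant scoped to `kms:Decrypt` via Secrets Manager and the second answer's ingress rule that was silently never created because it named no source, as a pre-deploy lint. This is an added example written for this page, not code from the question or any answer. It walks a CloudFormation template held as a Python dict (the JSON form, so `!Ref` appears as `{"Ref": ...}`); `SAMPLE_TEMPLATE`, the account id `111111111111`, the secret ARN, the policy name `dbproxyPolicy` and the sourceless port-5432 rule are constructed stand-ins for the question's resources, and `PolicyDocument` is assumed to be a dict rather than a `!Sub` string.

```python
"""Pre-deploy lint for the RDS Proxy pieces of a CloudFormation template.
Added example, not code from the question or the answers: flags ingress rules
with no source (second answer) or open to 0.0.0.0/0 on every protocol
(question), and proxy roles granting kms:* instead of scoped kms:Decrypt."""
import copy

# Per the second answer, an ingress rule with none of these is silently never created.
INGRESS_SOURCE_KEYS = ("CidrIp", "CidrIpv6", "SourceSecurityGroupId", "SourcePrefixListId")

# Constructed stand-in for the question's YAML; account id, ARNs and the 5432 rule are made up.
SAMPLE_TEMPLATE = {"Resources": {
    "ClusterSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Allow traffic to client host",
        "VpcId": {"Ref": "VPC"},
        "SecurityGroupIngress": [
            {"IpProtocol": -1, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432},  # no source at all
        ],
    }},
    "DBProxyRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
        "PolicyName": "dbproxyPolicy",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
             "Resource": "arn:aws:secretsmanager:us-east-1:111111111111:secret:AuroraUserSecret"},
            {"Effect": "Allow", "Action": ["kms:*"],
             "Resource": "arn:aws:kms:us-east-1:111111111111:key/*"},
        ]},
    }]}},
}}


def _as_list(value):
    """IAM and CloudFormation accept a scalar wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _resources(template, rtype):
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == rtype:
            yield name, res.get("Properties", {})


def _allows_wildcard_kms(stmt):
    return stmt.get("Effect") == "Allow" and any(
        a in ("*", "kms:*") for a in _as_list(stmt.get("Action", [])))


def lint_security_groups(template):
    """(resource, rule index, message) for each sourceless or wide-open ingress rule."""
    findings = []
    for name, props in _resources(template, "AWS::EC2::SecurityGroup"):
        for idx, rule in enumerate(props.get("SecurityGroupIngress", [])):
            if not any(key in rule for key in INGRESS_SOURCE_KEYS):
                findings.append((name, idx, "no source on ingress rule; it is never created"))
            elif rule.get("CidrIp") == "0.0.0.0/0" and str(rule.get("IpProtocol")) == "-1":
                findings.append((name, idx, "all protocols from 0.0.0.0/0; limit to the proxy on 5432"))
    return findings


def lint_kms_grants(template):
    """(role, policy name) for each inline policy that allows kms:* or *."""
    return [
        (name, policy["PolicyName"])
        for name, props in _resources(template, "AWS::IAM::Role")
        for policy in props.get("Policies", [])
        if any(map(_allows_wildcard_kms, _as_list(policy["PolicyDocument"].get("Statement", []))))
    ]


def scoped_kms_statement(region):
    """Decrypt only, and only when Secrets Manager in this region asks on the proxy's behalf."""
    return {
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
    }


def harden(template, region):
    """Copy of the template with every wildcard KMS statement swapped for the scoped one."""
    out = copy.deepcopy(template)
    for name, _ in lint_kms_grants(out):
        for policy in out["Resources"][name]["Properties"]["Policies"]:
            doc = policy["PolicyDocument"]
            doc["Statement"] = [scoped_kms_statement(region) if _allows_wildcard_kms(s) else s
                                for s in _as_list(doc.get("Statement", []))]
    return out
```

Running `lint_security_groups` and `lint_kms_grants` over a template before `aws cloudformation deploy` surfaces a sourceless rule or a `kms:*` grant up front instead of two hours later when the stack times out. `harden` only rewrites the KMS statement; the security group still has to be narrowed by hand, ideally to the proxy's own security group on port 5432 rather than `0.0.0.0/0`.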

Stack Overflow user

Posted 2021-04-12 04:38:27

I tried your code, but the same "error" also occurs.

I had to change "EngineFamily: POSTGRESQL" to "EngineFamily: Mysql".

Votes 0
Original page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/64298701