Tags: amazon-web-services, aws-cloudformation, memcached, elastic-cache

AWS CloudFormation: unable to create Elastic Cache Cluster


I am deploying my application into the AWS environment. I am creating an Elastic Cache Cluster resource in my template. But when I deploy my template, it fails to create the Elastic Cache Cluster resource.

This is my template.

AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
  KeyName:
    Default: 'PatheinDirectory'
    Type: String
  InstanceType:
    Default: 't2.micro'
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x

Mappings:
  Region2Principal:
    us-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-south-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-east-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ca-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    sa-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    cn-north-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    cn-northwest-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    eu-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-north-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com

Resources:
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp:
            Ref: SSHLocation

  WebServerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - Fn::FindInMap:
                    - Region2Principal
                    - Ref: AWS::Region
                    - EC2Principal
            Action:
              - sts:AssumeRole
      Path: /

  WebServerRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: WebServerRole
      PolicyDocument:
        Statement:
          - Effect: Allow
            NotAction: iam:*
            Resource: '*'
      Roles:
        - Ref: WebServerRole

  WebServerInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - Ref: WebServerRole

  Application:
    Type: AWS::ElasticBeanstalk::Application
    Properties:
      Description: AWS Elastic Beanstalk Pathein Directory Laravel application

  ApplicationVersion:
    Type: AWS::ElasticBeanstalk::ApplicationVersion
    Properties:
      Description: Version 1.0
      ApplicationName:
        Ref: Application
      SourceBundle:
        S3Bucket:
          Fn::Join:
            - '-'
            - - elasticbeanstalk-samples
              - Ref: AWS::Region
        S3Key: php-sample.zip

  ApplicationConfigurationTemplate:
    Type: AWS::ElasticBeanstalk::ConfigurationTemplate
    Properties:
      ApplicationName:
        Ref: Application
      Description: SSH access to Pathein Directory Laravel application
      SolutionStackName: 64bit Amazon Linux 2 v3.1.0 running PHP 7.3
      OptionSettings:
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: EC2KeyName
          Value:
            Ref: KeyName
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: IamInstanceProfile
          Value:
            Ref: WebServerInstanceProfile
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: SecurityGroups
          Value:
            Ref: WebServerSecurityGroup

  Environment:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      Description: AWS Elastic Beanstalk Environment running Pathein Directory Laravel application
      ApplicationName:
        Ref: Application
      EnvironmentName: PatheinDirectoryTesting
      TemplateName:
        Ref: ApplicationConfigurationTemplate
      VersionLabel:
        Ref: ApplicationVersion
      OptionSettings:
        - Namespace: aws:elasticbeanstalk:environment
          OptionName: EnvironmentType
          Value: SingleInstance
        - Namespace: aws:elasticbeanstalk:container:php:phpini
          OptionName: document_root
          Value: /public

  ElasticCacheSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable TCP connection on port 6379
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '6379'
          ToPort: '6379'
          SourceSecurityGroupId: !GetAtt WebServerSecurityGroup.GroupId

  ElasticCacheCluster:
    Type: AWS::ElastiCache::CacheCluster
    Properties:
      AZMode: cross-az
      CacheNodeType: cache.t2.small
      Engine: memcached
      NumCacheNodes: '2'
      VpcSecurityGroupIds:
        - !Ref ElasticCacheSecurityGroup
      PreferredAvailabilityZones:
        - !Select
          - 0
          - Fn::GetAZs: !Ref AWS::Region
        - !Select
          - 1
          - Fn::GetAZs: !Ref AWS::Region

This is the error in the log.

{
    "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/ec64d370-e7e1-11ea-9dd6-0a1312d0cd8a",
    "EventId": "fdb2e900-e7e1-11ea-9b3d-02e056ab1688",
    "StackName": "patheindirectory",
    "LogicalResourceId": "patheindirectory",
    "PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/ec64d370-e7e1-11ea-9dd6-0a1312d0cd8a",
    "ResourceType": "AWS::CloudFormation::Stack",
    "Timestamp": "2020-08-26T21:20:39.812000+00:00",
    "ResourceStatus": "ROLLBACK_IN_PROGRESS",
    "ResourceStatusReason": "The following resource(s) failed to create: [ElasticCacheCluster, WebServerRole]. . Rollback requested by user."
},
{
    "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/ec64d370-e7e1-11ea-9dd6-0a1312d0cd8a",
    "EventId": "ElasticCacheCluster-CREATE_FAILED-2020-08-26T21:20:36.420Z",
    "StackName": "patheindirectory",
    "LogicalResourceId": "ElasticCacheCluster",
    "PhysicalResourceId": "",
    "ResourceType": "AWS::ElastiCache::CacheCluster",
    "Timestamp": "2020-08-26T21:20:36.420000+00:00",
    "ResourceStatus": "CREATE_FAILED",
    "ResourceStatusReason": "Some security group Id not recognized by EC2: securityGroupIds[[patheindirectory-ElasticCacheSecurityGroup-1BYYWJDZOM4TM]], awsAccountId[733553390213] (Service: AmazonElastiCache; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 331c0240-bed8-4861-9b92-29603ad2b08c)",
    "ResourceProperties": "{\"CacheNodeType\":\"cache.t2.small\",\"VpcSecurityGroupIds\":[\"patheindirectory-ElasticCacheSecurityGroup-1BYYWJDZOM4TM\"],\"PreferredAvailabilityZones\":[\"eu-west-1a\",\"eu-west-1b\"],\"NumCacheNodes\":\"2\",\"Engine\":\"memcached\",\"AZMode\":\"cross-az\"}"
},

How can I fix it?


Solution

  • The VpcSecurityGroupIds should contain the SG group ID, not the SG name.

    Thus, you should replace:

          VpcSecurityGroupIds:
            - !Ref ElasticCacheSecurityGroup

    with

          VpcSecurityGroupIds:
            - !GetAtt ElasticCacheSecurityGroup.GroupId

    Please note that there could be other issues which are not yet apparent. But the above change should fix the error reported in your question.
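A template check for the mistake the answer describes, as an added example that is not part of the original answer: it flags any VpcSecurityGroupIds entry that !Refs an AWS::EC2::SecurityGroup declared without VpcId (where Ref yields the group name rather than the ID) and rewrites it to the Fn::GetAtt GroupId form. It assumes the template is in CloudFormation's JSON form, with a constructed excerpt of the question's resources embedded inline, and only inspects the ElastiCache property.

```python
import copy

SG_TYPE = "AWS::EC2::SecurityGroup"
# Resource types that take security-group *IDs*, and the property holding them.
SG_ID_PROPERTIES = {"AWS::ElastiCache::CacheCluster": "VpcSecurityGroupIds"}

# Constructed excerpt of the question's template in CloudFormation's JSON form
# (no YAML library needed); {"Ref": x} / {"Fn::GetAtt": [...]} are the long forms
# of !Ref / !GetAtt. The security group has no VpcId, so !Ref yields its name.
TEMPLATE = {"Resources": {
    "ElasticCacheSecurityGroup": {
        "Type": SG_TYPE,
        "Properties": {"GroupDescription": "Enable TCP connection on port 6379"}},
    "ElasticCacheCluster": {
        "Type": "AWS::ElastiCache::CacheCluster",
        "Properties": {"Engine": "memcached",
                       "VpcSecurityGroupIds": [{"Ref": "ElasticCacheSecurityGroup"}]}},
}}


def find_sg_name_refs(template):
    """Return (resource, property, sg) for every entry that Refs a security
    group declared without VpcId. Ref then resolves to the group *name*, which
    ElastiCache rejects with "Some security group Id not recognized by EC2"."""
    resources = template.get("Resources", {})
    findings = []
    for res_name, res in resources.items():
        prop = SG_ID_PROPERTIES.get(res.get("Type"))
        if prop is None:
            continue
        for entry in res.get("Properties", {}).get(prop, []):
            if not isinstance(entry, dict) or "Ref" not in entry:
                continue  # literal sg-... IDs and Fn::GetAtt GroupId are fine
            target = resources.get(entry["Ref"], {})
            if target.get("Type") == SG_TYPE and "VpcId" not in target.get("Properties", {}):
                findings.append((res_name, prop, entry["Ref"]))
    return findings


def fix_sg_name_refs(template):
    """Return a copy in which each flagged Ref becomes Fn::GetAtt <sg>.GroupId,
    the change the answer recommends."""
    fixed = copy.deepcopy(template)
    for res_name, prop, sg in find_sg_name_refs(template):
        props = fixed["Resources"][res_name]["Properties"]
        props[prop] = [{"Fn::GetAtt": [sg, "GroupId"]} if e == {"Ref": sg} else e
                       for e in props[prop]]
    return fixed
```

A security group that does declare VpcId is left alone, because there Ref already returns the group ID.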