Cloud Formation AWS Security Problem
Using AWS CloudFormation YAML to create a resource stack with EC2, etc. and an RDS database. I have a specific issue with the reference Member constraint on SecurityGroup.
Member must satisfy constraint: Member must have length less than or equal to 204, Member must have length greater than or equal to 10. What is this error specifically referring to, so I can fix the member constraint? I’ve looked carefully and don’t see what I have in error.
Template Error
Member must satisfy constraint: Member must have length less than or equal to 204, Member must have length greater than or equal to 10
The CloudFormation stack error is referencing SecurityGroup at ‘typeNameList’, but I'm not exactly sure where this ‘typeNameList’ is in error in my script.
CloudFormation Script Error Message
1 validation error detected: Value '[AWS::EC2::RouteTable,
AWS::S3::BucketPolicy, AWS::ElasticLoadBalancingV2::Listener,
AWS::EC2::InternetGateway, AWS::ElasticLoadBalancingV2::TargetGroup,
AWS::EC2::Subnet, AWS::EC2::SecurityGroup::Id, AWS::RDS::DBInstance,
AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::EC2::VPC,
AWS::EC2::SubnetRouteTableAssociation,
AWS::EC2::VPCGatewayAttachment, AWS::EC2::Route, AWS::S3::Bucket,
AWS::EC2::Instance, AWS::EC2::SecurityGroup]' at 'typeNameList'
failed to satisfy constraint: Member must satisfy constraint: [Member
must have length less than or equal to 204, Member must have length
greater than or equal to 10, Member must satisfy regular expression
pattern: [A-Za-z0-9]{2,64}::[A-Za-z0-9]{2,64}::[A-Za-z0-9]{2,64}
(::MODULE){0,1}]
CloudFormation Script code
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  DBInstance:
    Default: DBInstance
    Description: My database instance
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
  DBName:
    Default: mydb
    Description: My database
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
  DBInstanceClass:
    Default: db.m5.large
    Description: DB instance class
    Type: String
  DBAllocatedStorage:
    Default: '50'
    Description: The size of the database (GiB)
    Type: Number
    MinValue: '20'
    MaxValue: '65536'
  DBUsername:
    Type: String
    Description: Master username for the RDS instance
    Default: admin
  DBPassword:
    Type: String
    NoEcho: true
    Description: Master password for the RDS instance
    Default: password
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: VPC
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: VPC Internet Gateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public Subnet 1
  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Private Subnet 1
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.3.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public Subnet 2
  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.4.0/24
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Private Subnet 2
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Route Table
  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssociation1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicRouteTable
  PublicSubnetRouteTableAssociation2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicRouteTable
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Private Route Table
  PrivateSubnetRouteTableAssociation1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1
      RouteTableId: !Ref PrivateRouteTable
  PrivateSubnetRouteTableAssociation2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet2
      RouteTableId: !Ref PrivateRouteTable
  EC2Instance1:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref EC2SecurityGroup
      SubnetId: !Ref PublicSubnet1
      KeyName: EC2Instance1
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          yum update -y
          yum install -y httpd
          systemctl start httpd
          systemctl enable httpd
          #echo "<h1>Hello from Region us-east-2b</h1>" > /var/www/html/index.html
  S3Bucket:
    Type: 'AWS::S3::Bucket'
  ELBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ELB Security Group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.0/24
  SSHSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Security group egress
      SecurityGroupEgress:
        - CidrIp: 127.0.0.1/32
          IpProtocol: "-1"
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EC2 Security Group
      DependsOn: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId:
            Fn::GetAtt:
              - ELBSecurityGroup
              - GroupId
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: 'myBucketV5'
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      SecurityGroupIds:
        - !Ref EC2SecurityGroup
      KeyName: S3BucketPolicy
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action: 's3:*'
            Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:user/@matthew'
  EC2TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckIntervalSeconds: 30
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 15
      HealthyThresholdCount: 5
      Matcher:
        HttpCode: '200'
      Name: EC2TargetGroup
      Port: 80
      Protocol: HTTP
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '20'
      Targets:
        - Id: !Ref EC2Instance1
          Port: 80
      UnhealthyThresholdCount: 3
  ALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref EC2TargetGroup
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 80
      Protocol: HTTP
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      SecurityGroups:
        - !GetAtt ELBSecurityGroup.GroupId
  MyRDS:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBInstanceIdentifier: !Ref DBInstance
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBInstanceClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: MySQL
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      SecurityGroupIds:
        - !Ref EC2SecurityGroup
      KeyName: MyRDS
Outputs:
  EC2InstanceId:
    Description: InstanceId of EC2 instance
    Value: !Ref EC2Instance1
  S3BucketName:
    Description: S3 bucket
    Value: !Ref S3Bucket
  DBInstanceId:
    Description: DBInstanceIdentifier of RDS instance
    Value: !Ref DBInstance
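The regular expression and length bounds in the error message are the constraint every entry of 'typeNameList' (the set of resource Type values in the template) must satisfy, so they can be checked locally before a deploy. The following is an added check, not code from the question or either answer: it applies that exact pattern and the 10..204 length bounds to each Type in a Resources block and also reports logical IDs declared more than once. The template excerpt is a constructed copy of a few of the question's resources, and two-space/four-space indentation is assumed.

```python
import re

# Regex quoted in the CloudFormation error for each entry in 'typeNameList';
# the 10..204 length bounds from the same error are checked separately.
TYPE_NAME_RE = re.compile(
    r"^[A-Za-z0-9]{2,64}::[A-Za-z0-9]{2,64}::[A-Za-z0-9]{2,64}(::MODULE){0,1}$"
)

# Constructed excerpt of the question's template (logical IDs and Type lines only).
SAMPLE_TEMPLATE = """\
Resources:
  VPC:
    Type: AWS::EC2::VPC
  S3Bucket:
    Type: 'AWS::S3::Bucket'
  SSHSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
  S3Bucket:
    Type: 'AWS::S3::Bucket'
"""

RESOURCE_RE = re.compile(r"^  (\w+):\s*$")  # logical ID at two-space indent
TYPE_RE = re.compile(r"^    Type:\s*['\"]?([^'\"\s]+)['\"]?\s*$")  # YAML quotes optional

def type_name_valid(name: str) -> bool:
    """Apply the length and pattern constraints listed in the error message."""
    return 10 <= len(name) <= 204 and TYPE_NAME_RE.match(name) is not None

def check_template(text: str):
    """Return ({logical_id: failing Type value}, [logical IDs declared twice])."""
    bad_types, seen, duplicates, current = {}, set(), [], None
    for line in text.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            current = m.group(1)
            if current in seen:
                duplicates.append(current)
            seen.add(current)
            continue
        m = TYPE_RE.match(line)
        if m and current and not type_name_valid(m.group(1)):
            bad_types[current] = m.group(1)
    return bad_types, duplicates

if __name__ == "__main__":
    bad, dups = check_template(SAMPLE_TEMPLATE)
    print("failing Type values:", bad)
    print("duplicate logical IDs:", dups)
```

Run against the excerpt it reports one failing Type (the four-segment value on SSHSecurityGroup) and one duplicate logical ID (S3Bucket); the single-quoted types pass because YAML quoting is not part of the value CloudFormation validates.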
2 Answers
Based on the regex in the error, the issue is with the type names (lines such as
Type: AWS::EC2::VPC
). If you search for lines starting with
Type: 'AWS
removing the single quotes (') at the start and end of the type should fix it.
Line 186
Should be
Moreover, you have two "S3Bucket" declarations, one in line 172, the second one in line 212.