
InvalidParameterValue: Some input subnets in :[10.0.10.0/24] are invalid. #175

Closed skloeckner-inc closed 6 years ago

skloeckner-inc commented 6 years ago

I get the following error when running a template. It seems to fail when creating a security group for the database.


$ ./m2-deploy-docker-rds.sh 
[info]    Dry running template ...
vpc = create vpc cidr=10.0.0.0/16 name=magento2-vpc
igw = create internetgateway
attach internetgateway id=$igw vpc=$vpc
subnet = create subnet cidr=10.0.0.0/24 name=magento2-subnet vpc=$vpc
update subnet id=$subnet public=true
routetable = create routetable vpc=$vpc
attach routetable id=$routetable subnet=$subnet
create route cidr=0.0.0.0/0 gateway=$igw table=$routetable
secgroup = create securitygroup description='authorize http/s from internet' name=magento-secgroup vpc=$vpc
update securitygroup cidr=0.0.0.0/0 id=$secgroup inbound=authorize portrange=443 protocol=tcp
update securitygroup cidr=0.0.0.0/0 id=$secgroup inbound=authorize portrange=80 protocol=tcp
sshsecgroup = create securitygroup description='authorize ssh from origin IP' name=ssh-whitelist vpc=$vpc
update securitygroup cidr=$MY_IP/32 id=$sshsecgroup inbound=authorize portrange=22 protocol=tcp
dbsec = create securitygroup description='authorize mysql port 3306 from private subnets' name=magento2-db-secgroup vpc=$vpc
update securitygroup cidr=10.0.0.0/24 id=$dbsec inbound=authorize portrange=3306 protocol=tcp
dbsub = create dbsubnetgroup description='subnet for magento2 database' name=magento2-dbsubnet subnets=10.0.10.0/24
create database dbname=magento2 engine=mariadb id=m2-database password=supersecret size=8 subnetgroup=$dbsub type=db.t2.micro username=user vpcsecuritygroups=$dbsec

Confirm? [y/N] y
[info]    OK create vpc (vpc-e2ae629b) 
[info]    OK create internetgateway (igw-9421e7f2) 
[info]    OK attach internetgateway
[info]    OK create subnet (subnet-89a18dc1) 
[info]    OK update subnet
[info]    OK create routetable (rtb-994f56e0) 
[info]    OK attach routetable (rtbassoc-8e553df5) 
[info]    OK create route
[info]    OK create securitygroup (sg-a2f7a6de) 
[info]    OK update securitygroup
[info]    OK update securitygroup
[info]    OK create securitygroup (sg-43f2a33f) 
[info]    OK update securitygroup
[info]    OK create securitygroup (sg-32f5a44e) 
[info]    OK update securitygroup
[info]    KO create dbsubnetgroup
        InvalidParameterValue: Some input subnets in :[10.0.10.0/24] are invalid.
        status code: 400, request id: 73bb3dab-9335-4bcf-bac4-6c679dfb7d4d

[info]    Revert this template with `awless revert 01C2Z418ZE2JECM5KDW9NVJP01`

I believe 10.0.10.0/24 falls within 10.0.0.0/16.

Template is here:

# Title: Magento 2 deployment templates for awless.io
# Tags: infra
#
# Builds a VPC with one public subnet, three security groups and a database.
# Values in {braces} ({myip}, {dbpassword}, ...) appear to be filled in when
# the template is run (the log above shows them resolved) — confirm.

# VPC and its Internet gateway
vpc = create vpc cidr=10.0.0.0/16 name=magento2-vpc
igw = create internetgateway
attach internetgateway id=$igw vpc=$vpc

# Subnet and its route table
subnet = create subnet cidr=10.0.0.0/24 vpc=$vpc name=magento2-subnet
update subnet id=$subnet public=true
routetable = create routetable vpc=$vpc
attach routetable subnet=$subnet id=$routetable
# Default route via the Internet gateway: this is the public subnet.
create route cidr=0.0.0.0/0 gateway=$igw table=$routetable

# Create 2 security groups and authorize access from the Internet for port 80 and 443
# NOTE: this template creates no instance, so $secgroup and $sshsecgroup are
# not attached to anything here.
secgroup = create securitygroup vpc=$vpc description="authorize http/s from internet" name=magento-secgroup
update securitygroup id=$secgroup inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=443
update securitygroup id=$secgroup inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=80

sshsecgroup = create securitygroup vpc=$vpc description="authorize ssh from origin IP" name=ssh-whitelist
update securitygroup id=$sshsecgroup inbound=authorize protocol=tcp cidr={myip}/32 portrange=22

###############

# Create database security group (authorize access from private subnet to port 3306)
dbsec = create securitygroup name=magento2-db-secgroup vpc=$vpc description="authorize mysql port 3306 from private subnets"
# NOTE(review): protocol= is omitted here, unlike the other update securitygroup
# lines; the dry-run output above prints protocol=tcp for this rule, but state it
# explicitly rather than rely on a default.
update securitygroup id=$dbsec inbound=authorize cidr=10.0.0.0/24 portrange=3306

# Expose MariaDB database to subnet for magento instance
# NOTE: subnets= takes EC2 subnet IDs (e.g. subnets=[$subnet]), not a CIDR —
# passing 10.0.10.0/24 here is what produced the InvalidParameterValue above.
# Per the reply below, a dbsubnetgroup reportedly needs at least two subnets.
dbsub = create dbsubnetgroup name=magento2-dbsubnet description="subnet for magento2 database" subnets=10.0.10.0/24
# {dbpassword} is resolved at run time; the dry-run/confirm listing prints the
# resolved value in clear (see the log above), so scrub it before sharing output.
create database engine=mariadb id=m2-database password={dbpassword} size=8 type=db.t2.micro username={dbusername} dbname={dbname} subnetgroup=$dbsub vpcsecuritygroups=$dbsec
fxaguessy commented 6 years ago

Hello. If you read the documentation of the create dbsubnetgroup command (awless create dbsubnetgroup -h) you will see that the subnets parameter expects EC2 subnet IDs, not CIDRs.

In your example, you might want to use the subnet created earlier:

dbsub = create dbsubnetgroup name=magento2-dbsubnet description="subnet for magento2 database" subnets=[$subnet]

but if I remember correctly, you may need at least 2 existing subnets to create a dbsubnetgroup (for example subnets=[$subnet1,$subnet2]).

See a full example for example in this awless template.

skloeckner-inc commented 6 years ago

Yes, you were correct. The last 2 lines needed to look like this:

# Create Mysql in subnetgroup and database for magento instance
dbsub = create dbsubnetgroup name=magento2-dbsubnet description="subnet for magento2 database" subnets=[$privsubnet1, $privsubnet2]
# NOTE(review): subnetgroup= appears twice on the next line; $subnet is an EC2
# subnet, not a dbsubnetgroup — only subnetgroup=$dbsub should be kept.
create database engine=mysql id={dbname} password={dbpassword} size=8 type=db.t2.micro username={dbusername} dbname={dbname} subnetgroup=$subnet vpcsecuritygroups=$dbsec subnetgroup=$dbsub

Here's the updated version of the template I am using, where {az1} and {az2} are availability zones of the region, e.g. us-west-2a and us-west-2b:

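# Title: Magento 2 deployment templates for awless.io
# Tags: infra
#
# Builds a VPC with one public subnet for the application, two private subnets
# for the database, three security groups and a MySQL database.
# Values in {braces} ({myip}, {az1}, {az2}, {dbpassword}, ...) appear to be
# filled in when the template is run — confirm.

# VPC and its Internet gateway
vpc = create vpc cidr=10.0.0.0/16 name=magento2-vpc
igw = create internetgateway
attach internetgateway id=$igw vpc=$vpc

# Subnet and its route table
subnet = create subnet cidr=10.0.0.0/24 vpc=$vpc name=magento2-subnet
update subnet id=$subnet public=true
routetable = create routetable vpc=$vpc
attach routetable subnet=$subnet id=$routetable
# Default route via the Internet gateway: this is the public subnet.
create route cidr=0.0.0.0/0 gateway=$igw table=$routetable

# Create 2 security groups and authorize access from the Internet for port 80 and 443
# NOTE: this template creates no instance, so neither group is attached to
# anything yet.
secgroup = create securitygroup vpc=$vpc description="authorize http/s from internet" name=public-http-secgroup
update securitygroup id=$secgroup inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=443
update securitygroup id=$secgroup inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=80

sshsecgroup = create securitygroup vpc=$vpc description="authorize ssh from origin IP" name=ssh-whitelist
update securitygroup id=$sshsecgroup inbound=authorize protocol=tcp cidr={myip}/32 portrange=22

###############

# Two private subnet to constitute the dbsubnetgroup hosting the DB
# Neither is marked public nor given a route to $igw in this template.
privsubnet1 = create subnet cidr=10.0.11.0/24 vpc=$vpc name=mysql-priv-subnet1 availabilityzone={az1}
privsubnet2 = create subnet cidr=10.0.12.0/24 vpc=$vpc name=mysql-priv-subnet2 availabilityzone={az2}

# Create database security group (authorize access from private subnet to port 3306)
dbsec = create securitygroup name=m2-db-secgroup vpc=$vpc description="authorize mysql port 3306 from private subnets"
# NOTE(review): these two rules admit the database's own subnets; a Magento
# host placed in the public subnet (10.0.0.0/24) would not match them —
# confirm where the application will run.
update securitygroup id=$dbsec inbound=authorize protocol=tcp cidr=10.0.11.0/24 portrange=3306
update securitygroup id=$dbsec inbound=authorize protocol=tcp cidr=10.0.12.0/24 portrange=3306
# Operator access to 3306 from the origin IP. The database subnets have no
# Internet route in this template, so this rule only matters if the instance
# is made publicly reachable; remove it once direct access is no longer needed.
update securitygroup id=$dbsec inbound=authorize protocol=tcp cidr={myip}/32 portrange=3306

# Create Mysql in subnetgroup and database for magento instance
dbsub = create dbsubnetgroup name=magento2-dbsubnet description="subnet for magento2 database" subnets=[$privsubnet1, $privsubnet2]
# subnetgroup must reference the dbsubnetgroup ($dbsub). The original line also
# carried a stray subnetgroup=$subnet pointing at the EC2 subnet; it is dropped
# here so the parameter is given exactly once.
# {dbpassword} is resolved at run time; the dry-run/confirm listing prints the
# resolved value in clear, so scrub that output before sharing it.
create database engine=mysql id={dbname} password={dbpassword} size=8 type=db.t2.micro username={dbusername} dbname={dbname} subnetgroup=$dbsub vpcsecuritygroups=$dbsec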