Created and exported a SG from one template/stack:
    Resources:
      RDSSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupName: "sg-name"
    Outputs:
      SGRDS:
        Description: security group of rds instances
        Value: !Ref RDSSecurityGroup
        Export:
          Name: SGRDS
However, although the export is created, when trying to use this SG in an RDS creation using another template (and stack):
    Resources:
      MYRDS:
        Type: AWS::RDS::DBInstance
        Properties:
          DBSecurityGroups:
            - !ImportValue SGRDS
it fails with the following error:
DBSecurityGroup not found: sg-0983409kdje5999
Update: This does not seem to be a problem related to the exported value; assigning the specific SG to my RDS instance for some reason fails either way (I explicitly used the SG name, but I get the above "not found" error with the name instead of the id this time).
For some reason it fails to find the SG.
Since you are using AWS::EC2::SecurityGroup, you need to use the property VPCSecurityGroups to specify your imported security group instead of using DBSecurityGroups. It fails because the SG you've specified is not a DBSecurityGroup.
There are two ways to set security groups for an RDS instance, which are described here:
DBSecurityGroups: Security group of type AWS::RDS::DBSecurityGroup. This was the older way of securing RDS instances.
VPCSecurityGroups: Security group of type AWS::EC2::SecurityGroup, which allows you to specify VPC security groups to secure your RDS instance.
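The fix from the answer above, written out as an added example (not code from the original question or answer). The VpcId, DBSubnetGroupName and MasterPassword parameters and the engine, instance class and user name values are assumptions chosen for illustration; the export uses !GetAtt ... GroupId so the exported value is the security group ID that VPCSecurityGroups expects.

```yaml
# Stack 1 (producer): creates the VPC security group and exports its ID.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id              # assumption: VPC that will host the database
Resources:
  RDSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "sg-name"
      GroupDescription: Security group of RDS instances
      VpcId: !Ref VpcId
Outputs:
  SGRDS:
    Description: security group of rds instances
    Value: !GetAtt RDSSecurityGroup.GroupId   # the sg-... ID, never the group name
    Export:
      Name: SGRDS
---
# Stack 2 (consumer): attaches the imported group through VPCSecurityGroups.
Parameters:
  DBSubnetGroupName:
    Type: String                         # assumption: subnet group in the same VPC as the SG
  MasterPassword:
    Type: String
    NoEcho: true                         # keeps the value out of console and API output
Resources:
  MYRDS:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql                      # illustrative values, not from the page
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      MasterUsername: dbadmin
      MasterUserPassword: !Ref MasterPassword
      DBSubnetGroupName: !Ref DBSubnetGroupName
      # An AWS::EC2::SecurityGroup goes here, not under DBSecurityGroups,
      # which only accepts AWS::RDS::DBSecurityGroup resources.
      VPCSecurityGroups:
        - !ImportValue SGRDS
```

The security group and the DB subnet group must belong to the same VPC, otherwise the instance creation is rejected even with the correct property.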