aws-rds: Failed to create private vpc subnet for ServerlessCluster postgres #26108

Closed
meightythree opened this issue Jun 24, 2023 · 2 comments
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@meightythree
Describe the bug

I cannot deploy a serverless cluster for Postgres, but I can deploy MySQL with the same code below.

Expected Behavior

Successful deployment of Serverless cluster for postgres.

Current Behavior

2023-06-24 20:09:12 UTC+0200	stage-stack	
ROLLBACK_COMPLETE
-
2023-06-24 20:09:12 UTC+0200	vpc0110F1D3	
DELETE_COMPLETE
-
2023-06-24 20:09:10 UTC+0200	vpc0110F1D3	
DELETE_IN_PROGRESS
-
2023-06-24 20:09:09 UTC+0200	vpcPrivateSubnet3Subnet075D8A57	
DELETE_COMPLETE
-
2023-06-24 20:09:03 UTC+0200	vpcIGWBF0EF24D	
DELETE_COMPLETE
-
2023-06-24 20:09:02 UTC+0200	vpcIGWBF0EF24D	
DELETE_IN_PROGRESS
-
2023-06-24 20:09:01 UTC+0200	vpcVPCGWFD4CE5D6	
DELETE_COMPLETE
-
2023-06-24 20:08:49 UTC+0200	vpcPrivateSubnet2Subnet4883FE9F	
DELETE_COMPLETE
-
2023-06-24 20:08:49 UTC+0200	vpcPrivateSubnet1Subnet775ED65F	
DELETE_COMPLETE
-
2023-06-24 20:08:48 UTC+0200	vpcPrivateSubnet3Subnet075D8A57	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:48 UTC+0200	vpcPrivateSubnet1Subnet775ED65F	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:48 UTC+0200	vpcPrivateSubnet2Subnet4883FE9F	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:47 UTC+0200	vpcPublicSubnet1EIP489FDF7C	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	serverlessclusterSecurityGroupFB3EDDB1	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPublicSubnet3EIP040F1ED2	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPublicSubnet2EIP72CEE1CE	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	serverlessclusterSubnets21E1055A	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPublicSubnet1Subnet6344E13A	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPublicSubnet2Subnet01060DDD	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPrivateSubnet2RouteTable4A2429CB	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPrivateSubnet3RouteTable36DDDCA9	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPrivateSubnet1RouteTableF3EC60ED	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPublicSubnet3SubnetB3437112	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPublicSubnet2RouteTable94A3F30E	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPublicSubnet3RouteTable59BBB1B5	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	vpcPublicSubnet1RouteTable569F0026	
DELETE_COMPLETE
-
2023-06-24 20:08:47 UTC+0200	CDKMetadata	
DELETE_COMPLETE
-
2023-06-24 20:08:46 UTC+0200	serverlessclusterSecurityGroupFB3EDDB1	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	serverlessclusterSubnets21E1055A	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	profiletableA0AABAB8	
DELETE_SKIPPED
-
2023-06-24 20:08:46 UTC+0200	exchangeratetableFE5D9411	
DELETE_SKIPPED
-
2023-06-24 20:08:46 UTC+0200	vpcPrivateSubnet3RouteTable36DDDCA9	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	serverlesscluster751CD0C7	
DELETE_COMPLETE
-
2023-06-24 20:08:46 UTC+0200	vpcPublicSubnet2RouteTable94A3F30E	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcPublicSubnet2EIP72CEE1CE	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcPublicSubnet1EIP489FDF7C	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcPublicSubnet3SubnetB3437112	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	CDKMetadata	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcPrivateSubnet1RouteTableF3EC60ED	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcPublicSubnet2Subnet01060DDD	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcPublicSubnet3RouteTable59BBB1B5	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcPublicSubnet1Subnet6344E13A	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcPublicSubnet1RouteTable569F0026	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcPrivateSubnet2RouteTable4A2429CB	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcVPCGWFD4CE5D6	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:46 UTC+0200	vpcPublicSubnet3EIP040F1ED2	
DELETE_IN_PROGRESS
-
2023-06-24 20:08:43 UTC+0200	stage-stack	
ROLLBACK_IN_PROGRESS
The following resource(s) failed to create: [vpcPrivateSubnet2RouteTable4A2429CB, vpcPrivateSubnet1RouteTableF3EC60ED, CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0, vpcPublicSubnet1RouteTable569F0026, vpcVPCGWFD4CE5D6, vpcPrivateSubnet3RouteTable36DDDCA9, serverlesscluster751CD0C7, vpcPublicSubnet2RouteTable94A3F30E, vpcPublicSubnet3RouteTable59BBB1B5]. Rollback requested by user.
2023-06-24 20:08:43 UTC+0200	vpcPrivateSubnet2RouteTable4A2429CB	
CREATE_FAILED
Resource creation cancelled
2023-06-24 20:08:43 UTC+0200	vpcPublicSubnet2RouteTable94A3F30E	
CREATE_FAILED
Resource creation cancelled
2023-06-24 20:08:43 UTC+0200	vpcPublicSubnet3RouteTable59BBB1B5	
CREATE_FAILED
Resource creation cancelled
2023-06-24 20:08:43 UTC+0200	vpcPublicSubnet1RouteTable569F0026	
CREATE_FAILED
Resource creation cancelled
2023-06-24 20:08:43 UTC+0200	vpcPrivateSubnet1RouteTableF3EC60ED	
CREATE_FAILED
Resource creation cancelled
2023-06-24 20:08:43 UTC+0200	vpcPrivateSubnet3RouteTable36DDDCA9	
CREATE_FAILED
Resource creation cancelled
2023-06-24 20:08:43 UTC+0200	CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0	
CREATE_FAILED
Resource creation cancelled
2023-06-24 20:08:43 UTC+0200	vpcVPCGWFD4CE5D6	
CREATE_FAILED
Resource creation cancelled
2023-06-24 20:08:42 UTC+0200	serverlesscluster751CD0C7	
CREATE_FAILED
Given input did not match expected format
2023-06-24 20:08:42 UTC+0200	serverlesscluster751CD0C7	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:41 UTC+0200	serverlessclusterSubnets21E1055A	
CREATE_COMPLETE
-
2023-06-24 20:08:41 UTC+0200	serverlessclusterSubnets21E1055A	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:40 UTC+0200	serverlessclusterSecurityGroupFB3EDDB1	
CREATE_COMPLETE
-
2023-06-24 20:08:39 UTC+0200	serverlessclusterSubnets21E1055A	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:39 UTC+0200	vpcVPCGWFD4CE5D6	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:39 UTC+0200	serverlessclusterSecurityGroupFB3EDDB1	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:38 UTC+0200	vpcVPCGWFD4CE5D6	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:38 UTC+0200	vpcPublicSubnet1Subnet6344E13A	
CREATE_COMPLETE
-
2023-06-24 20:08:38 UTC+0200	vpcPublicSubnet3SubnetB3437112	
CREATE_COMPLETE
-
2023-06-24 20:08:38 UTC+0200	vpcPrivateSubnet2Subnet4883FE9F	
CREATE_COMPLETE
-
2023-06-24 20:08:38 UTC+0200	vpcPrivateSubnet3Subnet075D8A57	
CREATE_COMPLETE
-
2023-06-24 20:08:38 UTC+0200	vpcPublicSubnet2Subnet01060DDD	
CREATE_COMPLETE
-
2023-06-24 20:08:38 UTC+0200	vpcPrivateSubnet1Subnet775ED65F	
CREATE_COMPLETE
-
2023-06-24 20:08:37 UTC+0200	vpcPublicSubnet3EIP040F1ED2	
CREATE_COMPLETE
-
2023-06-24 20:08:37 UTC+0200	vpcPublicSubnet2EIP72CEE1CE	
CREATE_COMPLETE
-
2023-06-24 20:08:37 UTC+0200	vpcIGWBF0EF24D	
CREATE_COMPLETE
-
2023-06-24 20:08:37 UTC+0200	vpcPublicSubnet1EIP489FDF7C	
CREATE_COMPLETE
-
2023-06-24 20:08:35 UTC+0200	vpcPrivateSubnet3RouteTable36DDDCA9	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPublicSubnet3SubnetB3437112	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPrivateSubnet2RouteTable4A2429CB	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPublicSubnet1Subnet6344E13A	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPublicSubnet1RouteTable569F0026	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPublicSubnet2RouteTable94A3F30E	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPrivateSubnet2Subnet4883FE9F	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPublicSubnet3RouteTable59BBB1B5	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPrivateSubnet3Subnet075D8A57	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPublicSubnet2Subnet01060DDD	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPrivateSubnet1Subnet775ED65F	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	vpcPrivateSubnet1RouteTableF3EC60ED	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0	
CREATE_IN_PROGRESS
Resource creation Initiated
2023-06-24 20:08:35 UTC+0200	CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:34 UTC+0200	vpcPrivateSubnet3RouteTable36DDDCA9	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:34 UTC+0200	vpcPublicSubnet1RouteTable569F0026	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:34 UTC+0200	vpcPublicSubnet3SubnetB3437112	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:34 UTC+0200	vpcPublicSubnet2RouteTable94A3F30E	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:34 UTC+0200	vpcPrivateSubnet2RouteTable4A2429CB	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:34 UTC+0200	serverlessclusterSecurityGroupFB3EDDB1	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:34 UTC+0200	vpcPublicSubnet3RouteTable59BBB1B5	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:34 UTC+0200	vpcPublicSubnet2Subnet01060DDD	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:34 UTC+0200	vpcPrivateSubnet1Subnet775ED65F	
CREATE_IN_PROGRESS
-
2023-06-24 20:08:34 UTC+0200	vpcPrivateSubnet1RouteTableF3EC60ED	
CREATE_IN_PROGRESS
-

Reproduction Steps

// code pipeline
import { Stack, StackProps } from 'aws-cdk-lib';
import { Pipeline } from 'aws-cdk-lib/aws-codepipeline';
import { CodeBuildStep, CodePipeline, CodePipelineSource } from 'aws-cdk-lib/pipelines';
import { Construct } from 'constructs';

import { GITHUB_CONNECTION_ARN, GITHUB_REPO_STRING } from '../config';

export class CodePipelineStack extends Stack {
    constructor(scope: Construct, id: string, props: StackProps) {
        super(scope, id, props);

        const codeBuildStep = new CodeBuildStep('codebuild-step', {
            input: CodePipelineSource.connection(GITHUB_REPO_STRING, 'dev', {
                connectionArn: GITHUB_CONNECTION_ARN,
                triggerOnPush: false,
            }),
            installCommands: ['npm ci'],
            commands: ['npm run synth'],
        });

        const pipeline = new Pipeline(this, 'pipeline');

        const codePipeline = new CodePipeline(this, `codepipeline`, {
            synth: codeBuildStep,
            codePipeline: pipeline,
        });

        codePipeline.addStage(new DeploymentStage(this, props));
    }
}


// stage
import { StackProps, Stage } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class DeploymentStage extends Stage {
    constructor(scope: Construct, props: StackProps) {
        super(scope, `stage`, props);

        new MyStack(this, `stack`, props);
    }
}

// stack
import { Duration, Stack, StackProps } from 'aws-cdk-lib';
import { Vpc } from 'aws-cdk-lib/aws-ec2';
import { AuroraPostgresEngineVersion, Credentials, DatabaseClusterEngine, ServerlessCluster, AuroraCapacityUnit } from 'aws-cdk-lib/aws-rds';
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
import { Construct } from 'constructs';

export class MyStack extends Stack {
    constructor(scope: Construct, id: string, props: StackProps) {
        super(scope, id, props);

        const DATABASE_NAME = 'database';
        const CLUSTER_IDENTIFIER = `cluster-db`;
        const serverlessClusterUsernameSecret = Secret.fromSecretNameV2(this, 'serverless-cluster-username-secret', `serverless-cluster-username`);
        const serverlessClusterPasswordSecret = Secret.fromSecretNameV2(this, 'serverless-cluster-password-secret', `serverless-cluster-password`);

        const vpc = new Vpc(this, `vpc`);

        const cluster = new ServerlessCluster(this, `database-cluster`, {
            defaultDatabaseName: DATABASE_NAME,
            vpc,
            engine: DatabaseClusterEngine.auroraPostgres({
                version: AuroraPostgresEngineVersion.VER_15_2,
            }),
            scaling: { autoPause: Duration.seconds(0), minCapacity: AuroraCapacityUnit.ACU_2, maxCapacity: AuroraCapacityUnit.ACU_4 },
            credentials: Credentials.fromUsername('admin'),
            clusterIdentifier: CLUSTER_IDENTIFIER,
        });
    }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.84.0 (build f7c792f)

Framework Version

No response

Node.js Version

v18.15.0

OS

Mac OS

Language

TypeScript

Language Version

No response

Other information

No response

@meightythree meightythree added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 24, 2023
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Jun 24, 2023
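
In the event dump under Current Behavior, the one informative failure sits among rows that only say "Resource creation cancelled". The following added example, which is not code from the issue author or the CDK project, parses that three-line-per-event console paste and returns the earliest failure that is not a cancellation; the type and function names are assumptions made for the example.

```typescript
// Added example (not from the issue): locate the root-cause event in a
// CloudFormation event dump pasted from the console.
type StackEvent = { time: string; logicalId: string; status: string; reason: string };

// The paste layout in the issue is three lines per event:
// "<timestamp> <tz>\t<logicalId>", then the status, then the reason ("-" = none).
function parseEvents(dump: string): StackEvent[] {
  const lines = dump.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
  const events: StackEvent[] = [];
  let i = 0;
  while (i + 2 < lines.length) {
    const header = /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+\s+(\S+)$/.exec(lines[i]);
    if (header === null) { i += 1; continue; } // not an event header, resynchronise
    const reason = lines[i + 2] === "-" ? "" : lines[i + 2];
    events.push({ time: header[1], logicalId: header[2], status: lines[i + 1], reason });
    i += 3;
  }
  return events;
}

// Once one resource fails, CloudFormation cancels its in-flight siblings with
// "Resource creation cancelled". Those rows are collateral; the root cause is
// the earliest *_FAILED event that carries any other reason.
function rootCause(events: StackEvent[]): StackEvent | undefined {
  return events
    .filter((e) => /_FAILED$/.test(e.status) && e.reason !== "" && !/cancelled/i.test(e.reason))
    .sort((a, b) => a.time.localeCompare(b.time))[0];
}

// Logical IDs that failed only because something else failed first.
function cancelledSiblings(events: StackEvent[]): string[] {
  return events.filter((e) => /cancelled/i.test(e.reason)).map((e) => e.logicalId);
}

// Excerpt of the events quoted in the issue, newest first as the console shows them.
const SAMPLE_DUMP = [
  "2023-06-24 20:08:43 UTC+0200\tvpcPrivateSubnet2RouteTable4A2429CB\t", "CREATE_FAILED", "Resource creation cancelled",
  "2023-06-24 20:08:43 UTC+0200\tvpcVPCGWFD4CE5D6\t", "CREATE_FAILED", "Resource creation cancelled",
  "2023-06-24 20:08:42 UTC+0200\tserverlesscluster751CD0C7\t", "CREATE_FAILED", "Given input did not match expected format",
  "2023-06-24 20:08:42 UTC+0200\tserverlesscluster751CD0C7\t", "CREATE_IN_PROGRESS", "-",
  "2023-06-24 20:08:41 UTC+0200\tserverlessclusterSubnets21E1055A\t", "CREATE_COMPLETE", "-",
].join("\n");

const cause = rootCause(parseEvents(SAMPLE_DUMP));
console.log(cause ? `${cause.logicalId}: ${cause.reason}` : "no root cause found");
```

On this excerpt the result is the `serverlesscluster751CD0C7` event, with the route table and gateway attachment listed as cancelled siblings.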
@meightythree
Author

meightythree commented Jun 25, 2023

I was able to resolve my issues by destroying the stack and redeploying every time it failed. I had to add security groups, credentials and a subnet group. Hope this helps someone.

Credits to this blog post: https://www.codecentric.de/wissens-hub/blog/how-to-upgrade-aurora-serverless-database-schema-using-cdk-and-lambda

    import { Duration, Stack, StackProps } from 'aws-cdk-lib';
    import { Port, SecurityGroup, SubnetType, Vpc } from 'aws-cdk-lib/aws-ec2';
    import { AuroraPostgresEngineVersion, DatabaseClusterEngine, ServerlessCluster, AuroraCapacityUnit, SubnetGroup, Credentials } from 'aws-cdk-lib/aws-rds';
    import { Construct } from 'constructs';
    
    export class MyStack extends Stack {
        constructor(scope: Construct, id: string, props: StackProps) {
            super(scope, id, props);
    
            const DATABASE_USERNAME = 'myadmin'; // IMPORTANT: admin is a reserved word; use something else
            const DATABASE_NAME = 'my_database';
            const CLUSTER_IDENTIFIER = `cluster-identifier`;
            const vpc = new Vpc(this, `vpc`);
    
            const databaseSecurityGroup = new SecurityGroup(this, `database-security-group`, {
                securityGroupName: `database-security-group`,
                vpc,
            });
            const databaseIngressSecurityGroup = new SecurityGroup(this, `database-ingress-security-group`, {
                securityGroupName: `database-egress-security-group`,
                vpc,
            });
    
            databaseSecurityGroup.addIngressRule(databaseIngressSecurityGroup, Port.tcp(5432), 'allow ingress access');
    
            const credentials = Credentials.fromGeneratedSecret(DATABASE_USERNAME, {
                secretName: `serverless-cluster-password`,
            });
    
            const databaseSubnetGroup = new SubnetGroup(this, `database-subnet-group`, {
                description: 'SubnetGroup for Aurora Serverless',
                vpc,
                vpcSubnets: vpc.selectSubnets({
                    subnetType: SubnetType.PRIVATE_WITH_EGRESS,
                }),
            });
    
            const serverlessCluster = new ServerlessCluster(this, `serverless-aurora-cluster`, {
                engine: DatabaseClusterEngine.auroraPostgres({
                    version: AuroraPostgresEngineVersion.VER_13_3, // IMPORTANT: look for serverless AuroraPostgreSQL version https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Updates.20180305.html
                }),
                credentials,
                defaultDatabaseName: DATABASE_NAME,
                vpc,
                subnetGroup: databaseSubnetGroup,
                securityGroups: [databaseSecurityGroup],
                scaling: {
                    autoPause: Duration.minutes(5),
                    minCapacity: AuroraCapacityUnit.ACU_2,
                    maxCapacity: AuroraCapacityUnit.ACU_4,
                },
                clusterIdentifier: CLUSTER_IDENTIFIER,
            });
        }
    }

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
