Pivotal Knowledge Base

Service Broker for AWS cannot create Service Instance for PostgreSQL v10

Environment

Pivotal Cloud Foundry All Versions

AWS (Amazon Web Services) Service Broker

Symptom

When attempting to create a service instance for the 'aws-rds-postgres' (AWS PostgreSQL Database instance) service using PostgreSQL Engine Version 10+, the create-service command fails with an invalid parameter error.

Error Message:

$ cf create-service aws-rds-postgres basic aws-rds-postgres 
Server error, status code: 502, error code: 10001, message: Service broker error: InvalidParameterValue: ParameterGroupFamily postgres10.1 is not a valid parameter group family

Cause 

The Service Broker for AWS tile builds a 'DB Parameter Group' used by AWS to set the database configuration. This is built based on the values set in the tile for parameters such as 'Engine' and 'EngineVersion'. 

Starting with PostgreSQL version 10, AWS changed the format of the 'ParameterGroupFamily' value that is derived from 'EngineVersion'. The previous format was <engine><major>.<minor> (e.g. 'postgres9.6'); the new format drops the minor version, so for 10.1 the value is 'postgres10'. The broker still sends the old format ('postgres10.1', as shown in the error message above), so AWS does not recognize the value when provisioning the service instance.

Note: The prerequisites for this error to occur are the following:

  1. Postgres engine version configured in the ERT/PAS tile to use 10.1 (or higher)
  2. SSL enabled
  3. "Custom DB Parameter Group Name" not specified

Resolution

The workarounds available are as follows.

Option 1: Recommended

  1. In the AWS console, create a custom DB Parameter Group, and modify the 'rds.force_ssl' flag to equal 1.
  2. In the Service Broker for AWS tile, under the PostgreSQL plan configuration, enter the name of the custom DB Parameter Group from Step 1 in the 'DB Parameter Group Name' field. 

Note: If you encounter a 'Provided DBParameterGroup (your-custom-param-group-name) is missing expected rds.force_ssl parameter value' error, then the 'Database SSL Connection' tile setting needs to be unchecked. SSL will still be enforced through the value being set in the Custom DB Parameter Group in AWS.
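
The console steps in Option 1 can also be scripted with the AWS CLI. The following is an added example, not code from Pivotal or the broker: the function names and the group name you pass in are assumptions, and it presumes AWS CLI credentials with RDS permissions. It derives the family name in the format AWS accepts ('postgres10' rather than 'postgres10.1').

```shell
#!/usr/bin/env bash
# Added example: CLI form of Option 1. Function names are hypothetical.

# Derive the ParameterGroupFamily from an engine name and engine version.
# Below version 10 the family keeps major.minor (postgres9.6);
# from version 10 on it is the major version only (postgres10).
pg_param_family() {
  local engine="$1" version="$2" major rest minor
  major="${version%%.*}"
  case "$major" in
    ''|*[!0-9]*) echo "invalid engine version: $version" >&2; return 1 ;;
  esac
  if [ "$major" -ge 10 ]; then
    printf '%s%s\n' "$engine" "$major"
    return 0
  fi
  case "$version" in
    *.*) rest="${version#*.}"; minor="${rest%%.*}" ;;
    *)   minor="" ;;
  esac
  case "$minor" in
    ''|*[!0-9]*) echo "version below 10 needs major.minor: $version" >&2; return 1 ;;
  esac
  printf '%s%s.%s\n' "$engine" "$major" "$minor"
}

# Create the custom DB Parameter Group and set rds.force_ssl to 1.
# $1 = group name (your choice), $2 = PostgreSQL engine version, e.g. 10.1
create_ssl_param_group() {
  local name="$1" version="$2" family
  family="$(pg_param_family postgres "$version")" || return 1
  aws rds create-db-parameter-group \
    --db-parameter-group-name "$name" \
    --db-parameter-group-family "$family" \
    --description "PostgreSQL $version with rds.force_ssl=1" &&
  aws rds modify-db-parameter-group \
    --db-parameter-group-name "$name" \
    --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=immediate"
}

# Print the rds.force_ssl value stored in the group (expect 1).
force_ssl_value() {
  aws rds describe-db-parameters --db-parameter-group-name "$1" \
    --query "Parameters[?ParameterName=='rds.force_ssl'].ParameterValue" \
    --output text
}
```

Call create_ssl_param_group with a group name of your choice and the engine version, confirm that force_ssl_value prints 1 for that group, then enter the group name in the tile's 'DB Parameter Group Name' field as described in Step 2.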

Option 2: Not Recommended (Insecure)

Disable the 'Database SSL Connection' setting to automatically use the default DB Parameter Group. This will resolve the issue; however, the connection to the database will not be encrypted.

Once there is full public documentation available for AWS PostgreSQL version 10 and the broker can be updated to support the new formats, this issue will be resolved in a future version of the Service Broker for AWS tile. The Release Notes for the broker can be found here.
