AWS CloudFormation and Kong


Install and use Kong with AWS CloudFormation.

AWS CloudFormation and Kong installation documentation


I was having trouble running the cloudformation template for PostgreSQL into an existing VPC in eu-west-1. It has an issue creating the autoscaling group:

14:41:38 UTC+0000|ROLLBACK_IN_PROGRESS|AWS::CloudFormation::Stack|kong-elb-postgres-hvm-staging|The following resource(s) failed to create: [KongScalingGroup]. . Rollback requested by user.|
14:41:37 UTC+0000|CREATE_FAILED|AWS::AutoScaling::AutoScalingGroup|KongScalingGroup|Received 1 FAILURE signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement|

Any ideas?


I’ve just begun using the CloudFormation templates as well and was encountering this issue as well. Within 2-4 minutes of initiating the stack creation, you can go to EC2, right-click on the instance, go to instance settings, and view its system logs.

The specific issue I am having is that the EC2 instance created by the Kong CF Template is timing out attempting to perform the migrations, because my existing Postgres RDS instance’s security rules are not configured to accept traffic from the new security group that gets created by the Kong CF Template.

For anyone else using an existing VPC and an existing Postgres RDS instance:
A. Temporarily expose your Postgres instance to all traffic (easy, but not recommended if you have sensitive information)
B. After initiating CF stack creation, edit the security group for Postgres to accept inbound traffic from the Kong security group.

  1. Go to the RDS page for your Postgres instance and click on its security group in the section Details / Security and Network.
  2. Edit the Inbound rules to add a new rule: Custom TCP on port 5432.
  3. Using Custom as the Source, type ‘Kong’ or ‘sg’ in the input and select the security group created by the Kong CF template (It should include Kong in its name. If not, ‘sg’ will show all security groups).
  4. Save your new security group rule, and hope that you were able to complete that before the EC2 instance attempts to talk to Postgres. (Shouldn’t be too hard, as it has to install a few things first)

EDIT: Slightly more elegant version:
Adds a new parameter for the existing RDS SecurityGroupId, condition to check if a value was provided, and a SecurityGroupIngress rule for the provided security group to accept incoming TCP traffic on the DBPort (5432) from the KongSecurityGroup used by the EC2 instances.

Add to Template Parameters:
“DBSecurityGroupId” : {
“Type” : “String”,
“Description” : “Conditional- required if DBHost provided and you have an existing security group you would like to update.”,
“Default” : “”,
“AllowedPattern” : “^(?:sg-[0-9a-f]{8}|)$”,
“ConstraintDescription” : “SecurityGroup ID must begin with ‘sg-’ and contain 8 alphanumerics. Leave blank if database is publicly accessible.”

Add to Template Conditions:
“ExistingDBSecurityGroup” : { “Fn::Not” : [ { “Fn::Equals” : [ { “Ref” : “DBSecurityGroupId” }, “” ] } ] },

Add to Template Resources:
“DBIngressRule”: {
“Type”: “AWS::EC2::SecurityGroupIngress”,
“Condition”: “ExistingDBSecurityGroup”,
“Properties”: {
“GroupId” : { “Ref” : “DBSecurityGroupId” },
“IpProtocol”: “tcp”,
“FromPort”: { “Ref” : “DBPort” },
“ToPort”: { “Ref” : “DBPort” },
“SourceSecurityGroupId”: {
“Fn::GetAtt” : [ “KongSecurityGroup”, “GroupId” ]



I tried opening my existing DB to temporarily and still got the error


Received 1 FAILURE signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement.

Did you manage to get the template to work?


@berry2012 can you check cloud init log and share the error you see there? Also are you working with latest template? It was updated last night.


ha I see.
Just got it to run now.