12

When doing a deployment with Elastic Beanstalk, we got the following error:

ERROR: Configuration validation exception: Invalid option value: 'sg-fdd33e89' (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'SecurityGroups'): The security group having id 'sg-fdd33e89' does not exist.

Things probably related:

  • We have custom security group settings for the ELB in .ebextensions
  • We had earlier cloned this particular EB environment from an older EB environment and had problems with being unable to temrinate the old environment because of this security group.

(Already solved this but sharing the question in case it helps somebody else)

Touko
  • 11,359
  • 16
  • 75
  • 105
  • 1
    I ran into the same error and was led here first by Google, but I found that this other SO answer was more applicable to me since I was positive my security group still existed (and was in fact the default VPC security group): https://stackoverflow.com/questions/40671054/how-do-i-specify-a-security-group-for-elastic-beanstalk-launch-configuration-in – M.L. Jun 12 '17 at 16:21

5 Answers5

16

I found the Derya Sezen's related blog post AWS Elastic Beanstalk the security group having id does not exist problem that

  • was describing a case where old security group from a the previous environment was inherited to new environment (probably the case with me too)
  • adviced to update EB environment's security group options with AWS CLI

I run the following with AWS CLI following the blog post:

aws elasticbeanstalk update-environment --environment-name my-env-name --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=SecurityGroups,Value=""

After that, EB updated the environments for a while and after that I was able to deploy successfully.

Touko
  • 11,359
  • 16
  • 75
  • 105
3

You can delete the problematic part by running eb config. You will receive editable config for your environment where you can find the non-existent security group and easily delete it.

Remigiusz
  • 450
  • 3
  • 8
  • `eb config` no longer seems to be an option in the new CLI. Do you know the new way of getting the editable config via `aws elasticbeanstalk` ? – user2402616 Jul 15 '21 at 17:54
1

I get to this question/answer with the situation of the removed security group which is used in EB environment. It has an old platform, so aws client could not get/change the configuration - and it was inaccessible from console also. For me it was sufficient to create a security group with the same name as the removed one - and EB started using it instead!

Sergey D.
  • 11
  • 1
  • This is a savvy work-around that resolved the issue for me directly from the AWS Web Console. +1 – rahlf23 Jun 27 '23 at 05:05
  • I can specify the "Security group name" when creating a security group, but I don't see an option to specify the "Security group ID" (and names starting with "sg-" are prohibited). Perhaps something on the AWS web console changed in the last few months? – Matt Aug 16 '23 at 21:14
0

If you made the same mistake as me and terminated the environment, you could not use the AWS CLI for fix this.

$ aws elasticbeanstalk update-environment --environment-name my-kick-ass-env --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=SecurityGroups,Value=""

A client error (InvalidParameterValue) occurred when calling the UpdateEnvironment operation: No Environment found for EnvironmentName = 'my-kick-ass-env'.

The only solution is to wait until the terminated environment is totally removed by AWS. It usually takes an hour to be removed after the termination is finished.

Brett Hardin
  • 4,012
  • 2
  • 19
  • 22
JonDoe297
  • 1,601
  • 1
  • 15
  • 21
0

I bumped into the same error when creating a new environment with EB web console.

Here's what I did to avoid it:

  • make sure your select the appropriate VPC for the instances / have your instances in the appropriate VPC
  • in the web ui, select at least one of the Instance subnets
adrian7
  • 986
  • 12
  • 35