Is there a way to reference a security group from a previous CloudFormation stack in a new CF stack?
I'm trying to build a stack with multiple EC2 instances that have varied security groups.
It would be easy for me if I could create my security groups in advance and reference them in my EC2 stack.
Is there a way to reference an existing security group resource in a CF stack?
Thanks in advance for the help!
Yes, this is totally possible with standard CloudFormation templates. You can solve this in a couple of ways.

If you are using nested stacks, you can create all the security groups you need in one sub-stack. That stack should have Outputs for each of the Security Group IDs you created.

Outputs:
  SecurityGroup1Id:
    Description: Security Group 1 ID
    Value: !Ref SecurityGroup1

In the stack that then creates your EC2 instances, you can define Parameters for each of the security groups. It can either be an array or one parameter for each group, depending on your use case.
Single Template

If the EC2 instances and security groups are being defined in the same template, then you can use a simple Ref to access the ID of the already created security group, i.e.:

  !Ref SecurityGroup1Name
If you already have a security group deployed and you know the ID of it, you can reference it like this under Properties. You can reference multiple security groups, as it is a list:

SecurityGroupIds:
  - <the id of the security group>
  - <another security group ID>
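As an added example (not part of the original answer), here is how the nested-stack variant wires the security-group child's Outputs into the EC2 child's Parameters; the bucket URL, the child template file names, a second output named SecurityGroup2Id, the AMI IDs and the omitted instance properties (SubnetId and so on) are assumed placeholders.

```yaml
# parent.yaml (added example, not from the original answer): creates both
# child stacks and passes the security-group IDs from one to the other.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  TemplateBaseUrl:
    Type: String
    Description: S3 URL prefix holding the child templates (placeholder)
Resources:
  SecurityGroupStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "${TemplateBaseUrl}/security-groups.yaml"   # assumed name
  Ec2Stack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "${TemplateBaseUrl}/ec2-instances.yaml"     # assumed name
      Parameters:
        # Child Outputs are read as <LogicalId>.Outputs.<OutputName>; the
        # GetAtt also makes CloudFormation build SecurityGroupStack first.
        WebSecurityGroupId: !GetAtt SecurityGroupStack.Outputs.SecurityGroup1Id
        # Nested-stack parameters are strings, so a list-typed parameter
        # is handed over as a comma-separated value.
        DbSecurityGroupIds: !Join
          - ","
          - - !GetAtt SecurityGroupStack.Outputs.SecurityGroup1Id
            - !GetAtt SecurityGroupStack.Outputs.SecurityGroup2Id
---
# ec2-instances.yaml (child): typed parameters make CloudFormation reject
# an ID that does not exist in this account/region before anything is built.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  WebSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  DbSecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
Resources:
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-PLACEHOLDER        # placeholder, not a real AMI ID
      InstanceType: t3.micro
      SecurityGroupIds:               # only the group this instance needs
        - !Ref WebSecurityGroupId
  DbInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-PLACEHOLDER
      InstanceType: t3.micro
      SecurityGroupIds: !Ref DbSecurityGroupIds   # Ref of a List parameter is a list
```

Because the child templates are separate files, each one is uploaded to the S3 prefix referenced by TemplateBaseUrl before the parent stack is created.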
Yes, you can cross-reference outputs from one stack in another.
Here is a walkthrough from the AWS official documentation:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-crossstackref.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html
If the security groups were created outside of CloudFormation (Console/CLI) or the CloudFormation stacks aren't linked via nesting or exports, you should define them as Parameters, then reference that parameter name in your template:

Parameters:
  MySecurityGroup:
    Type: String
    Description: ID of an existing VPC security group (sg-xxxxxx)
Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      # All of your other properties
      SecurityGroupIds:
        - !Ref MySecurityGroup

If the security group ID is something you're going to reference often, put it in SSM Parameter Store and link the two by following the steps in this blog post: https://aws.amazon.com/blogs/mt/integrating-aws-cloudformation-with-aws-systems-manager-parameter-store/
Yes, you can create a security group in advance and refer to it in the new stack. In the example below we are creating a security group through a CloudFormation template allowing the 3389/RDP protocol for a user (user name User1) and exporting the security group name.
And in the EC2 CloudFormation stack we are importing the exported value (sg name) of the security group CloudFormation stack.
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for Security Group definitions
Parameters:
  User1:
    Description: Public IP of Deven.
    Type: String
    Default: 106.209.184.29/32
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: Must be a valid IP range.
Resources:
  MySG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Common Jenkins SG.
      VpcId: vpc-8587d522
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref User1
          Description: User1 - RDP access.
      SecurityGroupEgress: []
      Tags:                       # the Name tag belongs under Tags, not inside the ingress list
        - Key: Name
          Value: test-security-group
Outputs:
  Ec2SecurityGroup:
    Description: Security Group ID for EC2
    Value: !Ref MySG
    Export:
      Name: !Sub "${AWS::StackName}-testapplication"
In your EC2 instance template, import the value. Below is the example for the same.

  Type: 'AWS::EC2::Instance'
  Properties:
    # ... (your other parameters mentioned in 'AWS::EC2::Instance')
    KeyName: !Ref Key
    SubnetId: !Ref SubnetA
    SecurityGroupIds:             # the export carries a group ID, so use SecurityGroupIds (a list), not SecurityGroups
      - Fn::ImportValue:
          !Sub "${SGStackName}-testapplication"   # SGStackName is a parameter holding the security group CloudFormation stack name; the suffix must match the Export name above
    # ... (your other parameters mentioned in 'AWS::EC2::Instance')

For more detail please go through the official link.