
Is there a way to reference a security group from a previous Cloudformation stack in a new CF stack?

I'm trying to build a stack with multiple EC2 instances that have varied security groups.

It would be easy for me if I could create my security groups in advance and reference them in my EC2 stack.

Is there a way to reference an existing security group resource in a CF stack?

Thanks in advance for the help!

Yes, this is totally possible with standard CloudFormation templates. You can solve this in a couple of ways.

If you are using nested stacks, you can create all the security groups you need in one sub-stack. That stack should have Outputs for each of the Security Group Ids you created.

Outputs:
  SecurityGroup1Id:
    Description: Security Group 1 ID
    Value: !Ref SecurityGroup1

In the stack that then creates your EC2 instances, you can define Parameters for each of the security groups. It can either be an array or one parameter for each group, depending on your use case.

Single Template

If the EC2 instances and security groups are being defined in the same template, then you can use a simple Ref to access the ID of the already created security group, i.e. !Ref SecurityGroup1Name

If you already have a security group deployed and you know its ID, you can reference it like this under Properties.

You can reference multiple security groups, as it is a list:

      SecurityGroupIds: 
        - <the id of the security group>
        - <another security group ID>

If the Security Groups were created outside of CloudFormation (Console/CLI) or the CloudFormation stacks aren't linked via nesting or exports, you should define them as Parameters, then reference that parameter name in your template:

Parameters:
  MySecurityGroup: 
    Type: String
    Description: ID of an existing VPC security group (sg-xxxxxx)

Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      # All of your other properties
      SecurityGroupIds: 
        - !Ref MySecurityGroup

If the security group ID is something you're going to reference often, put it in SSM Parameter Store and link the two by following the steps in this blog post: https://aws.amazon.com/blogs/mt/integrating-aws-cloudformation-with-aws-systems-manager-parameter-store/

Yes, you can create a security group in advance and reference it in the new stack. In the example below we are creating a security group through a CloudFormation template that allows the RDP protocol (TCP 3389) for a user (user name is User1) and exporting the security group name.

And in the EC2 CloudFormation stack we are importing the exported value (SG name) of the security group CloudFormation stack.

AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for Security Group definitions
Parameters:
  User1:
    Description: Public IP of Deven.
    Type: String
    Default: 106.209.184.29/32
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: Must be valid IP Range.

Resources:
  MySG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Common Jenkins SG.
      VpcId: vpc-8587d522
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref User1
          Description: User1 - RDP access.
      # The Name tag belongs under Tags, not inside the ingress rule list
      Tags:
        - Key: Name
          Value: test-security-group
      SecurityGroupEgress: []

Outputs:
  Ec2SecurityGroup:
    Description: Security Group ID for EC2
    Value: !Ref MySG
    Export:
      Name: !Sub "${AWS::StackName}-testapplication"

In your EC2 instance template, import the value. Below is an example of the same.

Resources:
  MyEC2Instance:                      # logical resource name is a placeholder
    Type: 'AWS::EC2::Instance'
    Properties:
      # ... your other 'AWS::EC2::Instance' properties ...
      KeyName: !Ref Key
      SubnetId: !Ref SubnetA
      # The export carries the group ID, so use SecurityGroupIds (a list);
      # the imported name must match the Export Name of the security group stack
      SecurityGroupIds:
        - Fn::ImportValue:
            !Sub "${SGStackName}-testapplication"   # SGStackName is the security group CloudFormation stack name
      # ... your other 'AWS::EC2::Instance' properties ...

For more detail, please go through the official link.
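Both answers rely on the same two pieces: the security group stack publishes an Output with an Export name, and the instance stack consumes it with Fn::ImportValue, where the import name must match an export exactly and SecurityGroupIds must be a list. The following Python script is an added example (not code from either answer) that checks a producer/consumer template pair offline for exactly these mistakes before anything is deployed. It assumes the templates are in CloudFormation's JSON form (held here as Python dicts), that only the plain-string form of Fn::Sub is used, and that the stack name passed in is the value the SGStackName parameter would carry; the templates, resource IDs and stack name it contains are constructed placeholders.

```python
"""Offline consistency check for CloudFormation cross-stack references.

Added example, not code from the original answers. Templates are held in
their JSON form as Python dicts; all three below are constructed for this
example and use placeholder resource IDs.
"""
import re

_SUB_RE = re.compile(r"\$\{([^}]+)\}")

# Producer stack: publishes the security group ID as an export.
SG_TEMPLATE = {
    "Resources": {"MySG": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "RDP from one admin address",
            "VpcId": "vpc-PLACEHOLDER",
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3389,
                                      "ToPort": 3389, "CidrIp": "203.0.113.10/32"}]}}},
    "Outputs": {"Ec2SecurityGroup": {
        "Value": {"Ref": "MySG"},
        "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-testapplication"}}}},
}

# Consumer with three defects: the import suffix does not match the export,
# SecurityGroups is not a list, and SecurityGroups (group names) is combined
# with SubnetId (non-default VPC, where group IDs are required).
BROKEN_EC2_TEMPLATE = {
    "Parameters": {"SGStackName": {"Type": "String"}},
    "Resources": {"MyInstance": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "ImageId": "ami-PLACEHOLDER", "SubnetId": "subnet-PLACEHOLDER",
            "SecurityGroups": {"Fn::ImportValue": {"Fn::Sub": "${SGStackName}-RenderEngine"}}}}},
}

# Same consumer with the import name aligned and SecurityGroupIds as a list.
FIXED_EC2_TEMPLATE = {
    "Parameters": {"SGStackName": {"Type": "String"}},
    "Resources": {"MyInstance": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "ImageId": "ami-PLACEHOLDER", "SubnetId": "subnet-PLACEHOLDER",
            "SecurityGroupIds": [{"Fn::ImportValue": {"Fn::Sub": "${SGStackName}-testapplication"}}]}}},
}


def resolve_sub(value, variables):
    """Resolve a plain string or {"Fn::Sub": "..."} against a variable map.
    An unknown ${Var} raises KeyError so the caller can report it."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and isinstance(value.get("Fn::Sub"), str):
        return _SUB_RE.sub(lambda m: variables[m.group(1)], value["Fn::Sub"])
    raise ValueError(f"unsupported export/import name form: {value!r}")


def export_names(template, stack_name):
    """Export names a stack publishes, with ${AWS::StackName} resolved."""
    variables = {"AWS::StackName": stack_name}
    return {resolve_sub(out["Export"]["Name"], variables)
            for out in template.get("Outputs", {}).values() if "Export" in out}


def iter_imports(node):
    """Yield every Fn::ImportValue argument found anywhere in a template."""
    if isinstance(node, dict):
        if "Fn::ImportValue" in node:
            yield node["Fn::ImportValue"]
        for child in node.values():
            yield from iter_imports(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_imports(child)


def check_cross_stack(producer, producer_stack_name, consumer, consumer_params):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    available = export_names(producer, producer_stack_name)
    for imp in iter_imports(consumer):
        try:
            name = resolve_sub(imp, dict(consumer_params))
        except KeyError as missing:
            findings.append(f"Fn::Sub references undefined variable {missing}")
            continue
        if name not in available:
            findings.append(f"import {name!r} matches no export of stack "
                            f"{producer_stack_name!r} (exports: {sorted(available)})")
    for logical_id, res in consumer.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        for key in ("SecurityGroupIds", "SecurityGroups"):
            if key in props and not isinstance(props[key], list):
                findings.append(f"{logical_id}.{key} must be a list, got {type(props[key]).__name__}")
        if "SecurityGroups" in props and "SubnetId" in props:
            findings.append(f"{logical_id}: SecurityGroups takes group names and only works in the "
                            "default VPC; with SubnetId use SecurityGroupIds")
    return findings


if __name__ == "__main__":
    params = {"SGStackName": "sg-stack"}
    for label, tmpl in (("broken", BROKEN_EC2_TEMPLATE), ("fixed", FIXED_EC2_TEMPLATE)):
        print(label, check_cross_stack(SG_TEMPLATE, "sg-stack", tmpl, params) or "OK")
```

Run as a script it reports three findings for the broken consumer and OK for the corrected one. Loading real templates is a matter of `json.load` on the files; YAML templates using the `!Ref`/`!Sub` short-form tags need a tag-aware loader, which this example does not include.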
