[英]How do I add a cloudformation security group ingress rule that refers to another security group?
我在 yaml 模板中有以下安全组。 我想让“SecurityGroupApplication”安全组允许来自“SecurityGroupBastion”的传入连接。 但是,aws 客户端的验证模板 function 告诉我无用的信息,如“不受支持的结构”。 好的,但是结构有什么问题? 想法?
Resources:
SecurityGroupBastion:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Bastion security group
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: tcp
FromPort: 22
ToPort: 22
VpcId: !Ref vpcId
SecurityGroupApplication:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Application security group
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref SecurityGroupBastion
IpProtocol: tcp
除了我必须为App安全组指定端口之外,您的模板才能完美地找到我:
Resources:
SecurityGroupBastion:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Bastion security group
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: tcp
FromPort: 22
ToPort: 22
VpcId: vpc-abcd1234
SecurityGroupApplication:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Application security group
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref SecurityGroupBastion
IpProtocol: tcp
FromPort: 22
ToPort: 22
如果您希望SecurityGroupApplication成为安全组,则应使用Type: AWS::EC2::SecurityGroup而不是Type: AWS::EC2::SecurityGroupIngress 。 这可能是您看到的“不支持的结构”错误的原因。
只是如果有人陷入这个老问题,现在,有一种方法可以在 cloudformation 中引用跨帐户 SG,因此如果您想添加指向另一个 AWS 帐户的 SG 入口规则,只需添加密钥SourceSecurityGroupOwnerId和account ID即可。
IE
AWSTemplateFormatVersion: 2010-09-09
Resources:
TargetSG:
Type: 'AWS::EC2::SecurityGroup'
Properties:
VpcId: vpc-1a2b3c4d
GroupDescription: Security group allowing ingress for security scanners
InboundRule:
Type: 'AWS::EC2::SecurityGroupIngress'
Properties:
GroupId: !GetAtt TargetSG.GroupId
IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupId: sg-12345678 # SG in the other AWS account
SourceSecurityGroupOwnerId: '123456789012' # Account ID
AWS Cloudformation - 向安全组出口规则添加条件
[英]AWS Cloudformation - Add condition to security group egress rule
使用 Terraform (AWS) 将安全组添加到另一个安全组的入站规则作为源
[英]Add a Security Group to the Inbound Rule of another Security Group as a Source with Terraform (AWS)
将包含自身和安全组 ID 的 aws_security_group_rule 添加到安全组
[英]Add an aws_security_group_rule that contains self and a security group id to a security group
如何在不重新创建 EC2 实例的情况下通过 Cloudformation 更新安全组
[英]How I can update security group through Cloudformation without recreating EC2 Instance
AWS Cloudformation 为安全组配置 ICMP 协议
[英]AWS Cloudformation configure ICMP protocol for the security group
如何为 google data studio 添加安全组以访问我的 amayon RDS?
[英]How do I add security group for google data studio to access my amayon RDS?
terraform 想在我只想向安全组添加规则时替换 ec2 实例
[英]terraform wants to replace ec2 instances when i simply want to add a rule to a security group
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.