Question
I'd like to create a CloudFormation template that creates a security group resource that allows ingress from a variable list of other security groups. The template would take a parameter of type List<AWS::EC2::SecurityGroup::Id>. I'll name this parameter SourceSecurityGroupIds for this example. Then, it would create a security group resource using something like:
{
  "LogServerSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "GroupDescription": "XYZ security group",
      "VpcId": "vpc-abcxyz",
      "SecurityGroupIngress": [
        {
          "IpProtocol": "tcp",
          "FromPort": 1234,
          "ToPort": 1234,
          "SourceSecurityGroupId": { "Ref": "SourceSecurityGroupIds" }
        }
      ]
    }
  }
}
Of course, the SourceSecurityGroupId property of SecurityGroupIngress doesn't take a list. Is there a way to make this work?
Update - Feb 27, 2019
In retrospect, the correct way to do this is to create a LogSourceSecurityGroup, and allow ingress only from that security group. Then, add that security group to any EC2 instance, etc. that should be able to communicate with the log server.
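A small lint that catches the exact mistake the question describes, added here as an example (it is not code from the question or its answers): it walks a CloudFormation template held as a Python dict and reports any scalar security-group property (SourceSecurityGroupId, GroupId, DestinationSecurityGroupId) that Refs a List-typed parameter, plus any rule open to every address. The template at the bottom is constructed for the example and mirrors the question's; the IDs in it are placeholders.

```python
"""Added example, not part of the question or its answers: lint a
CloudFormation template dict for two security-group mistakes."""

# Parameter types whose Ref yields a list, not a single string.
LIST_PARAM_TYPES = ("CommaDelimitedList", "List<")
# Properties that accept exactly one security group ID.
SCALAR_SG_PROPS = {"SourceSecurityGroupId", "GroupId", "DestinationSecurityGroupId"}


def _is_list_param(params, name):
    """True when parameter `name` is declared with a list type."""
    ptype = params.get(name, {}).get("Type", "")
    return ptype.startswith(LIST_PARAM_TYPES)


def _walk(node, path):
    """Yield (path, key, value) for every dict entry in a nested structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def lint_template(template):
    """Return human-readable findings; an empty list means nothing was flagged."""
    params = template.get("Parameters", {})
    findings = []
    for path, key, value in _walk(template.get("Resources", {}), "Resources"):
        # A list parameter passed where one security group ID is expected.
        if key in SCALAR_SG_PROPS and isinstance(value, dict) and "Ref" in value:
            ref = value["Ref"]
            if _is_list_param(params, ref):
                findings.append(
                    f"{path}.{key}: Ref to list parameter {ref!r} in a scalar property"
                )
        # A rule that admits traffic from any IPv4 or IPv6 address.
        if (key == "CidrIp" and value == "0.0.0.0/0") or (
            key == "CidrIpv6" and value == "::/0"
        ):
            findings.append(f"{path}.{key}: rule open to any address ({value})")
    return findings


# Constructed input: the question's template plus one world-open SSH rule.
EXAMPLE_TEMPLATE = {
    "Parameters": {
        "SourceSecurityGroupIds": {"Type": "List<AWS::EC2::SecurityGroup::Id>"}
    },
    "Resources": {
        "LogServerSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "XYZ security group",
                "VpcId": "vpc-abcxyz",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 1234, "ToPort": 1234,
                     "SourceSecurityGroupId": {"Ref": "SourceSecurityGroupIds"}},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        }
    },
}

if __name__ == "__main__":
    for finding in lint_template(EXAMPLE_TEMPLATE):
        print(finding)
```

Run against the constructed template it prints two findings, one for the list Ref at `SecurityGroupIngress[0].SourceSecurityGroupId` and one for the `0.0.0.0/0` rule. The walker is deliberately generic, so the same check also covers standalone AWS::EC2::SecurityGroupIngress resources and egress rules without any resource-type-specific code.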
Answer 1:
I know it's late so you have already figured it out, but I just ran into this same issue and I was able to fix it. You need to create a "Security Group Ingress" resource that will add the rule to an existing security group, so it would be like:
{
  "LogServerSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "GroupDescription": "XYZ security group",
      "VpcId": "vpc-abcxyz"
    }
  },
  "LogServerSecurityGroupIngress" : {
    "Type" : "AWS::EC2::SecurityGroupIngress",
    "Properties" : {
      "GroupId" : {"Ref" : "LogServerSecurityGroup"},
      "IpProtocol" : "tcp",
      "FromPort" : "1234",
      "ToPort" : "1234",
      "SourceSecurityGroupId" : {"Ref" : "SourceSecurityGroupIds"}
    }
  }
}
You can find more information here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html#cfn-ec2-security-group-ingress-groupid
Answer 2:
The SecurityGroupIngress parameter above is an array/list, so define multiple ingress rules there.
e.g.:
"SecurityGroupIngress": [
  {
    "IpProtocol": "tcp",
    "FromPort": 1234,
    "ToPort": 1234,
    "SourceSecurityGroupId": "SG-12345"
  },
  {
    "IpProtocol": "tcp",
    "FromPort": 1234,
    "ToPort": 1234,
    "SourceSecurityGroupId": "SG-abcde"
  },
  {
    "IpProtocol": "tcp",
    "FromPort": 1234,
    "ToPort": 1234,
    "SourceSecurityGroupId": "SG-54321"
  }
]
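Both answers come down to one rule per source security group: answer 2 writes them out by hand, answer 1 puts each in its own AWS::EC2::SecurityGroupIngress resource. The generator below, added as an example (not code from the question or either answer), combines the two: it keeps the question's List<AWS::EC2::SecurityGroup::Id> parameter and emits one ingress resource per list position, using Fn::Select to pull a single ID out of the list because SourceSecurityGroupId takes only one. CloudFormation has no loop construct, so the expansion happens at generation time, and the number of sources must be fixed then. The resource names, port, VPC ID and description are placeholders chosen for the example.

```python
"""Added example, not code from the question or either answer: generate a
CloudFormation template with one AWS::EC2::SecurityGroupIngress resource per
entry of a List<AWS::EC2::SecurityGroup::Id> parameter."""
import json


def build_template(vpc_id, port, source_count,
                   description="Log server security group"):
    """Return a template dict that allows TCP `port` on the log server group
    from exactly `source_count` source groups supplied via the parameter."""
    if source_count < 1:
        raise ValueError("need at least one source security group")
    resources = {
        "LogServerSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description, "VpcId": vpc_id},
        }
    }
    for i in range(source_count):
        # One ingress resource per list position, as in answer 1.
        resources[f"LogServerIngress{i}"] = {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Ref": "LogServerSecurityGroup"},
                "IpProtocol": "tcp",
                "FromPort": port,
                "ToPort": port,
                # Fn::Select yields the single ID at index i of the parameter.
                "SourceSecurityGroupId": {
                    "Fn::Select": [str(i), {"Ref": "SourceSecurityGroupIds"}]
                },
            },
        }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "SourceSecurityGroupIds": {
                "Type": "List<AWS::EC2::SecurityGroup::Id>",
                "Description": f"Exactly {source_count} security group IDs "
                               f"allowed to reach TCP port {port}",
            }
        },
        "Resources": resources,
    }


if __name__ == "__main__":
    # Placeholder VPC ID and port; three source groups.
    print(json.dumps(build_template("vpc-abcxyz", 1234, 3), indent=2))
```

The count is baked into the template, so keep it and the parameter value in the same deployment step: passing fewer IDs than `source_count` makes the corresponding Fn::Select fail at deploy time, and passing more silently ignores the extras, which is worth a check in whatever script feeds the parameter. The ingress resources also make each allowed source visible as its own line in a change set, which is easier to review than a list parameter whose contents only show up in the parameter value.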
Source: https://stackoverflow.com/questions/32082228/add-a-parameterized-list-of-security-groups-to-another-security-groups-ingress