问题
I have the following security group in a yaml template. I'd like to have the "SecurityGroupApplication" security group allow incoming connections from the "SecurityGroupBastion". However, the validate-template function of the aws client is telling me unhelpful information like "unsupported structure". Ok, but what is wrong with the structure? Ideas?
Resources:
SecurityGroupBastion:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Bastion security group
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: tcp
FromPort: 22
ToPort: 22
VpcId: !Ref vpcId
SecurityGroupApplication:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Application security group
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref SecurityGroupBastion
IpProtocol: tcp
回答1:
Your template works perfectly find for me, except that I had to specify the ports for the App security Group:
Resources:
SecurityGroupBastion:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Bastion security group
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: tcp
FromPort: 22
ToPort: 22
VpcId: vpc-abcd1234
SecurityGroupApplication:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Application security group
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref SecurityGroupBastion
IpProtocol: tcp
FromPort: 22
ToPort: 22
回答2:
If you want SecurityGroupApplication to be a Security Group, then you should use Type: AWS::EC2::SecurityGroup instead of Type: AWS::EC2::SecurityGroupIngress. That is probably the cause of the "unsupported structure" error you are seeing.
来源:https://stackoverflow.com/questions/43669106/how-do-i-add-a-cloudformation-security-group-ingress-rule-that-refers-to-another