Using Cloud Formation provisioned security group with specific subnet
You just need to change this line:

    "SecurityGroups" : [ {"Ref" : "WebServerSecurityGroup"} ],

to this:

    "SecurityGroupIds" : [ {"Ref" : "WebServerSecurityGroup"} ],

Per the CloudFormation documentation on the topic, the SecurityGroups attribute is only valid for EC2 security groups. You're using VPC, so you need to use SecurityGroupIds.
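As an added example (not code from the question, the answer, or AWS), here is a small Python linter that encodes the rule the answer states and the follow-up failure the comments mention: an instance with SubnetId must use SecurityGroupIds, each Ref must resolve to a security group in the same template, and that group should carry a VpcId. The two templates it checks are constructed to mirror the question (the resource ids ami-1234, subnet-abcdef123 and vpc-0123abcd are placeholders, and the three rules are my reading of the thread, not an official validation list).

```python
"""Linter for the EC2-Classic vs VPC security-group mix-up discussed above.

Assumed rules (encoded from the answer and the comments, not from AWS docs):
  1. An AWS::EC2::Instance with SubnetId is a VPC instance and must use
     SecurityGroupIds rather than SecurityGroups.
  2. Each {"Ref": ...} in SecurityGroupIds must name an
     AWS::EC2::SecurityGroup resource in the same template.
  3. A security group attached to a VPC instance should declare VpcId
     (the comments mention a VpcId typo as the follow-up failure).
All resource ids below (ami-1234, subnet-abcdef123, vpc-0123abcd) are
placeholders constructed for this example.
"""
import json


def _refs(values):
    """Yield (target, is_ref) for each entry of a security-group list."""
    for v in values or []:
        if isinstance(v, dict) and "Ref" in v:
            yield v["Ref"], True
        else:
            yield v, False          # literal id such as "sg-12345"


def lint_template(template):
    """Return a list of findings (strings); an empty list means clean."""
    findings = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        in_vpc = "SubnetId" in props
        # Rule 1: the exact mistake behind the error in the question.
        if in_vpc and "SecurityGroups" in props:
            findings.append(
                f"{name}: uses SecurityGroups together with SubnetId; "
                "SecurityGroups is EC2-Classic only, use SecurityGroupIds")
        for target, is_ref in _refs(props.get("SecurityGroupIds")):
            if not is_ref:
                continue            # nothing to resolve inside the template
            sg = resources.get(target)
            # Rule 2: the Ref must resolve to a security group resource.
            if sg is None or sg.get("Type") != "AWS::EC2::SecurityGroup":
                findings.append(
                    f"{name}: SecurityGroupIds refers to {target!r}, which is "
                    "not an AWS::EC2::SecurityGroup in this template")
            # Rule 3: a VPC instance needs a VPC security group.
            elif in_vpc and "VpcId" not in sg.get("Properties", {}):
                findings.append(
                    f"{target}: no VpcId, but {name} is placed in a subnet; "
                    "a Classic security group cannot be attached to it")
    return findings


def lint_json(text):
    """Convenience wrapper for a template held as a JSON string."""
    return lint_template(json.loads(text))


def _security_group(vpc_id=None):
    """The question's security group (HTTP + SSH), optionally with VpcId."""
    props = {
        "GroupDescription": "Enable HTTP and SSH",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80",
             "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
             "CidrIp": "0.0.0.0/0"},
        ],
    }
    if vpc_id is not None:
        props["VpcId"] = vpc_id
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": props}


def make_template(group_key, vpc_id=None):
    """Minimal template; group_key is 'SecurityGroups' or 'SecurityGroupIds'."""
    return {"Resources": {
        "WebServerSecurityGroup": _security_group(vpc_id),
        "WebServerHost": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-1234",
                "InstanceType": "t2.micro",
                group_key: [{"Ref": "WebServerSecurityGroup"}],
                "SubnetId": "subnet-abcdef123",
            },
        },
    }}


# As posted in the question: SecurityGroups + SubnetId, group without VpcId.
BROKEN_TEMPLATE = make_template("SecurityGroups")
# After applying the answer (and adding the VpcId the comments mention).
FIXED_TEMPLATE = make_template("SecurityGroupIds", "vpc-0123abcd")

if __name__ == "__main__":
    for label, tmpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, lint_json(json.dumps(tmpl)) or ["OK"])
```

Running the file prints one finding for the broken template and OK for the fixed one; `lint_json` takes a real template file's contents, so the same check can run in CI before `create-stack` rather than after a failed deployment.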
Friedrich 'Fred' Clausen
Updated on September 18, 2022

Comments
-
Friedrich 'Fred' Clausen over 1 year

Summary

I'm attempting to create an AWS CloudFormation template which contains an instance for which I want to select a particular subnet. If I specify the subnet ID then I get the following error:

    The parameter groupName cannot be used with the parameter subnet

From reading this thread it appears I need to provide security group IDs - not names. How can I create a security group in CloudFormation and then get its ID after the fact?

Details

The relevant part of the instance config is as follows:
    "WebServerHost": {
      "Type" : "AWS::EC2::Instance",
      <..skipping metadata...>
      "Properties": {
        "ImageId" : "ami-1234",
        "InstanceType" : { "Ref" : "WebServerInstanceType" },
        "SecurityGroups" : [ {"Ref" : "WebServerSecurityGroup"} ],
        "SubnetId" : "subnet-abcdef123",
and the security group looks as follows:

    "WebServerSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "GroupDescription" : "Enable HTTP and SSH",
        "SecurityGroupIngress" : [
          {"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"}
        ]
      }
    },

How can I create and then get that security group's ID?
-
EEAA over 9 years
I presume you're not creating the subnet in your cloudformation manifest?
-
Friedrich 'Fred' Clausen over 9 years
Correct - I am using an existing subnet.
-
Friedrich 'Fred' Clausen over 9 years
That gives the same error unfortunately. If I do

    "SecurityGroupIds" : [ "sg-12345" ]

then it works. I think I somehow need to translate that literal security group snippet into a reference after it is created.
-
EEAA over 9 years
In that case, you have something else going on. I'm doing this exact thing in a few of my cfn manifests, and they're working perfectly. I'm not sure if resource order is important with CFN (I've never checked), but you may consider trying to define the SG first in your manifest.
-
Friedrich 'Fred' Clausen over 9 years
Good idea - I'll try experimenting with those options and update.
-
Friedrich 'Fred' Clausen over 9 years
I have put up a gist for the complete manifest. I am using the CF tutorial template except it has been modified to use a subnet and with my attempt at applying a security group there.
-
EEAA over 9 years
Can you please update your question with the full error message you're getting?
-
Friedrich 'Fred' Clausen over 9 years
Actually, I was daft; your advice worked. It failed for another reason after making your suggested changes (typo in VPC for security group) - I did not catch that and thought it was the original problem.
-
EEAA over 9 years
Hah, excellent. Glad you're up and running.
-
Josh Padnick over 9 years
Just wanted to chime in that I ran into this exact issue using troposphere (github.com/cloudtools/troposphere) because I forgot to use Ref() and was also using SecurityGroups instead of SecurityGroupIds. @EEAA's solution worked perfectly!
-
CarlR about 7 years
Thanks for pointing this out. I had read the AWS documentation; however, it did not click that this was the problem. I believe the docs on this could be a lot clearer - actually saying that the "SecurityGroups" parameter is for use in the EC2 classic mode would be helpful.
-
S.K. Venkat about 6 years
This answer indirectly helped to resolve my problem. Thanks very much @EEAA