Using CloudFormation provisioned security group with specific subnet

You just need to change this line:

"SecurityGroups" : [ {"Ref" : "WebServerSecurityGroup"} ],

to this:

"SecurityGroupIds" : [ {"Ref" : "WebServerSecurityGroup"} ],

Per the CloudFormation documentation on the topic, the SecurityGroups attribute is only valid for EC2 security groups. You're using VPC, so you need to use SecurityGroupIds.

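A complete template for the VPC case, together with a small lint-and-fix pass for the mismatch the answer describes, as an added example (not code from the question, the answer, or AWS). The embedded template is a constructed, trimmed version of the asker's snippet; the VpcId and SubnetId parameters, the resource names and the function names are assumptions made for illustration.

```python
"""Lint and fix a CloudFormation template for the VPC security-group mistake
discussed above: an AWS::EC2::Instance that pins a SubnetId lives in a VPC and
must name its groups by ID (SecurityGroupIds), not by name (SecurityGroups).
Added example; not code from the question, the answer or AWS. The parameter
and resource names are assumptions."""
import copy
import json

# Constructed sample in the asker's shape, with the mistake left in:
# SecurityGroups (names) next to SubnetId, and a security group without VpcId.
TEMPLATE_JSON = r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "WebServerInstanceType": {"Type": "String", "Default": "t3.micro"},
    "VpcId": {"Type": "AWS::EC2::VPC::Id"},
    "SubnetId": {"Type": "AWS::EC2::Subnet::Id"}
  },
  "Resources": {
    "WebServerSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable HTTP and SSH",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "WebServerHost": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-1234",
        "InstanceType": {"Ref": "WebServerInstanceType"},
        "SecurityGroups": [{"Ref": "WebServerSecurityGroup"}],
        "SubnetId": {"Ref": "SubnetId"}
      }
    }
  }
}
'''


def load_sample_template():
    """Parse the constructed sample above into a plain dict."""
    return json.loads(TEMPLATE_JSON)


def _instance_group_refs(props):
    """Logical IDs referenced from an instance's group lists via {"Ref": ...}."""
    refs = list(props.get("SecurityGroups", [])) + list(props.get("SecurityGroupIds", []))
    return [r["Ref"] for r in refs if isinstance(r, dict) and "Ref" in r]


def lint_vpc_security_groups(template):
    """Return (logical_id, message) findings for two VPC mistakes.

    1. An AWS::EC2::Instance with both SubnetId and SecurityGroups: in a VPC
       groups are passed by ID, and passing names is what produces
       "The parameter groupName cannot be used with the parameter subnet".
    2. A referenced AWS::EC2::SecurityGroup with no VpcId, which would not be
       created in the subnet's VPC.
    """
    findings = []
    resources = template.get("Resources", {})
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        if "SubnetId" not in props:
            continue  # no subnet placement, so nothing to check here
        if "SecurityGroups" in props:
            findings.append((logical_id, "SecurityGroups (group names) used with "
                                         "SubnetId; use SecurityGroupIds"))
        for target in _instance_group_refs(props):
            sg = resources.get(target, {})
            if sg.get("Type") == "AWS::EC2::SecurityGroup" and "VpcId" not in sg.get("Properties", {}):
                findings.append((target, "security group has no VpcId; it must be "
                                         "created in the subnet's VPC"))
    return findings


def fix_vpc_security_groups(template, vpc_param="VpcId"):
    """Return a corrected deep copy: rename SecurityGroups to SecurityGroupIds on
    every instance with a SubnetId, and give referenced groups {"Ref": vpc_param}.
    The {"Ref": "<group>"} entries stay as they are, because Ref on a VPC security
    group resolves to its group ID. That a parameter named vpc_param exists is an
    assumption of this example."""
    fixed = copy.deepcopy(template)
    resources = fixed.get("Resources", {})
    for res in resources.values():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        if "SubnetId" not in props:
            continue
        if "SecurityGroups" in props:
            # Merge rather than clobber, in case both keys were present.
            props["SecurityGroupIds"] = props.get("SecurityGroupIds", []) + props.pop("SecurityGroups")
        for target in _instance_group_refs(props):
            sg = resources.get(target, {})
            if sg.get("Type") == "AWS::EC2::SecurityGroup":
                sg.setdefault("Properties", {}).setdefault("VpcId", {"Ref": vpc_param})
    return fixed


if __name__ == "__main__":
    template = load_sample_template()
    for logical_id, msg in lint_vpc_security_groups(template):
        print(f"{logical_id}: {msg}")
    print(json.dumps(fix_vpc_security_groups(template)["Resources"], indent=2))
```

Running the script reports both findings for the constructed template and prints the corrected Resources block, which is the shape the answer arrives at: the instance carries SecurityGroupIds with the same {"Ref": "WebServerSecurityGroup"} entry, and the group itself carries a VpcId so it is created in the same VPC as the subnet. The lint pass is the check to keep around: it catches the SecurityGroups/SubnetId pairing before CloudFormation does, and the stack rollback that follows.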

Author: Friedrich 'Fred' Clausen

Updated on September 18, 2022

Comments

  • Friedrich 'Fred' Clausen
    Friedrich 'Fred' Clausen over 1 year

    Summary

    I'm attempting to create an AWS CloudFormation template which contains an instance for which I want to select a particular subnet. If I specify the subnet ID then I get the following error: "The parameter groupName cannot be used with the parameter subnet". From reading this thread it appears I need to provide security group IDs, not names. How can I create a security group in CloudFormation and then get its ID after the fact?

    Details

    The relevant part of the instance config is as follows:

    "WebServerHost": {
      "Type" : "AWS::EC2::Instance",
     <..skipping metadata...>
      "Properties": {
        "ImageId" : "ami-1234",
        "InstanceType" : { "Ref" : "WebServerInstanceType" },
        "SecurityGroups" : [ {"Ref" : "WebServerSecurityGroup"} ],
        "SubnetId"       : "subnet-abcdef123"
      }
    },
    

    and the security group looks as follows:

    "WebServerSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "GroupDescription" : "Enable HTTP and SSH",
        "SecurityGroupIngress" : [
          {"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"}
        ]
      }
    },
    

    How can I create and then get that security group's ID?

    • EEAA
      EEAA over 9 years
      I presume you're not creating the subnet in your cloudformation manifest?
    • Friedrich 'Fred' Clausen
      Friedrich 'Fred' Clausen over 9 years
      Correct - I am using an existing subnet.
  • Friedrich 'Fred' Clausen
    Friedrich 'Fred' Clausen over 9 years
    That gives the same error unfortunately. If I do "SecurityGroupIds" : [ "sg-12345" ] then it works. I think I somehow need to translate that literal security group snippet into a reference after it is created.
  • EEAA
    EEAA over 9 years
    In that case, you have something else going on. I'm doing this exact thing in a few of my cfn manifests, and they're working perfectly. I'm not sure if resource order is important with CFN (I've never checked), but you may consider trying to define the SG first in your manifest.
  • Friedrich 'Fred' Clausen
    Friedrich 'Fred' Clausen over 9 years
    Good idea - I'll try experimenting with those options and update.
  • Friedrich 'Fred' Clausen
    Friedrich 'Fred' Clausen over 9 years
    I have put up a gist for the complete manifest. I am using the CF tutorial template except it has been modified to use a subnet and with my attempt at applying a security group there.
  • EEAA
    EEAA over 9 years
    Can you please update your question with the full error message you're getting?
  • Friedrich 'Fred' Clausen
    Friedrich 'Fred' Clausen over 9 years
    Actually, I was daft, your advice worked. It failed for another reason after making your suggested changes (typo in VPC for security group) - I did not catch that and thought it was the original problem.
  • EEAA
    EEAA over 9 years
    Hah, excellent. Glad you're up and running.
  • Josh Padnick
    Josh Padnick over 9 years
    Just wanted to chime in that I ran into this exact issue using troposphere (github.com/cloudtools/troposphere) because I forgot to use Ref() and was also using SecurityGroups instead of SecurityGroupIds. @EEAA's solution worked perfectly!
  • CarlR
    CarlR about 7 years
    Thanks for pointing this out. I had read the AWS documentation however it did not click that this was the problem. I believe the docs on this could be a lot clearer - actually saying that the "SecurityGroups" parameter is for use in the EC2 classic mode would be helpful.
  • S.K. Venkat
    S.K. Venkat about 6 years
    This answer indirectly helped to resolve my problem. Thanks very much @EEAA