将参数化的安全组列表添加到另一个安全组的入口 [英] Add a parameterized list of security groups to another security group's ingress

问题描述

我想创建一个CloudFormation模板，该模板创建一个安全组资源，该资源允许从其他安全组的变量列表中进入。该模板将采用类型 List< AWS :: EC2 :: SecurityGroup :: Id> 的参数。在本例中，我将此参数命名为 SourceSecurityGroupIds 。然后，它将使用以下内容创建安全组资源：

I'd like to create a CloudFormation template that creates a security group resource that allows ingress from a variable list of other security groups. The template would take a parameter of type List<AWS::EC2::SecurityGroup::Id>. I'll name this parameter SourceSecurityGroupIds for this example. Then, it would create a security group resource using something like:

{
    "LogServerSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "XYZ security group",
            "VpcId": "vpc-abcxyz",
            "SecurityGroupIngress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 1234,
                    "ToPort": 1234,
                    "SourceSecurityGroupId": { "Ref": "SourceSecurityGroupIds" }
                }
            ]
        }
    }
}

当然， SecurityGroupIngress SourceSecurityGroupId 属性$ c>没有列表。有办法使这项工作吗？

Of course, the SourceSecurityGroupId property of SecurityGroupIngress doesn't take a list. Is there a way to make this work?

回想起来，正确的这样做的方法是创建一个 LogSourceSecurityGroup ，并只允许从该安全组进入。然后，将该安全组添加到任何应能够与日志服务器通信的EC2实例中。

In retrospect, the correct way to do this is to create a LogSourceSecurityGroup, and allow ingress only from that security group. Then, add that security group to any EC2 instance, etc that should be able to communicate with the log server.

推荐答案

我知道已经很晚了，所以您已经知道了，但是我遇到了同样的问题，并且能够解决它。您需要创建一个安全组入口资源，该资源会将规则添加到现有的安全组中，如下所示：

I know it's late so you already figure it out, but I just run into this same issue and I was able to fix it. You need to create a "Security Group Ingress" resource that will add the rule to an existing security group, so it would be like:

{
    "LogServerSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "XYZ security group",
            "VpcId": "vpc-abcxyz"
        }
    },
    "LogServerSecurityGroupIngress" : {
        "Type" : "AWS::EC2::SecurityGroupIngress",
        "Properties" : { 
            "GroupId" : {"Ref" : "LogServerSecurityGroup"},
            "IpProtocol" : "tcp",
            "FromPort" : "1234",
            "ToPort" : "1234",
            "SourceSecurityGroupId" : {"Ref" : "SourceSecurityGroupIds"}
        }

   }
}

您可以在此处找到更多信息：
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security -group-ingress.html＃cfn-ec2-security-group-ingress-groupid

You can find more information here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html#cfn-ec2-security-group-ingress-groupid

这篇关于将参数化的安全组列表添加到另一个安全组的入口的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！