I have a cfn stack that (among other things), creates a VPC, several security groups, and a handful of EC2 instances. It's trivial to assign security groups that are created within the stack to instances that are also created by the stack. However, I'm interested in the default VPC SG.
When a VPC gets created (whether manually through the GUI, by CloudFormation, or any other means), AWS creates a default security group with an "allow all" rule for any instance in that group.
What I am trying to do is assign this default security group along with several other SGs to instances created by the stack. This is proving to be far more difficult than I anticipated. Here are some snippets showing what I have going on:
    "AllowSSHSecGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "Allow SSH from anywhere",
            "VpcId": { "Ref": "DevVPC" },
            "SecurityGroupIngress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": "22",
                    "ToPort": "22",
                    "CidrIp": "0.0.0.0/0"
                }
            ]
        }
    },
    "Instance001": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "ImageId": "ami-7eab224e",
            "InstanceType": "m1.large",
            "AvailabilityZone": "us-west-2a",
            "PrivateIpAddress": "10.22.0.110",
            "SecurityGroupIds": [ { "Ref": "AllowSSHSecGroup" } ],
            "SubnetId": { "Ref": "PublicSubnet" },
            "KeyName": "erik-key",
            "DisableApiTermination": "false",
            "Tags": [ { "Key": "Name", "Value": "Instance001" } ]
        }
    }
In the above snippet, I'm creating an "allow ssh" security group and assigning that to an instance. As mentioned, my stack also creates a VPC (which this instance is launched in), which in turn creates a default security group. Unfortunately, since this group is created automatically by AWS, its group ID is unavailable to the stack, making it impossible to reference by ID. I initially thought that the SecurityGroups property would be an option, as that would allow me to reference the default SG by its name, default. That doesn't work, though, as the SecurityGroups property is only for EC2 Security Groups, not VPC Security Groups.
So I'm stuck. I have opened up a case with AWS support on this, but so far, they've not been helpful. Any ideas on how I can accomplish this?
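As an added example (not part of the original question), the following template fragment shows how a stack can reach the automatically created default security group: the AWS::EC2::VPC resource exposes it through Fn::GetAtt as the DefaultSecurityGroup attribute, so it can be listed in SecurityGroupIds next to groups the stack defines itself. It assumes the AllowSSHSecGroup and PublicSubnet resources from the question exist in the same template, and the VPC CIDR 10.22.0.0/16 is an assumption chosen to match the instance's private address; the Outputs entry is there so the resolved group ID can be checked once the stack is created. Because the default group's built-in rule allows all traffic between its members, every instance that gets it added this way becomes reachable from every other member, which is worth confirming is intended before attaching it broadly.

```json
{
  "Resources": {
    "DevVPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.22.0.0/16",
        "Tags": [ { "Key": "Name", "Value": "DevVPC" } ]
      }
    },
    "Instance001": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-7eab224e",
        "InstanceType": "m1.large",
        "AvailabilityZone": "us-west-2a",
        "PrivateIpAddress": "10.22.0.110",
        "SubnetId": { "Ref": "PublicSubnet" },
        "SecurityGroupIds": [
          { "Ref": "AllowSSHSecGroup" },
          { "Fn::GetAtt": [ "DevVPC", "DefaultSecurityGroup" ] }
        ],
        "KeyName": "erik-key",
        "DisableApiTermination": "false",
        "Tags": [ { "Key": "Name", "Value": "Instance001" } ]
      }
    }
  },
  "Outputs": {
    "DevVPCDefaultSecurityGroupId": {
      "Description": "Group ID of the default SG that AWS created with DevVPC",
      "Value": { "Fn::GetAtt": [ "DevVPC", "DefaultSecurityGroup" ] }
    }
  }
}
```

After the stack is created, the output value should match the group listed as "default" for the VPC in the console or in describe-security-groups, which confirms the attachment went to the intended group.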