Question:
I’ve got a CloudFormation script that generates a SecurityGroup and an ELB; I’m trying to reference the SecurityGroup in the ELB creation; here’s the resources bit:
```json
"ELBSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Security group for the Arena dev stack",
    "SecurityGroupIngress" : [
      { "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : { "Ref" : "OfficeIp" } }
    ]
  }
},
"ProjectLoadBalancerTest" : {
  "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
  "Properties" : {
    "AvailabilityZones" : { "Fn::GetAZs" : "" },
    "Instances" : [ ],
    "Listeners" : [
      { "LoadBalancerPort" : "80", "InstancePort" : "12345", "Protocol" : "HTTP" }
    ],
    "HealthCheck" : {
      "Target" : { "Fn::Join" : [ "", [ "HTTP:", "12345", "/status.json" ] ] },
      "HealthyThreshold" : "2",
      "UnhealthyThreshold" : "5",
      "Interval" : "60",
      "Timeout" : "30"
    },
    "SecurityGroups" : [ { "Ref" : "ELBSecurityGroup" } ]
  }
}
```
Unfortunately, this fails with:
```
Invalid id: "sebelbtest2-ELBSecurityGroup-1F5Z5DIIVQKD1" (expecting "sg-...")
```
So how can I reference ELBSecurityGroup for use as a property in the ELB creation?
Thanks!
Answer:
As my CloudFormation script is all done within a VPC, I figured out what the problem was – I was creating the Security group, but not specifying the VpcId for it.
Security groups appear to be either normal security groups or VPC security groups; if you do `{ "Ref": "MySecurityGroup" }` on a normal one, you get the security group name, but not the ID. If you do `{ "Ref": "MySecurityGroup" }` on a VPC one, you get back the `sg-abcdef` id, which is what is required for the ELB security group parameter.
So the full answer is:
```json
"ELBSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Security group for the ELB",
    "VpcId" : { "Ref" : "VpcId" },
    "SecurityGroupIngress" : [
      { "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : { "Ref" : "OfficeIp" } }
    ]
  }
},
"MyELB": {
  "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
  "Properties" : {
    "AvailabilityZones" : { "Fn::GetAZs" : "" },
    "Listeners" : [
      { "LoadBalancerPort" : "80", "InstancePort" : 8000, "Protocol" : "HTTP" }
    ],
    "SecurityGroups" : [ { "Ref" : "ELBSecurityGroup" } ]
  }
}
```
This all works perfectly (provided everything you’re doing is within your VPC) and in my configuration, will successfully limit access to whatever OfficeIP is set to.
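The Ref-returns-name-versus-id distinction above is easy to catch before deploying, since it is visible in the template itself. The following Python script is an added example (not code from the question or the answer): it walks a CloudFormation template's `Resources` section and reports every load balancer whose `SecurityGroups` list Refs an `AWS::EC2::SecurityGroup` that has no `VpcId`, which is exactly the shape that produced the `Invalid id ... (expecting "sg-...")` error. It also flags ingress rules open to the whole internet, the opposite of the "limit access to the office IP" intent. The sample template, the resource names and the `.json` file path are constructed for the example.

```python
"""Lint a CloudFormation template for two security-group mistakes:
1. an ELB that Refs a security group without VpcId (Ref yields the group
   name, not an sg-... id, so the ELB property is invalid), and
2. a security group whose ingress is open to 0.0.0.0/0 or ::/0.
Added example; not part of the original Q&A. The sample below is constructed.
"""
import json
import sys

# Constructed sample Resources section: one non-VPC group, one VPC group,
# one VPC group open to the world, and two ELBs referencing them.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": { "VpcId": {"Type": "String"}, "OfficeIp": {"Type": "String"} },
  "Resources": {
    "ClassicSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "no VpcId here",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": {"Ref": "OfficeIp"}}
        ]
      }
    },
    "VpcSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "VPC group restricted to the office",
        "VpcId": {"Ref": "VpcId"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": {"Ref": "OfficeIp"}}
        ]
      }
    },
    "WorldSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "VPC group open to everyone",
        "VpcId": {"Ref": "VpcId"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "BadELB": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {"SecurityGroups": [{"Ref": "ClassicSG"}]}
    },
    "GoodELB": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {"SecurityGroups": [{"Ref": "VpcSG"}]}
    }
  }
}
""")

ELB_TYPES = {
    "AWS::ElasticLoadBalancing::LoadBalancer",
    "AWS::ElasticLoadBalancingV2::LoadBalancer",
}
SG_TYPE = "AWS::EC2::SecurityGroup"


def find_sg_refs_without_vpc(template):
    """Return (elb_logical_id, sg_logical_id) pairs where the ELB's SecurityGroups
    Ref a security group resource that has no VpcId property."""
    resources = template.get("Resources", {})
    findings = []
    for elb_id, elb in resources.items():
        if elb.get("Type") not in ELB_TYPES:
            continue
        for sg_ref in elb.get("Properties", {}).get("SecurityGroups", []):
            if not isinstance(sg_ref, dict) or "Ref" not in sg_ref:
                continue  # literal sg-... id or another intrinsic; not checked here
            sg = resources.get(sg_ref["Ref"])
            if sg is None or sg.get("Type") != SG_TYPE:
                continue  # Ref to a parameter or a non-security-group resource
            if "VpcId" not in sg.get("Properties", {}):
                findings.append((elb_id, sg_ref["Ref"]))
    return findings


def find_world_open_ingress(template):
    """Return logical ids of security groups with any ingress rule whose
    CidrIp/CidrIpv6 is a literal 0.0.0.0/0 or ::/0 (Refs to parameters are skipped)."""
    open_groups = []
    for sg_id, sg in template.get("Resources", {}).items():
        if sg.get("Type") != SG_TYPE:
            continue
        for rule in sg.get("Properties", {}).get("SecurityGroupIngress", []):
            if rule.get("CidrIp") in ("0.0.0.0/0",) or rule.get("CidrIpv6") in ("::/0",):
                open_groups.append(sg_id)
                break
    return open_groups


if __name__ == "__main__":
    # Usage: python sg_lint.py [template.json]; with no argument the sample is used.
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for elb, sg in find_sg_refs_without_vpc(tpl):
        print(f"{elb}: Ref to {sg} will return a group name, add VpcId to {sg}")
    for sg in find_world_open_ingress(tpl):
        print(f"{sg}: ingress open to the whole internet")
```

Run it against the sample and it reports `BadELB` (its group lacks `VpcId`) and `WorldSG` (open to `0.0.0.0/0`), while `GoodELB`/`VpcSG` pass. Ingress CIDRs given as a `Ref` to a parameter such as `OfficeIp` are not resolved here, so a parameter whose default is `0.0.0.0/0` would need a separate check on the `Parameters` section.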