
I am building CloudFormation JSON to define EC2 instances and a security group. How do I allow every instance in the same security group to share any data with each other in the CloudFormation JSON?

I need to create a security group that allows every instance belonging to it to share any data with the others.

My JSON looks like this:

"InternalSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "VpcId" : {"Ref" : "myVPC"},
    "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup" }
      }
    ],
    "SecurityGroupEgress" : [
      {
        "IpProtocol" : "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "DestinationSecurityGroupId" : { "Ref" : "InternalSecurityGroup" }
      }
    ]
  }
},

But this gives me the following error:

A client error (ValidationError) occurred when calling the CreateStack operation: Circular dependency between resources

To work around it, I changed my code to use CidrIp instead of SourceSecurityGroupId, specifying the subnet that all of the instances are in.

Is it possible to reference the same security group? What is the best (or correct) way to achieve what I want?

Answers


Define two security groups; this should work a bit better:

"InternalSecurityGroup1" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "VpcId" : {"Ref" : "myVPC"},
    "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
    "SecurityGroupIngress" : [ {
      "IpProtocol" : "-1",
      "FromPort": "-1",
      "ToPort": "-1",
      "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup2" }
    } ]
  }
},

"InternalSecurityGroup2" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "VpcId" : {"Ref" : "myVPC"},
    "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
    "SecurityGroupIngress" : [ {
      "IpProtocol" : "-1",
      "FromPort": "-1",
      "ToPort": "-1",
      "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup1" }
    } ]
  }
}

As the documentation points out, you can use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define self-referencing security group rules:

Important

If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. If you do, it causes a circular dependency, which AWS CloudFormation doesn't allow.

The result looks like this:


{
  "Resources": {
    "myVPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16"
      }
    },
    "InternalSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "GroupDescription": "Allow the machines in this group to share all kinds of traffic between each other"
      }
    },
    "InternalSecurityGroupIngress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "IpProtocol": "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "SourceSecurityGroupId": {
          "Ref": "InternalSecurityGroup"
        },
        "GroupId": {
          "Ref": "InternalSecurityGroup"
        }
      }
    },
    "InternalSecurityGroupEgress": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "IpProtocol": "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "DestinationSecurityGroupId": {
          "Ref": "InternalSecurityGroup"
        },
        "GroupId": {
          "Ref": "InternalSecurityGroup"
        }
      }
    }
  }
}
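A small lint-and-rewrite helper for the pattern both answers deal with, added here as an example (not code from the question, the answers, or AWS): it finds AWS::EC2::SecurityGroup resources whose embedded ingress/egress rules Ref their own logical id (the form CloudFormation rejects as a circular dependency) and hoists those rules into standalone AWS::EC2::SecurityGroupIngress/Egress resources with a GroupId, the form the quoted documentation recommends. The sample template is constructed inline, and the generated logical ids (e.g. InternalSecurityGroupIngress0) are an assumed naming scheme.

```python
import copy

# Constructed sample (not the page's own template): the embedded, self-referencing form
# that CloudFormation rejects with "Circular dependency between resources".
EMBEDDED_TEMPLATE = {"Resources": {
    "myVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "InternalSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": {"Ref": "myVPC"},
        "GroupDescription": "Allow all traffic between members of this group",
        "SecurityGroupIngress": [{"IpProtocol": "-1", "FromPort": "-1", "ToPort": "-1",
                                  "SourceSecurityGroupId": {"Ref": "InternalSecurityGroup"}}],
        "SecurityGroupEgress": [{"IpProtocol": "-1", "FromPort": "-1", "ToPort": "-1",
                                 "DestinationSecurityGroupId": {"Ref": "InternalSecurityGroup"}}],
    }},
}}

# Embedded property name -> standalone resource type that replaces it.
RULE_KEYS = {"SecurityGroupIngress": "AWS::EC2::SecurityGroupIngress",
             "SecurityGroupEgress": "AWS::EC2::SecurityGroupEgress"}


def refs_in(value):
    """Yield every logical id referenced through {"Ref": ...} anywhere inside value."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        yield value["Ref"]
    children = value.values() if isinstance(value, dict) else value if isinstance(value, list) else []
    for child in children:
        yield from refs_in(child)


def find_self_referencing_rules(template):
    """Return (logical_id, property) for each embedded rule list that Refs its own group."""
    return [(name, key) for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::EC2::SecurityGroup" for key in RULE_KEYS
            if any(name in refs_in(r) for r in res.get("Properties", {}).get(key, []))]


def hoist_self_references(template):
    """Return a copy in which self-referencing embedded rules become standalone resources."""
    out = copy.deepcopy(template)
    for name, key in find_self_referencing_rules(out):
        props, keep = out["Resources"][name]["Properties"], []
        for i, rule in enumerate(props.pop(key)):
            if name not in refs_in(rule):
                keep.append(rule)  # a rule that does not self-reference may stay embedded
                continue
            # Assumed id scheme <group><Ingress|Egress><n>; GroupId ties the rule to its group.
            new_id = f"{name}{key.replace('SecurityGroup', '')}{i}"
            out["Resources"][new_id] = {"Type": RULE_KEYS[key],
                                        "Properties": dict(rule, GroupId={"Ref": name})}
        if keep:
            props[key] = keep
    return out
```

One caveat after the rewrite: CloudFormation removes a VPC security group's default allow-all outbound rule only when the embedded SecurityGroupEgress property is specified, so once the egress rule is moved to a standalone resource the group keeps its default outbound rule and is more permissive than the embedded form would have been; review the resulting outbound rules.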