
I am building CloudFormation JSON to define EC2 instances and a security group. How do I allow every instance in the same security group to share any data with each other in the CloudFormation JSON?

I need to create a security group that allows every instance belonging to it to share any data with each other.

My JSON looks like this:

"InternalSecurityGroup" : {
    "Type" : "AWS::EC2::SecurityGroup",
    "Properties" : {
        "VpcId" : {"Ref" : "myVPC"},
        "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
        "SecurityGroupIngress" : [
            {
                "IpProtocol" : "-1",
                "FromPort": "-1",
                "ToPort": "-1",
                "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup" }
            }
        ],
        "SecurityGroupEgress" : [
            {
                "IpProtocol" : "-1",
                "FromPort": "-1",
                "ToPort": "-1",
                "DestinationSecurityGroupId" : { "Ref" : "InternalSecurityGroup" }
            }
        ]
    }
},

But this gives me the following error:

A client error (ValidationError) occurred when calling the CreateStack operation: Circular dependency between resources

To work around it, I changed my code to use CidrIp instead of SourceSecurityGroupId, specifying the subnet they are all in.

Is it possible to reference the same security group? What is the best (or correct) way to achieve what I want?

Answers

1

Define two security groups; this should work a bit better:

"InternalSecurityGroup1" : {
    "Type" : "AWS::EC2::SecurityGroup",
    "Properties" : {
        "VpcId" : {"Ref" : "myVPC"},
        "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
        "SecurityGroupIngress" : [ {
            "IpProtocol" : "-1",
            "FromPort": "-1",
            "ToPort": "-1",
            "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup2" }
        } ]
    }
},

"InternalSecurityGroup2" : {
    "Type" : "AWS::EC2::SecurityGroup",
    "Properties" : {
        "VpcId" : {"Ref" : "myVPC"},
        "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
        "SecurityGroupIngress" : [ {
            "IpProtocol" : "-1",
            "FromPort": "-1",
            "ToPort": "-1",
            "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup1" }
        } ]
    }
}

4

As the documentation points out, you can use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define self-referencing security group rules:

Important

If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. If you do, it causes a circular dependency, which AWS CloudFormation doesn't allow.

The result looks like this:

{
    "Resources": {
        "myVPC": {
            "Type": "AWS::EC2::VPC",
            "Properties": {
                "CidrBlock": "10.0.0.0/16"
            }
        },
        "InternalSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "VpcId": {
                    "Ref": "myVPC"
                },
                "GroupDescription": "Allow the machines in this group to share all kinds of traffic between each other"
            }
        },
        "InternalSecurityGroupIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "IpProtocol": "-1",
                "FromPort": "-1",
                "ToPort": "-1",
                "SourceSecurityGroupId": {
                    "Ref": "InternalSecurityGroup"
                },
                "GroupId": {
                    "Ref": "InternalSecurityGroup"
                }
            }
        },
        "InternalSecurityGroupEgress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "IpProtocol": "-1",
                "FromPort": "-1",
                "ToPort": "-1",
                "DestinationSecurityGroupId": {
                    "Ref": "InternalSecurityGroup"
                },
                "GroupId": {
                    "Ref": "InternalSecurityGroup"
                }
            }
        }
    }
}
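As an added example (not code from the question or either answer), here is a small Python pre-deploy check for the template shape that CloudFormation rejects with the circular-dependency error: an AWS::EC2::SecurityGroup whose embedded ingress/egress rules Ref its own group, or two such groups whose embedded rules Ref each other. Standalone AWS::EC2::SecurityGroupIngress/Egress resources, the accepted form shown above, pass. The sample templates are constructed and reduced to the security-group resources.

```python
def embedded_sg(refs):
    """Constructed helper: an AWS::EC2::SecurityGroup with embedded all-traffic
    ingress rules that Ref the named groups (the shape used in the question)."""
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": {"Ref": "myVPC"}, "GroupDescription": "internal",
        "SecurityGroupIngress": [{"IpProtocol": "-1", "FromPort": "-1", "ToPort": "-1",
                                  "SourceSecurityGroupId": {"Ref": r}} for r in refs]}}

# Constructed sample templates, reduced to the security-group resources.
SELF_REF = {"Resources": {"InternalSecurityGroup": embedded_sg(["InternalSecurityGroup"])}}
CROSS_REF = {"Resources": {"InternalSecurityGroup1": embedded_sg(["InternalSecurityGroup2"]),
                           "InternalSecurityGroup2": embedded_sg(["InternalSecurityGroup1"])}}
STANDALONE = {"Resources": {
    "InternalSecurityGroup": embedded_sg([]),
    "InternalSecurityGroupIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "IpProtocol": "-1", "FromPort": "-1", "ToPort": "-1",
        "SourceSecurityGroupId": {"Ref": "InternalSecurityGroup"},
        "GroupId": {"Ref": "InternalSecurityGroup"}}}}}

def rule_refs(rule):
    """Ref targets named in a rule's source/destination security-group fields."""
    return [rule[key]["Ref"] for key in ("SourceSecurityGroupId", "DestinationSecurityGroupId")
            if isinstance(rule.get(key), dict) and "Ref" in rule[key]]

def find_embedded_cycles(template):
    """Report AWS::EC2::SecurityGroup resources whose embedded rules Ref their own
    group, or two such groups whose embedded rules Ref each other. Standalone
    SecurityGroupIngress/Egress resources are ignored: that is the accepted form."""
    resources = template.get("Resources", {})
    edges = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = res.get("Properties", {})
        rules = props.get("SecurityGroupIngress", []) + props.get("SecurityGroupEgress", [])
        edges[name] = {r for rule in rules for r in rule_refs(rule) if r in resources}
    findings = []
    for a, targets in sorted(edges.items()):
        for b in sorted(targets):
            if a == b:
                findings.append(f"{a}: embedded rule references its own group")
            elif a < b and a in edges.get(b, set()):
                findings.append(f"{a} <-> {b}: embedded rules reference each other")
    return findings

if __name__ == "__main__":
    for label, tpl in (("self-ref", SELF_REF), ("cross-ref", CROSS_REF), ("standalone", STANDALONE)):
        print(label, find_embedded_cycles(tpl) or "ok")
```

Run it against `json.load(open("template.json"))` to lint a real template before `CreateStack`; the two-group layout suggested in the first answer is flagged as a mutual reference, matching the documentation quoted above.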