Updating an existing security group when creating a new EC2 instance with CloudFormation

Time: 2016-10-03 17:25:49

Tags: amazon-web-services amazon-ec2 amazon-cloudformation

I have an EC2 instance created with a cfn template like this:

Parameters:

"VPCId": {
    "Type": "AWS::EC2::VPC::Id",
    "Description": "The VPC Id to where this instance is being created"
},
"Subnet": {
    "Description": "Subnet to put Instance",
    "Type": "AWS::EC2::Subnet::Id"
}

With the following security group:

"InstanceSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Enables access to instance by port 80",
    "VpcId": {
      "Ref": "VPCId"
    },
    "SecurityGroupIngress": [
      {
        "IpProtocol": "tcp",
        "FromPort": "80",
        "ToPort": "80",
        "CidrIp": {
          "Ref": "ClientCIDR"
        }
      }
    ]
  }
}

Part of the instance resource:

"WebServer": {
  "Type": "AWS::EC2::Instance",
  "Properties": {
    "IamInstanceProfile": "access-profile",
    "SecurityGroupIds": [
      {
        "Fn::GetAtt": [
          "InstanceSecurityGroup",
          "GroupId"
        ]
      }
    ],
    "SubnetId": {
      "Ref": "Subnet"
    }
  }
}

I want to create some other instances using another template. These instances should be able to reach the instance above on port 22 and connect to it from UserData.

I'm not sure how this should be organised. One approach I've seen is to update the security group from UserData with the aws cli before opening the ssh connection to the first instance. How can this be organised with resources? I haven't found any information or examples on this. Please help! Thanks!

1 answer:

Answer 0 (score: 2)

You can modify InstanceSecurityGroup to allow access from the other instances:

"InstanceSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Enables access to instance by port 80",
    "VpcId": {
      "Ref": "VPCId"
    },
    "SecurityGroupIngress": [
      {
        "IpProtocol": "tcp",
        "FromPort": "80",
        "ToPort": "80",
        "CidrIp": {
          "Ref": "ClientCIDR"
        }
      },
      {
        "IpProtocol": "tcp",
        "FromPort": "22",
        "ToPort": "22",
        "SourceSecurityGroupId": {
          "Ref": "OtherInstancesSecurityGroup"
        }
      }
    ]
  }
}

where OtherInstancesSecurityGroup is the new security group that you will assign to the other instances.
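As an added example (not from the question or the answer above), this is the separate second template the question asks for, written as a CloudFormation YAML template: it attaches a standalone AWS::EC2::SecurityGroupIngress rule to the first stack's existing group instead of editing that stack or calling the aws cli from UserData. It assumes the first stack is left unchanged and that its InstanceSecurityGroup id is passed in through an assumed WebServerGroupId parameter; the ImageId parameter is also assumed.

```yaml
# Added example, not code from the question or answer. Assumed: the first
# stack is unchanged and the GroupId of its InstanceSecurityGroup is supplied
# as the WebServerGroupId parameter when this stack is created.
AWSTemplateFormatVersion: "2010-09-09"
Description: New instances that need SSH access to the existing web server
Parameters:
  VPCId:
    Type: AWS::EC2::VPC::Id
  Subnet:
    Type: AWS::EC2::Subnet::Id
  WebServerGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: GroupId of InstanceSecurityGroup from the first stack
  ImageId:
    Type: AWS::EC2::Image::Id   # assumed parameter; any valid AMI for the region
Resources:
  OtherInstancesSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Instances that connect to the web server over SSH
      VpcId: !Ref VPCId
      # No ingress here: the group only identifies the source of the rule below.
  WebServerSshFromOtherInstances:
    # Standalone rule added to the first stack's group. Its lifecycle follows
    # this stack (deleting the stack removes the rule), and no instance role
    # needs ec2:AuthorizeSecurityGroupIngress, as the UserData approach would.
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref WebServerGroupId
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      SourceSecurityGroupId: !Ref OtherInstancesSecurityGroup
  OtherInstance:
    Type: AWS::EC2::Instance
    DependsOn: WebServerSshFromOtherInstances   # rule is in place before UserData runs
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t2.micro
      SubnetId: !Ref Subnet
      SecurityGroupIds:
        - !GetAtt OtherInstancesSecurityGroup.GroupId
```

Connect from UserData to the web server's private IP or private DNS name: a rule whose source is a security group matches traffic from that group's network interfaces inside the VPC, not traffic that leaves through the instance's public address.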