How do I add a CloudFormation security group ingress rule that references another security group?

Time: 2017-04-27 22:48:22

Tags: amazon-web-services amazon-cloudformation

I have the following security groups in a YAML template. I want the "SecurityGroupApplication" security group to allow incoming connections from "SecurityGroupBastion". But the AWS CLI's validate-template function only gives me useless messages like "Unsupported structure". Fine, but what is wrong with the structure? Ideas?

Resources:
  SecurityGroupBastion:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion security group
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
      VpcId: !Ref vpcId
  SecurityGroupApplication:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application security group
      SecurityGroupIngress:
        - SourceSecurityGroupId: !Ref SecurityGroupBastion
          IpProtocol: tcp

2 answers:

Answer 0 (score: 1)

If you want SecurityGroupApplication to be a security group, you should use Type: AWS::EC2::SecurityGroup instead of Type: AWS::EC2::SecurityGroupIngress. That is probably the cause of the "Unsupported structure" error you are seeing.

Answer 1 (score: 1)

Apart from having to specify the ports for the App security group, your template works perfectly for me:

Resources:
  SecurityGroupBastion:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion security group
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
      VpcId: vpc-abcd1234
  SecurityGroupApplication:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application security group
      SecurityGroupIngress:
        # SSH from the bastion group only; tcp rules need FromPort and ToPort
        - SourceSecurityGroupId: !Ref SecurityGroupBastion
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
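The check below is an added example and is not code from the question or from either answer. It is a small static linter over a template's inline SecurityGroupIngress rules that catches the defect this thread is about (a tcp rule with no port range) before a stack is created, plus the related mistakes a practitioner would want flagged at the same time: a rule with no source or several sources, a SourceSecurityGroupId whose !Ref names nothing in the template, a rule open to 0.0.0.0/0, and two groups that reference each other inline, which CloudFormation rejects as a circular dependency and which have to be expressed as standalone AWS::EC2::SecurityGroupIngress resources instead. The template is given in CloudFormation's JSON form so the standard library can parse it ({"Ref": x} is the JSON spelling of !Ref). The sample is constructed: the two groups from the question, a hypothetical SecurityGroupDatabase, a deliberately dangling reference to SecurityGroupMissing, and the ports 8080 and 5432 are all assumptions that do not appear in the thread.

```python
"""Static checks on AWS::EC2::SecurityGroup inline ingress rules.

Added example, not code from the thread above; see the lead-in for assumptions.
"""
import json

# Constructed sample in CloudFormation JSON form ({"Ref": x} is the JSON spelling of !Ref):
# the question's two groups, a hypothetical SecurityGroupDatabase that references the
# application group while being referenced back by it, and one dangling reference.
TEMPLATE_JSON = r'''{
  "Parameters": {"vpcId": {"Type": "AWS::EC2::VPC::Id"}},
  "Resources": {
    "SecurityGroupBastion": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "Bastion security group", "VpcId": {"Ref": "vpcId"},
      "SecurityGroupIngress": [
        {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}]}},
    "SecurityGroupApplication": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "Application security group", "VpcId": {"Ref": "vpcId"},
      "SecurityGroupIngress": [
        {"SourceSecurityGroupId": {"Ref": "SecurityGroupBastion"}, "IpProtocol": "tcp"},
        {"SourceSecurityGroupId": {"Ref": "SecurityGroupDatabase"}, "IpProtocol": "tcp",
         "FromPort": 8080, "ToPort": 8080}]}},
    "SecurityGroupDatabase": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "Database security group", "VpcId": {"Ref": "vpcId"},
      "SecurityGroupIngress": [
        {"SourceSecurityGroupId": {"Ref": "SecurityGroupApplication"}, "IpProtocol": "tcp",
         "FromPort": 5432, "ToPort": 5432},
        {"SourceSecurityGroupId": {"Ref": "SecurityGroupMissing"}, "IpProtocol": "tcp",
         "FromPort": 5432, "ToPort": 5432}]}}}}'''

SG_TYPE = "AWS::EC2::SecurityGroup"
SOURCE_KEYS = ("CidrIp", "CidrIpv6", "SourceSecurityGroupId",
               "SourceSecurityGroupName", "SourcePrefixListId")


def ref_target(value):
    """Logical ID behind a {"Ref": ...} (YAML !Ref), else None."""
    return value["Ref"] if isinstance(value, dict) and set(value) == {"Ref"} else None


def check_security_groups(template):
    """Return (logical_id, message) findings for every inline ingress rule."""
    resources = template.get("Resources", {})
    findings, refs = [], {}  # refs: group -> groups it names via SourceSecurityGroupId
    for name, res in resources.items():
        if res.get("Type") != SG_TYPE:
            continue
        refs[name] = set()
        for i, rule in enumerate(res.get("Properties", {}).get("SecurityGroupIngress", [])):
            where = f"{name}.SecurityGroupIngress[{i}]"
            proto = str(rule.get("IpProtocol", "")).lower()
            # tcp/udp rules must carry a port range; "-1" (all traffic) and icmp need not
            if proto in ("tcp", "udp", "6", "17") and not {"FromPort", "ToPort"} <= set(rule):
                findings.append((name, f"{where}: {proto} rule needs FromPort and ToPort"))
            sources = [k for k in SOURCE_KEYS if k in rule]
            if len(sources) != 1:
                findings.append((name, f"{where}: exactly one source expected, got {sources or 'none'}"))
            if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                findings.append((name, f"{where}: open to the world"))
            target = ref_target(rule.get("SourceSecurityGroupId"))
            if target is None:
                continue
            if resources.get(target, {}).get("Type") != SG_TYPE:
                findings.append((name, f"{where}: !Ref {target} is not an {SG_TYPE} in this template"))
            else:
                refs[name].add(target)
    # Two groups that name each other inline (or a group naming itself) form a
    # dependency cycle CloudFormation rejects; such rules belong in standalone
    # AWS::EC2::SecurityGroupIngress resources created after both groups exist.
    for a, targets in refs.items():
        for b in sorted(targets):
            if b == a or (a < b and a in refs.get(b, ())):
                findings.append((a, f"{a} <-> {b}: circular inline reference; "
                                    "use a standalone AWS::EC2::SecurityGroupIngress"))
    return findings


def lint(template_text):
    """Parse a CloudFormation JSON template and run the checks."""
    return check_security_groups(json.loads(template_text))


if __name__ == "__main__":
    for logical_id, msg in lint(TEMPLATE_JSON):
        print(f"{logical_id}: {msg}")
```

Run against the constructed template it reports four findings: the bastion group's 0.0.0.0/0 rule, the application group's tcp rule with no port range (the defect from the question), the dangling !Ref SecurityGroupMissing, and the application/database cross-reference. Only the first is a judgement call (an internet-facing bastion on port 22 may be intended); the other three would fail or misbehave at stack creation.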