
I have a Cloudformation stack that I create through Jenkins in various Regions. I have a Chef server in one Region with a separate security group. I need new instances created via Cloudformation to register/be created and add themselves to the Chef SG in us-west-1 regardless of their region.

Is this feasible?

Edit: I need to do this via the Cloudformation script as opposed to other methods for a multitude of reasons that are lengthy/convoluted.

Edit2: For clarity, I don't want the instance to be part of the SG, but rather for the EIP of the new instance to be added as an ingress in the SG.

Publiccert

2 Answers


EC2/VPC security groups are region bound.

From the AWS docs:

If you're using EC2-Classic, you must use security groups created specifically for 
EC2-Classic. When you launch an instance in EC2-Classic, you must specify a security
group in the same region as the instance. You can't specify a security group that
you created for a VPC when you launch an instance in EC2-Classic.
typositoire
  • I'm not trying to use the SG in another region. I'm trying to add the EIP of $newinstance to a SG in us-west-1 as an ingress of $EIP - 443. Sorry for the lack of clarity. – Publiccert Jan 16 '14 at 23:48
  • You could create a script to deploy through CloudFormation and then edit your sg using EC2-CLI. CloudFormation Commands: http://docs.aws.amazon.com/cli/latest/reference/cloudformation/index.html EC2-CLI Doc: http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/Welcome.html I don't think you can do it from the AWS Console :/ – typositoire Jan 16 '14 at 23:56

It is feasible.

What you want is to have a security group in a security group. It works exactly how it sounds.

1) Create security groups called SG-CLIENT and SG-INGRESS

2) For your CHEF instance, tag it with the SG-INGRESS security group. In the SG-INGRESS security group, add a rule to enable access to CHEF ports, using a source of 'SG-CLIENT'

3) Using cloud formation template/script, tag any new instances to the SG-CLIENT security group.

Refer to the picture here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#adding-security-group-rule for an example of security groups used in rules.

Refer to https://s3.amazonaws.com/cloudformation-templates-us-east-1/EC2InstanceWithSecurityGroupSample.template for registration of an instance in a security group through a cloud formation template.

Note: The API documentation seems to hint toward allowing the use of someone else's security group as the source by using 'account ID/security group name'. This should be helpful if you try doing this across regions. Info: http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-AuthorizeSecurityGroupIngress.html

CloudWeavers
  • This is a very neat idea but doesn't seem to work between regions. – Publiccert Jan 17 '14 at 18:49
  • Between regions, I would simply do it with a configuration management system & deployment scripts automatically assigning IP to security group through EC2 API. – CloudWeavers Jan 19 '14 at 22:15
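The three steps in the answer above, written out as a CloudFormation template. This is an added example, not code from the thread or from the linked AWS sample; the parameter names (VpcId, SubnetId, ImageId), the logical resource names and the use of port 443 (taken from the question) are assumptions. SG-INGRESS admits only members of SG-CLIENT on that single port, so nothing else in the VPC can reach the Chef server through this rule. As the comments note, this only works when both groups live in the same region: SourceSecurityGroupId cannot point at a group in another region.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: SG-CLIENT is the source of the ingress rule on SG-INGRESS (single region only)",
  "Parameters": {
    "VpcId": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "Assumed: the VPC that holds both security groups and the Chef server"
    },
    "SubnetId": {
      "Type": "AWS::EC2::Subnet::Id",
      "Description": "Assumed: a subnet in VpcId for the new client instance"
    },
    "ImageId": {
      "Type": "AWS::EC2::Image::Id",
      "Description": "Assumed: AMI for the new client instance"
    }
  },
  "Resources": {
    "SGCLIENT": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "SG-CLIENT: attached to every instance that must reach the Chef server",
        "VpcId": { "Ref": "VpcId" }
      }
    },
    "SGINGRESS": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "SG-INGRESS: attached to the Chef server; admits only members of SG-CLIENT on 443",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "SourceSecurityGroupId": { "Ref": "SGCLIENT" }
          }
        ]
      }
    },
    "ClientInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": { "Ref": "ImageId" },
        "InstanceType": "t2.micro",
        "SubnetId": { "Ref": "SubnetId" },
        "SecurityGroupIds": [ { "Ref": "SGCLIENT" } ]
      }
    }
  },
  "Outputs": {
    "ClientSecurityGroup": {
      "Description": "Tag further instances with this group to grant them Chef access",
      "Value": { "Ref": "SGCLIENT" }
    }
  }
}
```

Attach SG-INGRESS to the existing Chef server by hand (or in its own stack) and reuse the SGCLIENT output for every new client stack in that region. For the cross-region case the question actually asks about, the thread's own conclusion applies: a post-deployment step outside CloudFormation (EC2 CLI or API) must add the new instance's EIP as a /32 CidrIp rule on the us-west-1 group, and that step should also remove the rule when the instance is retired so the group does not accumulate stale addresses.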