8

Currently, our AWS infrastructure has many instances which are attached to security groups, which I created in the console.

We are re-structuring our security groups with CloudFormation, thus we can have a comment and description in each rule.

My question is:

  • When I create a new Security Group with CloudFormation, how can I add it to an existing EC2 instance without removing the instance?
  • I saw some stack templates in AWS, but they only have a template to create a new Instance with a security group, so I have no idea how to create a stack for only security groups. And if I update the stack, does it apply to all instances immediately?
  • How can I export current security groups to JSON, so I don't have to re-create all the security groups in CloudFormation?
John Rotenstein
Tien Dung Tran

2 Answers

9

You can't.

Amazon CloudFormation templates can create resources, and those resources can refer to other resources within the same template. For example, you could create a Security Group and an Instance, and configure the Instance to use the Security Group. When making such references within the template, resources can be referenced by name (eg SecurityGroup1, Web Server).

If you wish resources within a CloudFormation template to be associated with resources that already exist, you will need to refer to the external resource via its unique ID.

For example, it is possible to create an Amazon EC2 instance within a CloudFormation template, and refer to an existing security group.

However, your need is the reverse! You wish to modify an existing resource to point to a new resource. For example, modify an existing Instance to point to a new Security Group. This is not possible within a CloudFormation template, because it can only create resources and configure those resources -- it cannot modify resources outside of the template.

Logically, security groups need to exist before creating an Amazon EC2 instance since the instance links to the security groups.

Exporting to JSON

If you wish to export an existing resource to a CloudFormation template (eg export current Security Group definitions), you could use:

John Rotenstein
  • Thank you. So I think I'll just create the security groups with CloudFormation, then go to the AWS console to manually change each instance. Afterwards, when I need to change something in a security group, I will edit it in CloudFormation and update the stack. Does it make sense? – Tien Dung Tran May 25 '17 at 08:37
  • Yes, that is the right way to go, given your circumstances. – John Rotenstein May 25 '17 at 12:41
  • @JohnRotenstein, this seems to be one of the basic requirements. If I can't modify existing resources with CloudFormation, what advantages do I have with it over Ansible or Terraform, with which I can modify existing resources? – PMat Dec 20 '17 at 20:36
  • @PMat You can use CloudFormation to modify resources created by CloudFormation, by simply modifying the template/parameters on the stack that originally created the resource. But you can't use CloudFormation to modify resources that were *not* created by CloudFormation, since it has no knowledge of them. – John Rotenstein Dec 20 '17 at 21:30
  • So far I had tied up the security groups as part of the instance and load balancer creation in separate templates. But now you gave an insight into creating the security groups ahead of time and referring to them from different templates. Thanks a ton. – Santosh Kumar Arjunan Feb 05 '19 at 15:54
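Added example, not from the answer above: a small converter that turns the JSON returned by `aws ec2 describe-security-groups` (the entries of its `SecurityGroups` list) into `AWS::EC2::SecurityGroup` resources, carrying over the per-rule `Description` the question wants to keep. The sample input is constructed, with placeholder IDs.

```python
import json

# Constructed sample in the shape of one entry of "SecurityGroups" from
# `aws ec2 describe-security-groups`; IDs are placeholders, not a real account.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0", "GroupName": "web-servers",
    "Description": "Web tier", "VpcId": "vpc-0abc",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public HTTPS"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "Description": "bastion"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ],
}

def _rules(perms, peer_key):
    """Flatten one IpPermissions list into CloudFormation rule objects."""
    rules = []
    for p in perms:
        base = {"IpProtocol": p["IpProtocol"]}
        if "FromPort" in p:  # protocol "-1" (all traffic) carries no port range
            base.update(FromPort=p["FromPort"], ToPort=p["ToPort"])
        # Each CIDR / peer group becomes its own rule so it can carry a Description
        for r in p.get("IpRanges", []):
            rules.append({**base, "CidrIp": r["CidrIp"], "Description": r.get("Description", "TODO: describe rule")})
        for r in p.get("Ipv6Ranges", []):
            rules.append({**base, "CidrIpv6": r["CidrIpv6"], "Description": r.get("Description", "TODO: describe rule")})
        for g in p.get("UserIdGroupPairs", []):
            rules.append({**base, peer_key: g["GroupId"], "Description": g.get("Description", "TODO: describe rule")})
    return rules

def sg_to_cfn(sg, logical_id):
    """Build one AWS::EC2::SecurityGroup resource; GroupName is omitted so CFN picks its own."""
    return {logical_id: {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": sg["Description"], "VpcId": sg["VpcId"],
        "SecurityGroupIngress": _rules(sg["IpPermissions"], "SourceSecurityGroupId"),
        "SecurityGroupEgress": _rules(sg["IpPermissionsEgress"], "DestinationSecurityGroupId")}}}

def template(groups):
    resources = {}
    for i, sg in enumerate(groups):
        resources.update(sg_to_cfn(sg, f"SecurityGroup{i + 1}"))
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}

if __name__ == "__main__":
    print(json.dumps(template([SAMPLE_SG]), indent=2))
```

Rules whose source is another existing group still point at that group's raw ID; once that group is also managed by the stack, replace the ID with a `Ref` to its logical name.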
-2

Adding security group(s) won't recreate your instance; it just modifies it.

You can test it:

  • add a security group, execute the changeset
  • add that security group to your instance (in the same template) and make a changeset again

YourSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: < enter description here >

YourInstance:
  Type: AWS::EC2::Instance
  Properties:
    ImageId: < enter AMI ID here >
    SecurityGroupIds:
      - !Ref YourSecurityGroup
Zoltan Szabo
  • If you created the already running instance via CloudFormation, then just update the list of SecurityGroupIds (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-securitygroupids) and it'll not destroy the instance. If you defined the security groups under `NetworkInterfaces`, then updating this will replace the instance. – Kaarel Apr 26 '19 at 12:29
  • Would you like to say that the example above doesn't work? Have you tried? – Zoltan Szabo Oct 25 '21 at 00:15