
I am trying to write a CloudFormation template where a security group ingress rule will contain the security group of an existing EC2 instance. It should have the following properties:

  • Users don't have to enter the security group as a parameter.
  • CloudFormation will not create the EC2 instance.
  • Instead CloudFormation will search for that existing instance, find out its security group, and then we will use that, using Fn::GetAtt maybe.

I know we can do a describe-instance from the AWS CLI and put the security group as input to the CloudFormation template, but I was thinking: can the same be done from the CloudFormation template itself?

A small example would be helpful. Thanks

matsev
Sumit

1 Answer

> I was thinking can the same be done from CloudFormation template itself.

Yes, it can be done using custom resources. The custom resource would be a Lambda function which would use the AWS SDK's describe-instance to do the search, find the security group id, and return it to CloudFormation.

Regarding the example, you can have a look at my answer to this question. For that answer I developed a similar custom resource. It was getting info about an Elastic Beanstalk resource, but it could be modified to use describe_instances instead of describe_environment_resources to suit your needs.

Marcin
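As an added example (not code from the answer or from the linked one), a Python Lambda handler for such a custom resource: it looks the instance up by its Name tag (the `InstanceName` property, the filters and the sample IDs are assumptions), pulls the security group IDs out of the `describe_instances` result, and always posts a response to CloudFormation, including on `Delete` and on failure, because an unanswered custom resource leaves the stack hanging until it times out.

```python
import json
import urllib.request

# Constructed sample of a describe_instances result for one matching instance
# (hypothetical IDs, not real resources), used to exercise the helpers offline.
SAMPLE_DESCRIBE_RESPONSE = {
    "Reservations": [{
        "Instances": [{
            "InstanceId": "i-0123456789abcdef0",
            "SecurityGroups": [
                {"GroupId": "sg-0aaa111122223333a", "GroupName": "web-sg"},
                {"GroupId": "sg-0bbb444455556666b", "GroupName": "ssh-sg"},
            ],
        }]
    }]
}


def security_group_ids(describe_response):
    """Collect the security group IDs of every instance in a describe_instances result."""
    ids = []
    for reservation in describe_response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            ids.extend(sg["GroupId"] for sg in instance.get("SecurityGroups", []))
    return ids


def build_response(event, status, data=None, reason=""):
    """Body CloudFormation expects at the pre-signed ResponseURL; Data keys are
    what the template can then read with Fn::GetAtt."""
    return {
        "Status": status,  # "SUCCESS" or "FAILED"
        "Reason": reason or "See CloudWatch logs",
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def handler(event, context):
    """Lambda entry point for the custom resource (assumed property: InstanceName)."""
    import boto3  # imported here so the pure helpers above run without the SDK
    try:
        if event["RequestType"] == "Delete":  # nothing to clean up, but must still answer
            body = build_response(event, "SUCCESS")
        else:
            name = event["ResourceProperties"]["InstanceName"]
            resp = boto3.client("ec2").describe_instances(Filters=[
                {"Name": "tag:Name", "Values": [name]},
                {"Name": "instance-state-name", "Values": ["running"]}])
            ids = security_group_ids(resp)
            if not ids:
                raise RuntimeError(f"no running instance named {name!r}")
            body = build_response(event, "SUCCESS",
                                  {"SecurityGroupIds": ",".join(ids), "FirstSecurityGroupId": ids[0]})
    except Exception as exc:  # report the failure instead of leaving the stack waiting
        body = build_response(event, "FAILED", reason=str(exc))
    req = urllib.request.Request(event["ResponseURL"], data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req)
```

In the template the ingress rule then references `!GetAtt InstanceLookup.FirstSecurityGroupId` (with `InstanceLookup` being the custom resource's logical name), and the Lambda's execution role needs only `ec2:DescribeInstances`.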