AWS Cloudformation - Add condition to security group egress rule

Question

How can I add a condition to an SecurityGroupIngress rule in a Security group resource? So for example if environment parameter is set to "prod" it will open both port 80 and 443 but if its set to "test" it will only open port 80.

Example template:

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  EnvType:
    Description: Environment type.
    Default: test
    Type: String
    AllowedValues:
      - prod
      - test
    ConstraintDescription: must specify prod or test.
Conditions:
  CreateProdResources: !Equals 
    - Ref: EnvType
    - prod
Resources:
  WebSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Web server
      GroupName: web
      VpcId: vpc-abc01234
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

berenbums · Answer 1 · 2022-04-19T14:03:41.497

You have already defined the condition that is required for this, now you can make use of the intrinsic If function and the NoValue pseudo parameter:

  WebSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Web server
      GroupName: web
      VpcId: vpc-abc01234
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - !If
          - CreateProdResources
          - IpProtocol: tcp
            FromPort: 443
            ToPort: 443
            CidrIp: 0.0.0.0/0
          - !Ref AWS::NoValue

AWS Cloudformation - Add condition to security group egress rule

1 Answers1