CloudFormation-安全组VPC问题

本文介绍了CloudFormation-安全组VPC问题的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我有一个模板，该模板可创建ELB并在VPC内连接现有子网。这样做很好，但是当我随后更新堆栈并添加一个安全组，该安全组的VpcId属性的值等于我所连接的子网所属的现有VPC ID时，堆栈将失败，并显示以下错误：

I have a template which creates an ELB and attaches an existing subnet within a VPC. This creates just fine but when I then update my stack and add a security group with a VpcId property with a value equal to the existing VPC ID in which my attached subnet belongs the stack fails with the following error:

如果我从安全组中删除VpcId属性，它将在我的默认VPC中创建它，并且堆栈创建成功。我不明白为什么会这样，因为安全组在指定的入口规则中与ELB有关系-

If I remove the VpcId property from my security group it creates it in my default VPC and the stack creation works. I cannot understand why this can be because the security group has a relationship to the ELB in the specified ingress rules -

"IpProtocol": "tcp",
            "FromPort": "8000",
            "ToPort": "8010",
            "SourceSecurityGroupOwnerId": {
              "Fn::GetAtt": [
                "ElasticLoadBalancer",
                "SourceSecurityGroup.OwnerAlias"
              ]
            },

我无法在ELB上明确声明VPC ID，因为它没有此类属性，只有子网或AZ。

I cannot explicitly state the VPC ID on the ELB as it has no such property, only Subnet or AZ.

推荐答案

感谢您的帮助。我找到了问题并解决了问题。

Thanks for your help guys. I found the issue and solved the problem.

问题是我试图在安全组定义中的安全组入口定义中引用另一个安全组。如文档所述：

The issue is that I am trying to reference one security group from another in the security group ingress definition within the security group definition. As the documentation says:

因此，我指定了两个安全组，然后在单独的资源中指定了SecurityGroupIngress。必须将此手动输入到模板中，因为此资源的左侧菜单中没有CloudFormation图标。花了一段时间才弄清楚，因为我创建堆栈时生成的错误消息并不明显。

So, I specified my two security groups then specified a SecurityGroupIngress in a separate resource. This must be entered manually into the template as there is no CloudFormation icon from the left hand menu for this resource. It took a while to figure out because the error message generated when I created the stack doesn't make it obvious.

"InstanceIngress": {
  "Type": "AWS::EC2::SecurityGroupIngress",
  "Properties": {
    "GroupId": {
      "Fn::GetAtt": [
        "InstanceSecurityGroup",
        "GroupId"
      ]
    },
    "IpProtocol": "tcp",
    "FromPort": "7997",
    "ToPort": "8100",
    "SourceSecurityGroupId": {
      "Fn::GetAtt": [
        "ELBSecurityGroup",
        "GroupId"
      ]
    }
  },

这篇关于CloudFormation-安全组VPC问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！