I'm designing a CloudFormation template, but I need to choose between several security groups.
I have defined a parameter and two conditions to enable one policy or another with the same name (to maintain dependencies).
But the template does not work for both options.
When the parameter has the value True the stack works, and with the value False it shows the following error:
Template format error: Unresolved resource dependencies [mySecurityGroup] in the Resources block of the template
This is the fragment of the template:
Parameters:
  KeyName:
    Description: EC2 KeyPair
    Type: 'AWS::EC2::KeyPair::KeyName'
  Reception:
    Description: Enable reception
    Default: False
    Type: String
    AllowedValues:
      - True
      - False
Conditions:
  Enable:
    !Equals [True, !Ref Reception]
  Disable:
    !Equals [False, !Ref Reception]
Resources:
  myVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: myVPC
  mySubNet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref myVPC
      CidrBlock: 10.0.0.0/24
      Tags:
        - Key: Name
          Value: mySubNet
  mySecurityGroup:
    Condition: Disable
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref myVPC
      GroupDescription: Security Group for EC2
      SecurityGroupIngress:
        - IpProtocol: udp
          FromPort: 4114
          ToPort: 4114
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: mySecurityGroup
  mySecurityGroup:
    Condition: Enable
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref myVPC
      GroupDescription: Security Group for EC2
      SecurityGroupIngress:
        - IpProtocol: udp
          FromPort: 5683
          ToPort: 5683
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: mySecurityGroup
  myEC2:
    Type: 'AWS::EC2::Instance'
    Properties:
      KeyName: !Ref KeyName
      ImageId: ami-028188d9b49b32a80
      InstanceType: t2.nano
      NetworkInterfaces:
        - SubnetId: !Ref mySubNet
          AssociatePublicIpAddress: 'true'
          DeviceIndex: 0
          GroupSet:
            - !Ref mySecurityGroup
      Tags:
        - Key: Name
          Value: myEC2
I'm not sure which is the right way.
Well hell, I can't leave a comment since my Rep is 48, not 50. :(
Anyway, I don't have an actual ANSWER to your question, but I hope what I have here will help you along.
Conditions:
  Enable:
    !Equals [True, !Ref Reception]
  Disable:
    !Equals [False, !Ref Reception]
1a. This isn't going to work. You just need one conditional statement:
Conditions: # Checks to see if Conditional Values are True
  ReceptionYes: !Equals [ !Ref Reception, True]
You need a conditional line in Resources like this (where I am stuck is where to put this line below):
  !If [ReceptionYes, !Ref mySecurityGroup2, !Ref mySecurityGroup1]
First !Ref if True, else use the second !Ref.
Now, in THEORY, you SHOULD be able to do the following:
mySecurityGroup1:
  Condition: Disable
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    VpcId: !Ref myVPC
    GroupDescription: Security Group for EC2
    SecurityGroupIngress:
      - IpProtocol: udp
        FromPort: 4114
        ToPort: 4114
        CidrIp: 0.0.0.0/0
    Tags:
      - Key: Name
        Value: mySecurityGroup
mySecurityGroup2:
  Condition: Enable
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    VpcId: !Ref myVPC
    GroupDescription: Security Group for EC2
    SecurityGroupIngress:
      - IpProtocol: udp
        FromPort: 5683
        ToPort: 5683
        CidrIp: 0.0.0.0/0
    Tags:
      - Key: Name
        Value: mySecurityGroup
Well, if this doesn't work, I hope it gets you a bit closer to an answer. :D