
Security Group Issue with launching an EC2 instance with CloudFormation


I am trying to launch an EC2 instance into a public subnet but when I try to launch the CF template I keep getting the error:

The parameter groupName cannot be used with the parameter subnet

This is the CF template for the subnet, EC2 instance, and security group.

# VPC
  VPC:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: 10.0.0.0/24
      EnableDnsSupport: true
      InstanceTenancy: "default"

# Public subnet
  PublicSubnet:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: "us-east-1a"
      CidrBlock: 10.0.0.0/28
      VpcId: !Ref VPC

# EC2 Security Group
  SecurityGroupForEC2:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "This security group allows SSH access into the bastion hosts from your personal IP"
      GroupName: "SecurityGroup-For-Public-Subnet"
      SecurityGroupIngress:
        - CidrIp: My IP
          Description: "Allows SSH Access into the bastion Hosts"
          FromPort: 22
          IpProtocol: 6
          ToPort: 22
      VpcId: !Ref VPC


# EC2 Instances for bastion hosts
  BastionHostEC2:
    Type: "AWS::EC2::Instance"
    Properties:
      AvailabilityZone: "us-east-1a"
      InstanceType: "t2.micro"
      ImageId: ami-0be2609ba883822ec # Amazon Linux 2
      KeyName: My-Keys
      SecurityGroups:
        - !Ref SecurityGroupForPublicSubnet
      SourceDestCheck: false
      SubnetId: !Ref PublicSubnet

The error keeps coming up when the CF stack tries to create the instance. I'm not sure what to do here because I should be able to associate a security group with the EC2 instance, correct? Is this the result of the security group already being associated with the VPC? Any advice would be greatly appreciated.


Solution

  • There are at least two issues in the code:

    1. SecurityGroupForPublicSubnet does not exist. I guess it should be SecurityGroupForEC2. I assume yes.

    2. SecurityGroups can't be used for non-default VPC. Since you are creating your own VPC, it fails. You should be using SecurityGroupIds as shown in the fixed code below.

    Resources:
    
      VPC:
        Type: "AWS::EC2::VPC"
        Properties:
          CidrBlock: 10.0.0.0/24
          EnableDnsSupport: true
          InstanceTenancy: "default"
    
    # Public subnet
      PublicSubnet:
        Type: "AWS::EC2::Subnet"
        Properties:
          AvailabilityZone: "us-east-1a"
          CidrBlock: 10.0.0.0/28
          VpcId: !Ref VPC
    
    # EC2 Security Group
      SecurityGroupForEC2:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
          GroupDescription: "This security group allows SSH access into the bastion hosts from your personal IP"
          GroupName: "SecurityGroup-For-Public-Subnet"
          SecurityGroupIngress:
            - CidrIp: 0.0.0.0/0
              Description: "Allows SSH Access into the bastion Hosts"
              FromPort: 22
              IpProtocol: 6
              ToPort: 22
          VpcId: !Ref VPC
    
    
    # EC2 Instances for bastion hosts
      BastionHostEC2:
        Type: "AWS::EC2::Instance"
        Properties:
          AvailabilityZone: "us-east-1a"
          InstanceType: "t2.micro"
          ImageId: ami-0be2609ba883822ec # Amazon Linux 2
          #KeyName: My-Keys
          SecurityGroupIds:
            - !GetAtt SecurityGroupForEC2.GroupId
          SourceDestCheck: false
          SubnetId: !Ref PublicSubnet
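A small lint that catches the two mistakes the answer names (the dangling reference and SecurityGroups combined with SubnetId) and also flags the 0.0.0.0/0 SSH rule in the fixed template, as an added example that is not part of the question or the answer. Templates are given as Python dicts in the JSON long form of the intrinsic functions ({"Ref": ...}, {"Fn::GetAtt": [...]}), and the AdminCidr parameter used to scope the bastion rule is an assumed name, not one from the page.

```python
import copy

def _refs(node):
    """Yield every logical name used via Ref or Fn::GetAtt anywhere in a subtree."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if isinstance(node.get("Fn::GetAtt"), list):
            yield node["Fn::GetAtt"][0]
        node = list(node.values())
    for child in node if isinstance(node, list) else []:
        yield from _refs(child)

def lint_template(template):
    """Return findings for the two errors the answer names plus the open-SSH caveat."""
    resources, params = template.get("Resources", {}), template.get("Parameters", {})
    findings = []
    for name, res in resources.items():
        props, rtype = res.get("Properties", {}), res.get("Type")
        for target in _refs(props):  # issue 1: Ref/GetAtt to a logical name that does not exist
            if target not in resources and target not in params and not target.startswith("AWS::"):
                findings.append(f"{name}: reference to undefined '{target}'")
        if rtype == "AWS::EC2::Instance" and "SecurityGroups" in props and "SubnetId" in props:
            # issue 2: group *names* only resolve in the default VPC; in a subnet use group IDs
            findings.append(f"{name}: SecurityGroups used with SubnetId; use SecurityGroupIds")
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):  # caveat: bastion SSH open to the world
                if rule.get("CidrIp") == "0.0.0.0/0" and rule.get("FromPort") == 22:
                    findings.append(f"{name}: SSH (22) open to 0.0.0.0/0")
    return findings

# Constructed template reproducing the question's two mistakes plus the answer's 0.0.0.0/0 rule.
BROKEN = {"Resources": {
    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/24"}},
    "PublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "SecurityGroupForEC2": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": {"Ref": "VPC"}, "SecurityGroupIngress": [
            {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}]}},
    "BastionHostEC2": {"Type": "AWS::EC2::Instance", "Properties": {
        "SubnetId": {"Ref": "PublicSubnet"}, "SecurityGroups": [{"Ref": "SecurityGroupForPublicSubnet"}]}}}}

def fixed_template():
    # The answer's fix (SecurityGroupIds + GetAtt) plus SSH scoped to an admin CIDR parameter.
    t = copy.deepcopy(BROKEN)
    t["Parameters"] = {"AdminCidr": {"Type": "String"}}  # hypothetical parameter, not on the page
    inst = t["Resources"]["BastionHostEC2"]["Properties"]
    inst["SecurityGroupIds"] = [{"Fn::GetAtt": ["SecurityGroupForEC2", "GroupId"]}]
    del inst["SecurityGroups"]
    t["Resources"]["SecurityGroupForEC2"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = {"Ref": "AdminCidr"}
    return t
```

Running lint_template(BROKEN) reports all three findings, while lint_template(fixed_template()) reports none.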