Cloudformation Add Instance to Security Group in Different Region

amazon ec2amazon-cloudformationchefJenkins

I have a Cloudformation stack that I create through Jenkins in various Regions. I have a Chef server in one Region with a separate security group. I need new instances created via Cloudformation to register/be created and add themselves to the Chef SG in us-west-1 regardless of their region.

Is this feasible?

Edit: I need to do this via the Cloudformation script as opposed to other methods for a multitude of reasons that are lengthy/convoluted.

Edit2: For clarity, I don't want the instance to be part of the SG, but rather for that the EIP of the new instance to be added as an ingress in the SG.

Best Answer

EC2/VPC Security group are region bound.

From AWS Docs

If you're using EC2-Classic, you must use security groups created specifically for 
EC2-Classic. When you launch an instance in EC2-Classic, you must specify a security
group in the same region as the instance. You can't specify a security group that
you created for a VPC when you launch an instance in EC2-Classic.

Related Solutions

Amazon EC2 – How to Add a Security Group to a Running Instance

Update 2015-02-27:

This is now possible, see the answer below.

Old reply:

Amazon's FAQ says it's not possible to define a security group anywhere but at launch time.

AWS CloudFormation: VPC default security group

Referencing the default security group is possible using:

{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }

Where "VPC" is your VPC resource name.

With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.

I think this is what you want:

"VPCDefaultSecurityGroupIngress": {
  "Type" : "AWS::EC2::SecurityGroupIngress",
  "Properties" : {
    "GroupId": { "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] },
    "IpProtocol":"tcp",
    "FromPort":"22",
    "ToPort":"22",
    "CidrIp":"0.0.0.0/0"
  }
},

As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.

I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups laying around.

Best Answer

Related Solutions

Amazon EC2 – How to Add a Security Group to a Running Instance

AWS CloudFormation: VPC default security group

Related Topic