I got the following response to my respective post on the AWS CloudFormation Forum:
Posted by: Adam@AWS on Nov 7, 2012 9:05 AM, in response to Edwin G. Landy:
Edwin,
You can install an MSI package in much the same way as a yum package.
For instance:
"packages" : {
    "msi" : {
        "mysql" : "URL or path to file on disk",
        "package2" : "path to another MSI"
    }
}
Note that the names do not matter - cfn-init will extract the
ProductCode from the MSI in order to determine if the package is
already installed or not. MSIs are also installed for all users with
reboots suppressed.
I'm afraid we do not actually support services on Windows yet, but it
is a feature that is definitely on our roadmap. Until then you can use
the "net" command from within the command section to start services
from cfn-init.
Thanks, Adam
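To show where the "packages"/"msi" fragment and the "net" command from Adam's reply actually sit in a template, here is an added example (mine, not code from the forum post or from AWS) that builds a complete AWS::EC2::Instance resource with AWS::CloudFormation::Init metadata and a UserData script that invokes cfn-init.exe, plus one check a practitioner would want before shipping it: cfn-init installs these MSIs machine-wide, so a package fetched over plain http:// hands a network attacker an installer that runs as SYSTEM. The resource name WindowsHost, the parameter WindowsAmiId, the instance type, and the sample package sources are all assumptions chosen for this example.

```python
import json


def windows_init_template(msi_sources, service_name):
    """Build a minimal CloudFormation template (as a dict) that installs MSIs
    through cfn-init and then starts a Windows service with 'net start'.
    'WindowsHost' and 'WindowsAmiId' are names chosen for this example."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "WindowsAmiId": {"Type": "AWS::EC2::Image::Id"},
        },
        "Resources": {
            "WindowsHost": {
                "Type": "AWS::EC2::Instance",
                "Metadata": {
                    "AWS::CloudFormation::Init": {
                        "config": {
                            # cfn-init reads the ProductCode out of each MSI, so the
                            # keys are only labels; the values are URLs or local paths.
                            "packages": {"msi": dict(msi_sources)},
                            # There is no "services" support on Windows in the reply
                            # above, so the service is started from "commands".
                            "commands": {
                                "01_start_service": {
                                    "command": 'net start "%s"' % service_name,
                                    "waitAfterCompletion": "0",
                                }
                            },
                        }
                    }
                },
                "Properties": {
                    "ImageId": {"Ref": "WindowsAmiId"},
                    "InstanceType": "t2.medium",
                    # User data runs cfn-init.exe against this resource's Metadata.
                    "UserData": {"Fn::Base64": {"Fn::Join": ["", [
                        "<script>\n",
                        "cfn-init.exe -v -s ", {"Ref": "AWS::StackName"},
                        " -r WindowsHost --region ", {"Ref": "AWS::Region"}, "\n",
                        "</script>\n",
                    ]]}},
                },
            }
        },
    }


def plaintext_msi_sources(template):
    """Return (resource, label, source) for every MSI package that cfn-init
    would download over plain http://. Such installers run machine-wide, so a
    tampered download replaces the package; use https:// or a local path."""
    hits = []
    for name, res in template.get("Resources", {}).items():
        init = res.get("Metadata", {}).get("AWS::CloudFormation::Init", {})
        for cfg_name, cfg in init.items():
            if cfg_name == "configSets":
                continue
            for label, src in cfg.get("packages", {}).get("msi", {}).items():
                if isinstance(src, str) and src.lower().startswith("http://"):
                    hits.append((name, label, src))
    return hits


if __name__ == "__main__":
    # Constructed sample input: one http download, one https download, one local file.
    tpl = windows_init_template({
        "mysql": "http://downloads.example.invalid/mysql.msi",
        "agent": "https://downloads.example.invalid/agent.msi",
        "tools": "C:\\installers\\tools.msi",
    }, "MySQL")
    print(json.dumps(tpl, indent=2))
    for hit in plaintext_msi_sources(tpl):
        print("plain-http MSI source: %s/%s -> %s" % hit)
```

Running the script prints the full template and flags only the "mysql" entry. The command key 01_start_service is numbered because cfn-init runs commands in alphabetical order of their keys, which matters once the service start has to follow other setup commands.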
Referencing the default security group is possible using:
{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }
where "VPC" is your VPC resource name.
With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.
I think this is what you want:
"VPCDefaultSecurityGroupIngress": {
    "Type" : "AWS::EC2::SecurityGroupIngress",
    "Properties" : {
        "GroupId": { "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] },
        "IpProtocol": "tcp",
        "FromPort": "22",
        "ToPort": "22",
        "CidrIp": "0.0.0.0/0"
    }
}
As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.
I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups lying around.
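The ingress rule in the answer above attaches SSH from 0.0.0.0/0 to the VPC's default security group, which every instance launched without an explicit group will inherit. As an added example (mine, not code from the answer or from AWS), the script below lints a template for world-open ingress, handling both standalone AWS::EC2::SecurityGroupIngress resources and inline SecurityGroupIngress lists on AWS::EC2::SecurityGroup, string or integer port values, and protocol -1 (all ports). The embedded sample template is constructed for this example: it contains the answer's rule beside a corrected copy that takes the allowed source range from an assumed parameter named AdminCidr.

```python
def world_open_ingress(template):
    """Return (resource, protocol, from_port, to_port, cidr) for every ingress
    rule that admits the whole internet (0.0.0.0/0 or ::/0)."""
    findings = []

    def check(name, rule):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ("0.0.0.0/0", "::/0"):
            return  # a specific range, or a Ref/parameter we cannot resolve statically
        proto = str(rule.get("IpProtocol", "-1"))
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        # IpProtocol -1 (or a rule without ports) means every port.
        if proto == "-1" or lo is None:
            lo, hi = 0, 65535
        # CloudFormation accepts ports as strings ("22") or integers (22).
        findings.append((name, proto, int(lo), int(hi), cidr))

    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroupIngress":
            check(name, props)
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                check(name, rule)
    return findings


# Constructed sample: the rule from the answer (SSH from anywhere on the default
# security group) next to a corrected copy that takes the allowed source range
# from a parameter. "AdminCidr" and the 203.0.113.0/24 default are assumptions.
SAMPLE_TEMPLATE = {
    "Parameters": {"AdminCidr": {"Type": "String", "Default": "203.0.113.0/24"}},
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "VPCDefaultSecurityGroupIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Fn::GetAtt": ["VPC", "DefaultSecurityGroup"]},
                "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
                "CidrIp": "0.0.0.0/0",
            },
        },
        "VPCDefaultSecurityGroupAdminSsh": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Fn::GetAtt": ["VPC", "DefaultSecurityGroup"]},
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "CidrIp": {"Ref": "AdminCidr"},
            },
        },
    },
}


if __name__ == "__main__":
    for finding in world_open_ingress(SAMPLE_TEMPLATE):
        print("%s opens %s %d-%d to %s" % finding)
```

Only VPCDefaultSecurityGroupIngress is reported; the corrected rule passes because its source is a parameter rather than a literal any-address range. A Ref or Fn::GetAtt in CidrIp cannot be resolved statically, so the linter stays silent on it; that is deliberate, since the value is only known at deploy time and should be constrained with AllowedPattern on the parameter instead.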
Best Answer
This is what you're looking for:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html
Quick sample: