AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

Is it not possible to create a AmazonMQ broker and a EC2 SecurityGroup in the same cloud formation?

0

I have the following cloud formation:

Resources:
  ActiveMQSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for Amazon MQ that allows traffic for all supported protocols and GUI access.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 61616
          ToPort: 61616
          CidrIp: 0.0.0.0/0
          Description: OpenWire

  MyBroker:
    Type: AWS::AmazonMQ::Broker
    DependsOn: ActiveMQSecurityGroup
    Properties:
      AutoMinorVersionUpgrade: true
      BrokerName: MyBroker
      DeploymentMode: SINGLE_INSTANCE
      EngineType: ACTIVEMQ
      EngineVersion: 5.17.6
      HostInstanceType: mq.t3.micro
      PubliclyAccessible: true
      SecurityGroups:
        - !Ref ActiveMQSecurityGroup
      Logs:
        Audit: true
        General: true
      Users:
          -
            Username: '{{resolve:secretsmanager:MQSecret:SecretString:username}}'
            Password: '{{resolve:secretsmanager:MQSecret:SecretString:password}}'
            ConsoleAccess: true
            Groups:
              - admin

But I get an error saying that the security group does not exists. If I look in the console I can see that the security group was indeed created before the broker. Also if I leave the SecurityGroups out, everything is created and the broker is connected to the default security group. My understanding was that DependsOn (and implicitly via !Ref) would solve this kinda issue.

주제
관리 및 거버넌스애플리케이션 통합네트워킹 및 콘텐츠 전송
태그
AWS CloudFormation아마존 MQ보안 그룹
언어
English
gustavelm
질문됨 6달 전202회 조회
1개 답변
1
수락된 답변

Hi,

If you are using the default VPC, you can try to explicitly mention the VPCId of the default VPC in the Security Group configuration.
Something like this:

ActiveMQSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for Amazon MQ that allows traffic for all supported protocols and GUI access.
      VpcId: "vpc-012345678abc12de3f"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 61616
          ToPort: 61616
          CidrIp: 0.0.0.0/0
          Description: OpenWire

I tried making this change and it did not give any error, successfully deploying the cloudformation stack and MQ Broker.

Outputs

CloudformationOutput MQOutput

I hope this resolves the issue.

Thanks,
Atul

profile picture
IBAtulAnand
답변함 6달 전
  • gustavelm
    6달 전

    Huh, it works! But I have to admit the error was very vague... And the docs says Required: Conditional on the VpcId for AWS::EC2::SecurityGroup. Anyways - thank you!

  • IBAtulAnand
    6달 전

    Glad that it helped!

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠