How to combine CFT resource lists for the SecurityGroupIds property of EC2::Instance?

We're creating several instances via CloudFormation that will each have multiple security groups attached: one SG that's created in the same CFT stack along with its instance (so that each instance has its own unique SG), and then two or three more pre-existing SGs entered as parameters during stack creation.

The instance-specific SG gets created but nothing else is done to it during stack deployment; it gets programmatically accessed later, we're just putting it in place for now:

Resources:
  UniqueAndSpecificSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref TheVPCWhereIt'sGoing
      GroupDescription: something meaningful and profound here
      Tags: ....

That part works fine.

Getting the list of existing SGs is straightforward, as we have

Parameters:
  ExistingSGList:
    Description:  again, our descriptions are pure poetry
    Type: List<AWS::EC2::SecurityGroup::Id>
    # can't do Default entries unless the type is a CommaDelimitedList

This gives a dropdown list showing all the SGs in the account. (Sadly, there's no way to programmatically restrict the list to only the SGs that actually exist in the same VPC where the instance is being created. Life is hard.) The architect deploying the stack can select the combination of security groups they want for this group of instances. That part also works fine.

The trouble comes when we try to apply both the single created SG and an arbitrary list (only a few total, obviously, since the limit on the number of SGs that can be attached is small, but the combinations of available SGs are considerable) when creating the actual instance:

Resources:
  InstanceBeingCreated:
    Type: AWS::EC2::Instance
    Properties:
      SecurityGroupIds:
        - !Ref ExistingSGList
        - !Ref UniqueAndSpecificSecurityGroup

That fails, because CFN hates the list-of-lists. YAML doesn't seem to have a standard way of "flattening" the list, or adding another entry to it; if it does I would love to learn the syntax.

I also tried repeating the properties, in the hope that they would accumulate:

      SecurityGroupIds:
        - !Ref ExistingSGList
      SecurityGroupIds:
        - !Ref UniqueAndSpecificSecurityGroup

CFN was fine with that, but silently replaced the first property with the second; the instance gets deployed with only the last one. Okay, not surprising.

Is there some kind of !Join invocation that will let me expand the arbitrary list, add the other unique SG, and then glom them back together into one list that I can give to SecurityGroupIds? I'm familiar with the Join function, but have very little experience trying to manipulate YAML arrays.

asked 2 years ago · 92 views
No Answers
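One way to get a single flat list onto SecurityGroupIds, as an added example that is not from the question or from AWS's own documentation: CloudFormation has no list-concatenation function, but Fn::Join accepts a list parameter directly, so the list can be serialised to one comma-separated string, the single group appended, and the result split back into a list. The TheVPC and ImageId parameters and the InstanceType value are assumptions for illustration.

```yaml
# Added example (not part of the original post): merge the pre-existing SG
# list with the stack's own SG on SecurityGroupIds. Parameter names other
# than ExistingSGList, and the ImageId/InstanceType values, are assumptions.
Parameters:
  TheVPC:
    Type: AWS::EC2::VPC::Id
  ExistingSGList:
    Description: Pre-existing security groups to attach alongside the per-instance one
    Type: List<AWS::EC2::SecurityGroup::Id>
  ImageId:
    Type: AWS::EC2::Image::Id

Resources:
  UniqueAndSpecificSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref TheVPC
      GroupDescription: Per-instance security group, rules added out of band later
      # No SecurityGroupIngress here: the group starts with no inbound rules,
      # so attaching it cannot widen the instance's exposure on its own.

  InstanceBeingCreated:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      # Inner Join: list parameter -> "sg-a,sg-b".
      # Outer Join: "sg-a,sg-b" + new group id -> "sg-a,sg-b,sg-new".
      # Split: back to a list of strings, which is what SecurityGroupIds wants.
      # The !Ref inside the Join still makes CloudFormation create the
      # security group before the instance, so no DependsOn is needed.
      SecurityGroupIds: !Split
        - ","
        - !Join
          - ","
          - - !Join [",", !Ref ExistingSGList]
            - !Ref UniqueAndSpecificSecurityGroup
```

Every group in the final list must belong to the same VPC as the instance; a group picked from the dropdown that lives in another VPC is rejected when the instance is created, not at template validation, so a VPC mismatch shows up as a stack rollback rather than a parameter error.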
