AWS CloudFormation YAML template - appending to list parameter types.

README.md

AWS CloudFormation YAML template - appending to list parameter types

Documenting this here, as I often forget (what I have found) is the best way to do this at the moment.

For example, you have a list of two existing security groups given to a stack and wish to create (and use) a third - attaching all to an ALB:

AWSTemplateFormatVersion: '2010-09-09'
Description: Example template

Parameters:
  VPC:
    Type: AWS::EC2::VPC::Id

  ALBSubnetList:
    Type: List<AWS::EC2::Subnet::Id>

  securityGroupIdList:
    Type: List<AWS::EC2::SecurityGroup::Id>

Resources:
  ALBInstance:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: My ALB
      Scheme: internal
      SecurityGroups: !Split
        - ','
        - !Sub
          - ${idList},${ALBSecurityGroup}
          - idList: !Join [',', !Ref securityGroupIdList]
      Subnets: !Ref ALBSubnetList

  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: My new ALB security group
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          FromPort: 443
          IpProtocol: tcp
          ToPort: 443
      VpcId: !Ref VPC

What's happening here:

• Taking given securityGroupIdList list of strings and using !Join to create a single string delimited with commas.
• Next, using !Sub we join this string (with a comma) to our new group resource ID of ALBSecurityGroup.
• Finally, re-split via !Split the complete string on commas, returning result as a list of strings passed to SecurityGroups.

Thanks I think this is what I'm looking for.
However, I'm a bit stuck on the internals of how your Sub works here and how idList is supposed to work.
I can't get it working with my case.

@iDVB - look here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-sub.html

!Sub offers a second form where you can define one or more name/value pairs - which can then be used in the substitution string - rather than trying to inline everything into a ${STATEMENT} block - which is often messy to debug/work with.

So here I'm creating a single named value of idList - which is then used by the sub in it's opening argument.

Sad thing is I don't think there's any way to make this support securityGroupIdList being empty...

@jedwards1211 Can a List<AWS::EC2::SecurityGroup::Id> be empty? I thought it could? If so, can combine this with an !if to make that a reality.

Thank you!!!

Alternative that doesn't use !Sub:

      SecurityGroups: !Split
        - ","
        - !Join
            - ","
            - - !GetAtt ALBSecurityGroup.GroupId
              - !Join 
                  - ","
                  - !Ref "securityGroupIdList"

This also works if securityGroupIdList has no entries

@elexisvenator very nice!

Would be really nice if you could get a parameter of type ListAWS::EC2::SecurityGroup::Id to pass validation with no value :(

Unless I've missed something...been banging my head against this for ages....so would love to find out a way around it!

Thank you i could fix my issue on which i was working for whole day.

Can someone help with the similar question below.

https://stackoverflow.com/questions/70185773/aws-cft-how-to-append-list-parameter-to-list-of-static-string-options

Alternative that doesn't use !Sub:

      SecurityGroups: !Split
        - ","
        - !Join
            - ","
            - - !GetAtt ALBSecurityGroup.GroupId
              - !Join 
                  - ","
                  - !Ref "securityGroupIdList"

This also works if securityGroupIdList has no entries

God bless you!

Hi is there a way to make "ALBSecurityGroup.GroupId" optional? In my situation, 'securityGroupIdList' will always contain at least one SG, but my ALBSecurityGroup.GroupId might be empty in some cases. Is there a way to make that work?
Thank You in advance!