@magnetikonline
Last active September 25, 2023 13:57
AWS CloudFormation YAML template - appending to list parameter types.

Documenting this here, as I often forget what I have found to be the best way to do this at the moment.

For example, you have a list of two existing security groups given to a stack and wish to create (and use) a third - attaching all to an ALB:

AWSTemplateFormatVersion: '2010-09-09'
Description: Example template

Parameters:
  VPC:
    Type: AWS::EC2::VPC::Id

  ALBSubnetList:
    Type: List<AWS::EC2::Subnet::Id>

  securityGroupIdList:
    Type: List<AWS::EC2::SecurityGroup::Id>

Resources:
  ALBInstance:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: my-alb
      Scheme: internal
      SecurityGroups: !Split
        - ','
        - !Sub
          - ${idList},${ALBSecurityGroup}
          - idList: !Join [',', !Ref securityGroupIdList]
      Subnets: !Ref ALBSubnetList

  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: My new ALB security group
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          FromPort: 443
          IpProtocol: tcp
          ToPort: 443
      VpcId: !Ref VPC

What's happening here:

  • Take the given securityGroupIdList list of strings and use !Join to create a single comma-delimited string.
  • Next, using !Sub, join this string (with a comma) to the ID of our new group resource, ALBSecurityGroup.
  • Finally, re-split the complete string on commas via !Split, returning the result as a list of strings passed to SecurityGroups.
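
An added example, not part of the original gist: the same !Join / !Sub / !Split append, generalized so the extra group is created and appended only when a condition holds. The createALBSecurityGroup parameter and the CreateALBSecurityGroup condition are hypothetical names introduced for this illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Append an optionally created security group to a list parameter

Parameters:
  VPC:
    Type: AWS::EC2::VPC::Id
  ALBSubnetList:
    Type: List<AWS::EC2::Subnet::Id>
  securityGroupIdList:
    Type: List<AWS::EC2::SecurityGroup::Id>
  createALBSecurityGroup: # hypothetical parameter, not in the gist
    Type: String
    AllowedValues: ['true', 'false']
    Default: 'true'

Conditions:
  # hypothetical condition name; true when the extra group is wanted
  CreateALBSecurityGroup: !Equals [!Ref createALBSecurityGroup, 'true']

Resources:
  ALBInstance:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internal
      # !If picks the comma-delimited string, !Split turns it back into a list
      SecurityGroups: !Split
        - ','
        - !If
          - CreateALBSecurityGroup
          # group exists: existing IDs plus the new group ID
          - !Sub
            - ${idList},${ALBSecurityGroup.GroupId}
            - idList: !Join [',', !Ref securityGroupIdList]
          # group not created: existing IDs only, no reference to it
          - !Join [',', !Ref securityGroupIdList]
      Subnets: !Ref ALBSubnetList

  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: CreateALBSecurityGroup # resource is skipped when false
    Properties:
      GroupDescription: My new ALB security group
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          FromPort: 443
          IpProtocol: tcp
          ToPort: 443
      VpcId: !Ref VPC
```

The reference to ALBSecurityGroup sits only in the true branch of !If, so the template stays valid when the condition is false and the resource is not created.
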
@beauchar

beauchar commented Oct 1, 2019

Would be really nice if you could get a parameter of type List<AWS::EC2::SecurityGroup::Id> to pass validation with no value :(

Unless I've missed something...been banging my head against this for ages....so would love to find out a way around it!

@heenar2017

Thank you, I could fix my issue, on which I was working for the whole day.

@SivaBurramukkuTR

@sandytoshev

Alternative that doesn't use !Sub:

      SecurityGroups: !Split
        - ","
        - !Join
            - ","
            - - !GetAtt ALBSecurityGroup.GroupId
              - !Join 
                  - ","
                  - !Ref "securityGroupIdList"

This also works if securityGroupIdList has no entries

God bless you!

@leecavazos

Hi, is there a way to make "ALBSecurityGroup.GroupId" optional? In my situation, 'securityGroupIdList' will always contain at least one SG, but my ALBSecurityGroup.GroupId might be empty in some cases. Is there a way to make that work?
Thank you in advance!
