
Below is a sample of how our team creates new EC2 instances using CloudFormation with AWS. I'm just getting started myself with AWS, but one problem I have is when I need to create a new Security Group for an EC2 instance that has been created using CloudFormation: I'm being told I can't associate it with the EC2 instance in code, and that I have to create the security group in code, then go into the console and associate it there. If I try to associate it in code, will it recreate the EC2 instance? Is what I'm being told correct? Is there a way I can create a new SG in code and link it to an EC2 instance without doing any damage to the existing EC2 instance? Thank you.

```yaml
Resources:
  SERVERLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateName: EC2GSSADBUR
      LaunchTemplateData:
        SecurityGroupIds:
          - !ImportValue windows-standard-sg
          - !ImportValue windows-standard2-sg
        IamInstanceProfile:
          Name: !ImportValue defaultInstanceProfile
        MetadataOptions:
          HttpPutResponseHopLimit: 2
          HttpTokens: required
        Monitoring:
          Enabled: true
  SERVER01Alias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/SERVER01
      TargetKeyId: !Ref SERVER01KMS
  SERVER01KMS:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
  SERVER01:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0960ad9be9axxxxxx
      InstanceType: m5.xlarge
      KeyName: SERVER01-keypair
      UserData: !Base64 |
        Rename-Computer SERVER01
        Restart-Computer
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeType: gp2
            VolumeSize: 100
            Encrypted: true
            KmsKeyId: !GetAtt SERVER01KMS.Arn
        - DeviceName: /dev/sdb
          Ebs:
            VolumeType: gp2
            VolumeSize: 500
            Encrypted: true
            KmsKeyId: !GetAtt SERVER01KMS.Arn
      SubnetId: subnet-08bba3360bxxxxxx
      PrivateIpAddress: x.x.x.66
      Ipv6Addresses:
        - Ipv6Address: xx:xx:xx:xx:xx:xx:xx:66
      PropagateTagsToVolumeOnCreation: "true"
      Tags:
        - Key: Name
          Value: SERVER01
      LaunchTemplate:
        LaunchTemplateId: !Ref SERVERLaunchTemplate
        Version: !GetAtt SERVERLaunchTemplate.LatestVersionNumber
```

1 Answer


If something is created using infrastructure as code, you should maintain it using infrastructure as code. Adding a security group to an existing template, then deploying that template, should not change the EC2 instance.

The best way to ensure your change won't delete anything is to create a change set with CloudFormation. It will tell you what it's going to change, create, and delete. If you don't like what the change is going to do, simply delete the change set. Be careful not to delete the whole stack like I did once, but I think AWS has moved the delete buttons since then.
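The change-set review the answer recommends can be automated so that nobody has to eyeball the console before executing. The script below is an added example (my own code, not from the answer's author or from AWS): it reads the JSON that `aws cloudformation describe-change-set` returns and refuses any change set that would `Remove` a resource or `Modify` one with `Replacement` set to `True` or `Conditional`, printing the property CloudFormation blames. The stack and change-set names (`server01`, `add-rdp-sg`), the logical ID `SERVER01RdpSG`, and both embedded change-set documents are constructed for illustration; in particular, which property CloudFormation reports as forcing recreation for a given template edit is something you read off the real change set, not off this sample.

```python
"""Refuse a CloudFormation change set that would delete or recreate a resource.

Workflow (hypothetical stack and change-set names; the CLI calls hit a real account):

    aws cloudformation create-change-set --stack-name server01 \
        --change-set-name add-rdp-sg --template-body file://server01.yaml \
        --capabilities CAPABILITY_IAM
    aws cloudformation wait change-set-create-complete \
        --stack-name server01 --change-set-name add-rdp-sg
    aws cloudformation describe-change-set \
        --stack-name server01 --change-set-name add-rdp-sg > changeset.json
    python check_changeset.py changeset.json    # exit 1 => delete-change-set, not execute-change-set
"""
import json
import sys

# Replacement values CloudFormation reports on a "Modify" change. "Conditional"
# means it depends on the final property value, so it is treated as risky too.
RISKY_REPLACEMENT = {"True", "Conditional"}


def risky_changes(change_set):
    """Return the resource changes that would destroy or recreate a resource.

    `change_set` is the parsed JSON of describe-change-set. A change is risky
    when its Action is Remove, or when it is a Modify whose Replacement is True
    or Conditional (the resource would get a new physical ID).
    """
    risky = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange")
        if not rc:
            continue
        action, replacement = rc.get("Action"), rc.get("Replacement")
        if action == "Remove" or (action == "Modify" and replacement in RISKY_REPLACEMENT):
            # Collect the property names CloudFormation says force recreation,
            # so the reviewer knows which edit in the template is to blame.
            culprits = sorted({
                d["Target"].get("Name", "?")
                for d in rc.get("Details", [])
                if d.get("Target", {}).get("RequiresRecreation") in ("Always", "Conditionally")
            })
            risky.append({"LogicalResourceId": rc.get("LogicalResourceId"),
                          "ResourceType": rc.get("ResourceType"),
                          "Action": action, "Replacement": replacement,
                          "Properties": culprits})
    return risky


def is_safe(change_set):
    """True when every change is a pure Add or an in-place (non-replacing) Modify."""
    return not risky_changes(change_set)


def summarize(change_set):
    """One console line per resource change."""
    return ["{:<7} {:<16} {:<28} replacement={}".format(
                rc.get("Action", "?"), rc.get("LogicalResourceId", "?"),
                rc.get("ResourceType", "?"), rc.get("Replacement", "-"))
            for rc in (c.get("ResourceChange", {}) for c in change_set.get("Changes", []))]


# Constructed sample (not real API output): a new security group is added and
# the existing instance is modified in place, the outcome the answer describes.
SAFE_CHANGE_SET = {
    "ChangeSetName": "add-rdp-sg", "StackName": "server01", "Status": "CREATE_COMPLETE",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "SERVER01RdpSG",
            "ResourceType": "AWS::EC2::SecurityGroup", "Scope": [], "Details": []}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "SERVER01",
            "PhysicalResourceId": "i-0123456789abcdef0",
            "ResourceType": "AWS::EC2::Instance", "Replacement": "False",
            "Scope": ["Properties"],
            "Details": [{"Target": {"Attribute": "Properties", "Name": "SecurityGroupIds",
                                    "RequiresRecreation": "Never"},
                         "Evaluation": "Static", "ChangeSource": "DirectModification"}]}},
    ],
}

# Constructed sample of the case the poster was warned about: the same edit made
# through a property that CloudFormation reports as forcing recreation. The
# property name here is illustrative, not a statement about any real template.
REPLACING_CHANGE_SET = json.loads(json.dumps(SAFE_CHANGE_SET))
REPLACING_CHANGE_SET["Changes"][1]["ResourceChange"].update({
    "Replacement": "True",
    "Details": [{"Target": {"Attribute": "Properties", "Name": "LaunchTemplate",
                            "RequiresRecreation": "Always"},
                 "Evaluation": "Static", "ChangeSource": "DirectModification"}],
})


def main(argv):
    # With a file argument, check that describe-change-set output; otherwise
    # run against the constructed replacing sample to show the refusal path.
    change_set = json.load(open(argv[1])) if len(argv) > 1 else REPLACING_CHANGE_SET
    print("\n".join(summarize(change_set)))
    bad = risky_changes(change_set)
    for r in bad:
        print("REFUSE: {LogicalResourceId} ({ResourceType}) action={Action} "
              "replacement={Replacement} caused by {Properties}".format(**r))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it prints the constructed replacing change set and exits 1; wire the real `describe-change-set` output through it in CI so that `execute-change-set` only runs on exit 0 and `delete-change-set` runs otherwise. Treating `Conditional` as a refusal is deliberate: it is the case where CloudFormation cannot tell you before execution whether the instance (and its encrypted volumes) will be recreated.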
