Open ex-nerd opened 8 years ago
Is the behavior you're talking about discussed anywhere in the docs? The reason this fails now is because troposphere, traditionally, has tried to stick to what is defined in the docs - and the docs for the SecurityGroupRule property say that ToPort/FromPort are required. (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-rule.html)
We run into these undocumented 'features' occasionally, and haven't found a good answer to it.
It's not discussed in these docs beyond the example I referenced. However, the properties are marked as optional in the ec2 API docs:
I also haven't been able to find any reference for the default behavior of "if you don't specify a rule, we assume you mean allow all traffic".
All of the AWS Documentation links you guys referenced so far state that ToPort and FromPort are optional. I guess they updated the doc since this discussion started?
@muikrad That does indeed appear to be the case now. Previously, the page linked to by @phobologic had them listed as required.
Troposphere is disallowing my ec2.SecurityGroupRule because it doesn't have a valid `FromPort` or `ToPort`. CloudFormation automatically adds an "all" rule to ingress/egress definitions that are left blank, so if you want to specifically create a rule that disallows access you create a rule against localhost with an IpProtocol of `-1` and no to/from port info. Despite what the http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-rule.html docs say, `FromPort` and `ToPort` are not required when using `IpProtocol=-1` from a VPC. See this example taken from http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#d0e39862 :
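A small validator for the rule shape this issue describes, added here as an example; it is not troposphere's code and not the docs' example. It assumes plain CloudFormation-style property dicts, requires FromPort/ToPort only when IpProtocol is not -1, recognises the localhost `-1` placeholder, and flags a group with no egress rules (which gets EC2's default allow-all egress).

```python
# Constructed example: validate CloudFormation SecurityGroupRule dicts the way
# this issue argues they should be validated (ports optional for IpProtocol -1).

ALL_TRAFFIC = "-1"
TARGET_KEYS = ("CidrIp", "CidrIpv6", "SourceSecurityGroupId",
               "SourceSecurityGroupName", "DestinationSecurityGroupId")


def validate_rule(rule: dict) -> list:
    """Return a list of problems found in one SecurityGroupRule dict."""
    problems = []
    proto = str(rule.get("IpProtocol", ""))
    if not proto:
        return ["IpProtocol is required"]
    has_ports = "FromPort" in rule and "ToPort" in rule
    # Ports are mandatory for tcp/udp/etc., but not for "all traffic" (-1).
    if proto != ALL_TRAFFIC and not has_ports:
        problems.append(f"FromPort/ToPort required for IpProtocol={proto}")
    # A rule must point somewhere: a CIDR or another security group.
    if not any(k in rule for k in TARGET_KEYS):
        problems.append("rule has no CidrIp/CidrIpv6/security group target")
    return problems


def is_deny_all_placeholder(rule: dict) -> bool:
    """The issue's idiom: an all-traffic rule scoped to localhost, used so
    CloudFormation does not fill an empty egress list with allow-all."""
    return (str(rule.get("IpProtocol")) == ALL_TRAFFIC
            and rule.get("CidrIp") == "127.0.0.1/32")


def audit_security_group(sg: dict) -> list:
    """Audit an AWS::EC2::SecurityGroup resource dict and report findings."""
    findings = []
    props = sg.get("Properties", {})
    if not props.get("SecurityGroupEgress"):
        findings.append("no SecurityGroupEgress: EC2 adds a default allow-all egress rule")
    for direction in ("SecurityGroupIngress", "SecurityGroupEgress"):
        for i, rule in enumerate(props.get(direction, [])):
            for p in validate_rule(rule):
                findings.append(f"{direction}[{i}]: {p}")
    return findings


if __name__ == "__main__":
    # Constructed sample: egress locked down with the localhost placeholder.
    sample = {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "no egress",
        "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "127.0.0.1/32"}]}}
    print(audit_security_group(sample) or "no findings")
```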