Reputation: 2527
I have multiple EC2 instances in a security group and I want to ensure that all EC2 instances can access any of the others in the same Security Group.
If I try to do this, I get a circular reference error:
"XYZSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "VpcId": {
      "Fn::ImportValue": {
        "Fn::Sub": "${NetworkStackName}-VPCID"
      }
    },
    "SecurityGroupIngress": [
      {
        "IpProtocol": "tcp",
        "FromPort": "80",
        "ToPort": "80"
      },
      {
        "IpProtocol": "tcp",
        "FromPort": "27017",
        "ToPort": "27017",
        "SourceSecurityGroupId": {"Ref": "XYZSecurityGroup"}
      }
    ]
  }
}
Creating a separate SecurityGroupIngress element seems to overwrite my existing settings. So how can I enable all instances in the same security group to see each other? I also want this Security Group to accept traffic from another security group.
Upvotes: 1
Views: 913
Reputation: 20380
As noted in the AWS::EC2::SecurityGroup documentation, you can use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define self-referencing security group rules:
Important
If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. If you do, it causes a circular dependency, which AWS CloudFormation doesn't allow.
Upvotes: 1
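The approach from the answer applied to the template in the question, as an added example that is not part of the original post: the group keeps only the rule that does not reference another group, while the self-referencing rule and the rule admitting a second group are separate AWS::EC2::SecurityGroupIngress resources, so nothing references the group inside its own definition. The Parameters section, the OtherSecurityGroupId parameter, the GroupDescription text and the 10.0.0.0/16 source for port 80 are assumptions added here (the question left that rule without a source; CloudFormation requires one).

```json
{
  "Parameters": {
    "NetworkStackName": { "Type": "String" },
    "OtherSecurityGroupId": { "Type": "AWS::EC2::SecurityGroup::Id" }
  },
  "Resources": {
    "XYZSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "XYZ instances; cross-group rules live in separate resources",
        "VpcId": { "Fn::ImportValue": { "Fn::Sub": "${NetworkStackName}-VPCID" } },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "10.0.0.0/16" }
        ]
      }
    },
    "XYZSelfIngress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "XYZSecurityGroup" },
        "IpProtocol": "tcp",
        "FromPort": 27017,
        "ToPort": 27017,
        "SourceSecurityGroupId": { "Ref": "XYZSecurityGroup" }
      }
    },
    "XYZFromOtherIngress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "XYZSecurityGroup" },
        "IpProtocol": "tcp",
        "FromPort": 27017,
        "ToPort": 27017,
        "SourceSecurityGroupId": { "Ref": "OtherSecurityGroupId" }
      }
    }
  }
}
```

CloudFormation creates XYZSecurityGroup first and then attaches the two standalone rules, so members of the group can reach port 27017 on each other and members of the other group can reach it as well, without widening the rule beyond those two groups.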