How can I create a security group if none is specified in a parameter in a cloudformation script?

StackOverflow https://stackoverflow.com/questions/15978796

Question

I have a parameter for security group:

"Parameters" : {
 "SecurityGroup" : {
   "Description" : "Name of an existing EC2 Security Group ",
   "Type" : "String",
   "Default" : "default", 
   "MinLength": "1",
   "MaxLength": "64",
   "AllowedPattern" : "[-_ a-zA-Z0-9]*",
   "ConstraintDescription" : "can contain only alphanumeric characters, spaces, dashes and underscores."
  }
},

But rather than use the default, if no parameter is specified I'd like to create one. Is this possible?


Solution

These were likely added after this question was asked, but for anyone that comes across this now, this can be done with Conditions in CloudFormation.

So if we start with your Parameters declaration

"Parameters" : {
 "SecurityGroup" : {
   "Description" : "Name of an existing EC2 Security Group ",
   "Type" : "String",
   "Default" : "default", 
   "MinLength": "1",
   "MaxLength": "64",
   "AllowedPattern" : "[-_ a-zA-Z0-9]*",
   "ConstraintDescription" : "can contain only alphanumeric characters, spaces, dashes and underscores."
  }
},

We could add a Conditions declaration, with a condition ShouldCreateSecurityGroup

"Conditions" : {
  "ShouldCreateSecurityGroup" : {"Fn::Equals" : [{"Ref" : "SecurityGroup"}, "default"]}
},

This condition can now be used to tell CloudFormation whether to create a security group:

"Resources": {
  "NewSecurityGroup": {
    "Type" : "AWS::EC2::SecurityGroup",
    "Condition" : "ShouldCreateSecurityGroup",
    "Properties" : {
       "GroupDescription" : "Security group created by the stack when none was supplied",
       "SecurityGroupEgress" : [ Security Group Rule, ... ],
       "SecurityGroupIngress" : [ Security Group Rule, ... ]
    }
  }
}

Then when you go to reference the value in this, you can use the Fn::If conditional function to say whether you want to use the value from the SecurityGroup parameter or the NewSecurityGroup resource. For example, for passing the value into the SecurityGroups property of an EC2 instance, we could use Fn::If like:

"Server": {
  "Type" : "AWS::EC2::Instance",
  "Properties" : {
      ...
    "SecurityGroups" : [ {"Fn::If": ["ShouldCreateSecurityGroup", {"Ref": "NewSecurityGroup"}, {"Ref": "SecurityGroup"}]} ]
  }
}
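The fragments above stitched into a complete template, as an added example that is not part of the original answer. It changes three things a practitioner would want: the sentinel is the empty string rather than the name "default" (the original parameter's MinLength of 1 would reject an empty value, and a real group named "default" exists in every VPC, so "default" is ambiguous as a "nothing supplied" marker); the parameter carries a group ID and the instance uses SecurityGroupIds, because in a VPC Ref on an AWS::EC2::SecurityGroup returns the group ID, not a name; and the group that gets created has explicit least-privilege rules instead of placeholders. The parameter names VpcId, SubnetId, ImageId, ExistingSecurityGroupId and AdminCidr, the t3.micro instance type and the port choices are assumptions made for this example.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: create a security group only when the caller does not supply one",
  "Parameters": {
    "VpcId": {
      "Description": "VPC in which the instance and any new security group are created",
      "Type": "AWS::EC2::VPC::Id"
    },
    "SubnetId": {
      "Description": "Subnet for the instance",
      "Type": "AWS::EC2::Subnet::Id"
    },
    "ImageId": {
      "Description": "AMI for the instance",
      "Type": "AWS::EC2::Image::Id"
    },
    "ExistingSecurityGroupId": {
      "Description": "ID of an existing security group (sg-...). Leave empty to have the stack create one.",
      "Type": "String",
      "Default": "",
      "AllowedPattern": "^(sg-[0-9a-f]{8}|sg-[0-9a-f]{17})?$",
      "ConstraintDescription": "must be empty or a security group ID such as sg-0123456789abcdef0"
    },
    "AdminCidr": {
      "Description": "CIDR allowed to reach SSH on the new group; only used when the stack creates one",
      "Type": "String",
      "Default": "10.0.0.0/8",
      "AllowedPattern": "^(\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2}$",
      "ConstraintDescription": "must be an IPv4 CIDR such as 10.0.0.0/8"
    }
  },
  "Conditions": {
    "ShouldCreateSecurityGroup": { "Fn::Equals": [ { "Ref": "ExistingSecurityGroupId" }, "" ] }
  },
  "Resources": {
    "NewSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Condition": "ShouldCreateSecurityGroup",
      "Properties": {
        "GroupDescription": "Least-privilege group created because none was supplied (assumed rules)",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": { "Ref": "AdminCidr" } }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0" }
        ]
      }
    },
    "Server": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": { "Ref": "ImageId" },
        "InstanceType": "t3.micro",
        "SubnetId": { "Ref": "SubnetId" },
        "SecurityGroupIds": [
          { "Fn::If": [ "ShouldCreateSecurityGroup",
                        { "Ref": "NewSecurityGroup" },
                        { "Ref": "ExistingSecurityGroupId" } ] }
        ]
      }
    }
  },
  "Outputs": {
    "SecurityGroupInUse": {
      "Description": "The security group actually attached to the instance",
      "Value": { "Fn::If": [ "ShouldCreateSecurityGroup",
                             { "Ref": "NewSecurityGroup" },
                             { "Ref": "ExistingSecurityGroupId" } ] }
    }
  }
}
```

Two points worth checking before deploying a template like this: the Condition on NewSecurityGroup means the resource does not exist when a group ID is passed in, so every reference to it elsewhere must go through the same Fn::If (a bare Ref to a conditional resource fails validation), and listing SecurityGroupEgress explicitly removes the allow-all egress rule CloudFormation would otherwise add, which is the intent here but will break anything on the instance that needs outbound access beyond port 443.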

Other tips

No - Cloud Formation is a declarative language, so there's no "if/else" unfortunately.

You can't even do it by creating your own one and then passing in a "Ref" to the parameters as the parameter part is parsed and evaluated prior to script execution.

You could possibly do something with nested cloud formation script, but I haven't played with that enough to work out whether it's possible. So for me - you'd have one script, that takes a parameter. If the parameter is supplied, it passes that directly through to the second cloud formation, but if it isn't supplied, the first cloud formation is executed and returns the name of a newly created security group, and that is passed into the second cloud formation.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow