How do I add a cloudformation security group ingress rule that refers to another security group?

I have the following security group in a yaml template. I'd like to have the "SecurityGroupApplication" security group allow incoming connections from the "SecurityGroupBastion". However, the validate-template function of the aws client is telling me unhelpful information like "unsupported structure". Ok, but what is wrong with the structure? Ideas?

Resources:
  SecurityGroupBastion:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion security group
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
      VpcId: !Ref vpcId
  SecurityGroupApplication:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application security group
      SecurityGroupIngress:
        - SourceSecurityGroupId: !Ref SecurityGroupBastion
          IpProtocol: tcp


Solution 1:[1]

If you want SecurityGroupApplication to be a Security Group, then you should use Type: AWS::EC2::SecurityGroup instead of Type: AWS::EC2::SecurityGroupIngress. That is probably the cause of the "unsupported structure" error you are seeing.
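Putting the answer together as a full template (an added example, not code from the question or the answer above): both groups are plain AWS::EC2::SecurityGroup resources, the application group references the bastion group by ID with !GetAtt ...GroupId (unambiguous, whereas !Ref returns the ID only for VPC groups), and every tcp rule carries both FromPort and ToPort, which the question's snippet omitted and which the EC2 API requires for tcp/udp. The vpcId parameter name comes from the question; AdminCidr, its TEST-NET-3 default and the 8080 application port are assumptions for this example. A standalone AWS::EC2::SecurityGroupIngress resource is shown as well, since that form is what you need when two groups must reference each other without creating a circular dependency.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Bastion and application security groups (added example, not from the original post)

Parameters:
  vpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC the groups are created in (parameter name taken from the question)
  AdminCidr:
    Type: String
    Description: CIDR allowed to reach the bastion on SSH (assumed parameter; narrower than 0.0.0.0/0)
    Default: 203.0.113.0/24   # TEST-NET-3 documentation range, constructed placeholder

Resources:
  SecurityGroupBastion:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion security group
      VpcId: !Ref vpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr

  SecurityGroupApplication:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application security group
      VpcId: !Ref vpcId
      SecurityGroupIngress:
        # Inline rule: SSH only from instances that are members of the bastion
        # group. Both port bounds are required for tcp; the question's snippet
        # had neither.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !GetAtt SecurityGroupBastion.GroupId

  # The same kind of rule as a standalone resource. Use this form when two
  # groups need to reference each other; inline rules cannot do that without
  # a circular dependency between the two AWS::EC2::SecurityGroup resources.
  ApplicationIngressFromBastion:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt SecurityGroupApplication.GroupId
      IpProtocol: tcp
      FromPort: 8080          # assumed application port
      ToPort: 8080
      SourceSecurityGroupId: !GetAtt SecurityGroupBastion.GroupId
      Description: Application port from bastion hosts
```

Run `aws cloudformation validate-template --template-body file://sg.yaml` against the file to confirm it parses; keeping the bastion's SSH source as a parameter rather than 0.0.0.0/0 means the template forces the deployer to name the admin range instead of exposing port 22 to the whole internet by default.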

Solution 2:[2]

Just in case someone falls into this old question: there is now a way to reference a cross-account SG in CloudFormation, so if you want to add an SG ingress rule pointing to another AWS account, just add the key SourceSecurityGroupOwnerId and the account ID.

i.e.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  TargetSG:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: vpc-1a2b3c4d
      GroupDescription: Security group allowing ingress for security scanners
  InboundRule:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      GroupId: !GetAtt TargetSG.GroupId
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      SourceSecurityGroupId: sg-12345678 # SG in the other AWS account
      SourceSecurityGroupOwnerId: '123456789012' # Account ID

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 spg
Solution 2 Esteban Echavarrìa