I'm trying to reference a security group inside a CloudFormation template. The name of the group is !Sub '${EnvironmentName}-SG-Private', where EnvironmentName is a template parameter.
However, the DBInstance AWS type requires the GroupId of the security group, not the group name. So I'm trying to use GetAtt to retrieve it, but without any luck:
Fn::GetAtt: [$(Fn::Sub:[${EnvironmentName}-SG-Private]), GroupId]
This and various other permutations all caused errors.
Reading the docs, it says:
For the Fn::GetAtt logical resource name, you cannot use functions. You must specify a string that is a resource's logical ID.
If I've read that right, the problem cannot be solved the way I'm trying to do so. So how am I supposed to reference this security group? Do I need to export its GroupId at group creation time?
The Fn::GetAtt intrinsic function returns the value of an attribute from a resource in the template. For more information about GetAtt return values for a particular resource, refer to the documentation for that resource.
You can only use Fn::GetAtt with resources in the same template. Hence you can't use it on names derived from template parameters.
If you need the GroupId you can export it from the template that creates the Security Group and Fn::ImportValue it in the template that needs it.
For more info see CloudFormation Export / ImportValue.
Hope that helps :)
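
The export/import approach from the answer above, as an added example that is not part of the original posts. The logical IDs, the export name `${EnvironmentName}-SG-Private-GroupId`, the `VpcId` and `DBSubnetGroupName` parameters, and the database settings are assumptions made for illustration; the two templates are separate files, deployed as separate stacks.

```yaml
# Template 1 (network stack): creates the group and exports its GroupId.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  EnvironmentName:
    Type: String
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  PrivateSecurityGroup:          # logical ID: a literal string, so GetAtt accepts it
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub '${EnvironmentName}-SG-Private'
      GroupDescription: Private tier group with no inbound rules defined here
      VpcId: !Ref VpcId
Outputs:
  PrivateSecurityGroupId:
    Value: !GetAtt PrivateSecurityGroup.GroupId
    Export:
      # Assumed export name; it must be unique per account and region.
      Name: !Sub '${EnvironmentName}-SG-Private-GroupId'
---
# Template 2 (database stack): a separate file that imports the exported GroupId.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  EnvironmentName:
    Type: String
  DBSubnetGroupName:             # assumed to exist already in the same VPC
    Type: String
Resources:
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      MasterUsername: dbadmin
      ManageMasterUserPassword: true   # RDS keeps the password in Secrets Manager
      DBSubnetGroupName: !Ref DBSubnetGroupName
      PubliclyAccessible: false
      VPCSecurityGroups:
        # Functions are allowed here, unlike in GetAtt's logical resource name.
        - Fn::ImportValue: !Sub '${EnvironmentName}-SG-Private-GroupId'
```

While the database stack imports the value, CloudFormation refuses to delete the exporting stack or to change that output, so the security group cannot be replaced without updating the database stack first.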