How to fix / why are Conditions causing Unresolved resource dependencies

Edit

Original details below.

In the process of chasing this down, I've now narrowed it down to the fact that this security group

  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: WantsMail
    Properties:
      GroupDescription: Security group for RDS Databases
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref MailSecurityGroup
      VpcId:
        !Ref Vpc

is not being created, even though WantsMail is evaluating as true. I know WantsMail is evaluating as true because I changed the Outputs section:

Outputs:
...
  DatabaseSecurityGroup:
    Condition: WantsMail
    Description: Security group for RDS database access
    Value: Foo
    Export:
      Name: FooName

Not only does that get output correctly, but the MailSecurityGroup (which also is conditional on WantsMail) gets created. However, this security group does not. Nothing showing any YAML errors. No errors that I can find in the AWS CloudFormation UI. Any ideas either on what's wrong, or how to track down whatever error might be occurring?

Aside: Is this sort of edit the right thing to do here? Or should I have killed the original question and asked this more specific one, or ... ?

Original Details

I'm working on breaking my CloudFormation templates into functional stacks. Not yet to the point of doing any nesting, just doing everything self contained. For my security-groups template, I have something very simple working, but when I start to add conditions, I start getting an "Unresolved resource dependencies ... in the Outputs block of the template". I don't think there are any typos, and that along with things having to do with nesting seem to be the most common problems I've seen in other questions similar to this.

The basic, working template looks like this:

---
AWSTemplateFormatVersion: 2010-09-09

Description: 'Create Security Groups'

Metadata:

  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: AWS Parameters
      Parameters:
        - SshAccessCidr
        - Vpc
    ParameterLabels:
      SshAccessCidr:
        default: SSH Access From
      Vpc:
        default: Vpc Id

Parameters:

  SshAccessCidr:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Description: The CIDR IP range that is permitted to SSH to bastion instance. Note - a value of 0.0.0.0/0 will allow access from ANY IP address.
    Type: String
    Default: 0.0.0.0/0
  Vpc:
    AllowedPattern: ^(vpc-)([a-z0-9]{8}|[a-z0-9]{17})$
    Description: The Vpc Id of an existing Vpc.
    Type: AWS::EC2::VPC::Id

Resources:

  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for Bastion instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SshAccessCidr
      VpcId:
        !Ref Vpc

  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for RDS Databases
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          CidrIp: 10.0.0.0/20
      VpcId:
        !Ref Vpc

Outputs:
  BastionSecurityGroup:
    Value: !Ref BastionSecurityGroup
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", BastionSecurityGroup ] ]
  DatabaseSecurityGroup:
    Value: !Ref DatabaseSecurityGroup
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", DatabaseSecurityGroup ] ]

and like I said, works great!

But, when I start to add conditions, it runs amok:

  AWS::CloudFormation::Interface:
    ParameterGroups:
...
    - Label:
        default: Optional security groups to create
      Parameters:
        - CreateMailSecGroup
    ParameterLabels:
...
      CreateMailSecGroup:
        default: Create a security group for mail servers

Parameters:
...
  CreateMailSecGroup:
    AllowedValues:
      - 'True'
      - 'False'
    Default: 'False'
    Description: Create a security group for use by mail servers
    Type: String

Conditions:

  WantsMail: !Equals ['True', !Ref CreateMailSecGroup]
  WantsNothing: !Not [ !Equals ['True', !Ref CreateMailSecGroup] ]

Resources:

  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: WantsMail
    Properties:
      GroupDescription: Security group for RDS Databases
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref MailSecurityGroup
      VpcId:
        !Ref Vpc

  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: WantsNothing
    Properties:
      GroupDescription: Security group for RDS Databases
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          CidrIp: 10.0.0.0/20
      VpcId:
        !Ref Vpc

  MailSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: WantsMail
    Properties:
      GroupDescription: Security group for MX Servers
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref BastionSecurityGroup
        - IpProtocol: tcp
          FromPort: 25
          ToPort: 25
          CidrIp: 0.0.0.0/0
...
      VpcId:
        !Ref Vpc

Outputs:
...
  DatabaseSecurityGroup:
    Description: Security group for RDS database access
    Value: !Ref DatabaseSecurityGroup
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", DatabaseSecurityGroup ] ]
  MailSecurityGroup:
    Condition: WantsMail
    Description: Security group for MX servers
    Value: !Ref MailSecurityGroup
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", MailSecurityGroup ] ]

Now, if I make those changes, and do a update stack on the current (functioning) stack, and leave the new parameter CreateMailSecGroup at its default value of False, it does the right thing and says "nothing to change" after parsing the template. But if I change it to True, it complains with

Unresolved resource dependencies [DatabaseSecurityGroup] in the Outputs block of the template

in the change set preview.

My initial suspicion was that, now that the DatabaseSecurityGroup is conditional, it must want a matching condition in the Outputs block, so I tried

Conditions:

  WantsMail: !Equals ['True', !Ref CreateMailSecGroup]
  WantsNothing: !Not [ !Equals ['True', !Ref CreateMailSecGroup] ]
  OutputDatabase: !Or [ Condition: WantsMail, Condition: WantsNothing ]
...
Outputs:
  DatabaseSecurityGroup:
    Condition: OutputDatabase
    Description: Security group for RDS database access
    Value: !Ref DatabaseSecurityGroup
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", DatabaseSecurityGroup ] ]

No dice. Same error.

My last guess was that maybe the DatabaseSecurityGroup wasn't actually getting processed with the True condition because of some weird ordering phenomenon, so I tried adding DependsOn: MailSecurityGroup, but that didn't fix it either.

I'm really hoping this isn't a silly typo. Anyone have any ideas what I'm doing wrong? The condition stuff for the MailSecurityGroup doesn't seem to be throwing any errors, but I'm not sure if that's because there isn't an error, or because it got stopped at the outputs section of the DatabaseSecurityGroup and never got to the final one.

Thanks!