Question

I have a rather annoying issue which I am unable to resolve

The following cut down example works in which I am able to reference a parameter and assign the security groups to my instance via the SecurityGroupIds property:

"Parameters" : {
      "pDefaultSg" : {
        "Description" : "AWS2 VPC default security groups",
        "Type" : "List<AWS::EC2::SecurityGroup::Id>",
        "Default" : "sg-245xxxxx,sg-275xxxxx,sg-235xxxxx" 
      }
    }

    "Resources" : {
      "ec2Instance" : {
        "Type" : "AWS::EC2::Instance",
        "Properties" : {
        "SecurityGroupIds" : { "Ref" : "pDefaultSg" } 
      }
}

The issue begins when I also want to add a second value to the SecurityGroupIds property referencing a security group resource instantiated within the same template:

"Resources" : {
    "ec2Instance" : { ...
        "SecurityGroupIds" : [ { "Ref" : "pDefaultSg" }, { "Fn::GetAtt" : "sgDb", "GroupId" } ],
    ....  

    "sgDb" : {
        "Type" : "AWS::EC2::SecurityGroup",
        "Properties" : { ...

I am then unable to avoid the following error causing the Cloudformation stack to rollback:

Value of property SecurityGroupIds must be of type List of String

Answer 1

The issue is that when pDefaultSg is accessed via the Ref intrinsic function it returns a list, therefore your SecurityGroupIds Property looks like

[["sg-245xxxxx","sg-275xxxxx","sg-235xxxxx"],"sg-1234DB"]

The solution is to change your SecurityGroupIds Property to Fn::Join the pDefaultSg List to a comma separated string followed by the sgDb:

"SecurityGroupIds": [ 
  {"Fn::Join": 
    [",", 
      {"Ref": "pDefaultSg"}
    ]
  }, 
  { "Fn::GetAtt" : ["sgDb", "GroupId"] } 
]