I have a circular dependency problem. I'm trying to create a security group for an autoscaling group that allows traffic to an RDS MySQL DB instance. Similarly, I want to create a security group for the RDS instance that allows traffic from the autoscaling group, but they both depend on each other. What might be the best way to solve it?

```yaml
AutoscalingSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupDescription: Security group for autoscaling
    VpcId: !Ref VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        SourceSecurityGroupId: !Ref RDSSecurityGroup
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        # egress rules take DestinationSecurityGroupId, not SourceSecurityGroupId
        DestinationSecurityGroupId: !Ref RDSSecurityGroup
RDSSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupDescription: Security group for RDS instance
    VpcId: !Ref VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        SourceSecurityGroupId: !Ref AutoscalingSecurityGroup
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        # same here: egress rules use DestinationSecurityGroupId
        DestinationSecurityGroupId: !Ref AutoscalingSecurityGroup
```
Any ideas on how I'd solve it? TIA

The previous answer has GroupId & Source/DestinationSecurityGroupId mixed up. I also think the security group rules can be simplified. Security groups are stateful, and thus the return traffic is allowed by default. So, the above rules can be simplified as below.
```yaml
AutoscalingSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupDescription: Security group for autoscaling
    VpcId: !Ref VPC
RDSSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupDescription: Security group for RDS instance
    VpcId: !Ref VPC
# Standalone rule resources reference both groups, so neither group
# has to reference the other inline and the cycle disappears.
RDSSecurityGroupIngress:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref RDSSecurityGroup
    IpProtocol: tcp
    FromPort: 3306
    ToPort: 3306
    SourceSecurityGroupId: !Ref AutoscalingSecurityGroup
AutoscalingSecurityGroupEgress:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: !Ref AutoscalingSecurityGroup
    IpProtocol: tcp
    FromPort: 3306
    ToPort: 3306
    DestinationSecurityGroupId: !Ref RDSSecurityGroup
```
Alternatively, it can be further simplified as follows.

```yaml
AutoscalingSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupDescription: Security group for autoscaling
    VpcId: !Ref VPC
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        # inline egress rules use DestinationSecurityGroupId
        DestinationSecurityGroupId: !Ref RDSSecurityGroup
RDSSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupDescription: Security group for RDS instance
    VpcId: !Ref VPC
# Only the RDS side needs a standalone resource: the autoscaling group's
# egress rule is inline, and the RDS group itself references nothing.
RDSSecurityGroupIngress:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref RDSSecurityGroup
    IpProtocol: tcp
    FromPort: 3306
    ToPort: 3306
    SourceSecurityGroupId: !Ref AutoscalingSecurityGroup
```
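A way to catch this cycle before deploying, as an added example rather than code from the question or the answer: a small Python check that follows the Ref links between a template's resources and reports any loop. The templates are constructed inline in CloudFormation's JSON form ({"Ref": "X"} in place of !Ref X), with VpcId and descriptions omitted.

```python
# Added example (not from the question or answer): find circular Ref dependencies
# in a CloudFormation template. Templates are constructed inline in JSON form.
def mysql_from(source):
    """TCP/3306 rule admitting traffic from the named security group."""
    return {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "SourceSecurityGroupId": {"Ref": source}}

def sg(**props):
    """Inline AWS::EC2::SecurityGroup (VpcId and description omitted)."""
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": props}

# Constructed: the asker's template, each group referring to the other.
CIRCULAR = {
    "AutoscalingSecurityGroup": sg(SecurityGroupIngress=[mysql_from("RDSSecurityGroup")]),
    "RDSSecurityGroup": sg(SecurityGroupIngress=[mysql_from("AutoscalingSecurityGroup")]),
}
# Constructed: the answer's fix, rule moved to a standalone Ingress resource.
FIXED = {
    "AutoscalingSecurityGroup": sg(),
    "RDSSecurityGroup": sg(),
    "RDSSecurityGroupIngress": {"Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": dict(mysql_from("AutoscalingSecurityGroup"),
                           GroupId={"Ref": "RDSSecurityGroup"})},
}

def refs(node):
    """Yield every logical ID referenced via {"Ref": ...} anywhere below node."""
    if isinstance(node, dict) and set(node) == {"Ref"}:
        yield node["Ref"]
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from refs(v)

def dependency_cycles(resources):
    """Return each Ref cycle among resources as a list of logical IDs."""
    graph = {n: sorted(set(refs(r.get("Properties", {}))) & set(resources))
             for n, r in resources.items()}
    cycles, path, done = [], [], set()
    def visit(node):
        if node in path:                      # back edge: closes a cycle
            cycles.append(path[path.index(node):] + [node])
        elif node not in done:
            path.append(node)
            for dep in graph[node]:
                visit(dep)
            path.pop()
            done.add(node)
    for node in graph:                        # CloudFormation rejects any cycle
        visit(node)
    return cycles
```

One caveat when choosing between the two variants in the answer: a standalone AWS::EC2::SecurityGroupEgress resource does not remove the group's default allow-all egress rule, whereas an inline SecurityGroupEgress property on the AWS::EC2::SecurityGroup does, so only the inline form actually restricts the autoscaling group's outbound traffic to port 3306.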