Add a parameterized list of security groups to ano

Published 2019-06-08 19:53

Question:

I'd like to create a CloudFormation template that creates a security group resource that allows ingress from a variable list of other security groups. The template would take a parameter of type List<AWS::EC2::SecurityGroup::Id>. I'll name this parameter SourceSecurityGroupIds for this example. Then, it would create a security group resource using something like:

{
    "LogServerSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "XYZ security group",
            "VpcId": "vpc-abcxyz",
            "SecurityGroupIngress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 1234,
                    "ToPort": 1234,
                    "SourceSecurityGroupId": { "Ref": "SourceSecurityGroupIds" }
                }
            ]
        }
    }
}

Of course, the SourceSecurityGroupId property of SecurityGroupIngress doesn't take a list. Is there a way to make this work?

Update - Feb 27, 2019

In retrospect, the correct way to do this is to create a LogSourceSecurityGroup, and allow ingress only from that security group. Then, add that security group to any EC2 instance, etc that should be able to communicate with the log server.

Answer 1:

I know it's late, so you've already figured it out, but I just ran into this same issue and I was able to fix it. You need to create a "Security Group Ingress" resource that will add the rule to an existing security group, so it would be like:

{
    "LogServerSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "XYZ security group",
            "VpcId": "vpc-abcxyz"
        }
    },
    "LogServerSecurityGroupIngress": {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": {
            "GroupId": { "Ref": "LogServerSecurityGroup" },
            "IpProtocol": "tcp",
            "FromPort": "1234",
            "ToPort": "1234",
            "SourceSecurityGroupId": { "Ref": "SourceSecurityGroupIds" }
        }
    }
}

You can find more information here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html#cfn-ec2-security-group-ingress-groupid
Answer 2:

The SecurityGroupIngress parameter above is an array/list, so define multiple ingress rules there.

e.g:

  "SecurityGroupIngress": [
    {
      "IpProtocol": "tcp",
      "FromPort": 1234,
      "ToPort": 1234,
      "SourceSecurityGroupId": "sg-12345"
    },
    {
      "IpProtocol": "tcp",
      "FromPort": 1234,
      "ToPort": 1234,
      "SourceSecurityGroupId": "sg-abcde"
    },
    {
      "IpProtocol": "tcp",
      "FromPort": 1234,
      "ToPort": 1234,
      "SourceSecurityGroupId": "sg-54321"
    }
  ]
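Both answers above hard-code the number of source groups: answer 1 attaches a single separate AWS::EC2::SecurityGroupIngress resource, answer 2 lists the rules inline. Since SourceSecurityGroupId takes exactly one group ID and a plain CloudFormation template (without a transform) cannot iterate over a List parameter, the practical way to handle a variable number of sources is to generate the template outside CloudFormation. The script below is an added example, not code from the original question or answers: it emits one AWS::EC2::SecurityGroupIngress resource per source group (answer 1's approach repeated per element), validates the group IDs first, and includes a small check that walks both inline and separate rules to flag anything wider than the single port or open to 0.0.0.0/0. The resource names, the port, the VPC ID and the sample group IDs are assumptions made for illustration.

```python
"""
Generate a CloudFormation template (JSON) that allows ingress to a log-server
security group from an arbitrary number of source security groups.

Added example, not the original post's code. One AWS::EC2::SecurityGroupIngress
resource is emitted per source group and attached to the target group via
GroupId.  Resource names, port and sample IDs below are assumptions.
"""
import json
import re

# Real security group IDs are "sg-" followed by 8 or 17 lowercase hex digits.
SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8}(?:[0-9a-f]{9})?$")


def validate_sg_ids(sg_ids):
    """Return the de-duplicated IDs in input order, or raise on a malformed one."""
    seen = []
    for sg_id in sg_ids:
        if not SG_ID_RE.match(sg_id):
            raise ValueError(f"not a security group ID: {sg_id!r}")
        if sg_id not in seen:
            seen.append(sg_id)
    return seen


def logical_id(prefix, sg_id):
    """CloudFormation logical IDs must be alphanumeric, so drop the 'sg-' part."""
    return prefix + sg_id.split("-", 1)[1].upper()


def build_template(vpc_id, source_sg_ids, port, description="Log server"):
    """Build the template dict: one target group plus one ingress resource per source."""
    resources = {
        "LogServerSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": description,
                "VpcId": vpc_id,
                # No inline SecurityGroupIngress: rules are separate resources
                # below, so the number of sources is not fixed in the template.
            },
        }
    }
    for sg_id in validate_sg_ids(source_sg_ids):
        resources[logical_id("IngressFrom", sg_id)] = {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Ref": "LogServerSecurityGroup"},
                "IpProtocol": "tcp",
                "FromPort": port,
                "ToPort": port,
                "SourceSecurityGroupId": sg_id,
            },
        }
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def ingress_sources(template):
    """List (source, from_port, to_port) for every ingress rule, inline or separate."""
    found = []
    for res in template["Resources"].values():
        props = res["Properties"]
        rules = []
        if res["Type"] == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res["Type"] == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        for rule in rules:
            src = rule.get("SourceSecurityGroupId") or rule.get("CidrIp")
            found.append((src, rule["FromPort"], rule["ToPort"]))
    return found


def check_least_privilege(template, port):
    """Report rules that open more than the one port, or open it to the internet."""
    problems = []
    for src, lo, hi in ingress_sources(template):
        if (int(lo), int(hi)) != (port, port):
            problems.append(f"port range {lo}-{hi} wider than {port}")
        if isinstance(src, str) and src.endswith("/0"):
            problems.append(f"world-open source {src}")
    return problems


if __name__ == "__main__":
    # Constructed sample input: made-up source group IDs, one repeated.
    sample = ["sg-0123abcd", "sg-0123abcd", "sg-aaaaaaaa", "sg-0abc0123456789def"]
    template = build_template("vpc-abcxyz", sample, 1234)
    print(json.dumps(template, indent=2))
    print(check_least_privilege(template, 1234) or "ok")
```

Run it and pipe the output into a file to deploy with the usual create-stack / deploy commands; because the source IDs are baked in at generation time, re-run the script and update the stack whenever the set of allowed sources changes. The check function is worth keeping in a CI step so that a later edit cannot silently widen the port range or add a CidrIp of 0.0.0.0/0 to the log server's group.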