The parameter groupName cannot be used with the parameter subnet

Lately I’ve been getting “The parameter groupName cannot be used with the parameter subnet “ when trying to cloudform an EC2 instance.

my template does not have a parameter called groupName in it!?!

On the net I’ve found:

which sort of says that there is a bug in boto!?  I’m not using boto however, but apparently the fix was:

“The part that makes the request invalid is that there is an underscore in the security group: sg_123123 instead of sg-123123. ”

My securitygroup names don’t have underscores in them.  Back to the drawing board I went.

I tried removing the Subnet declartion in the parameters.  No go.

I tried making SecurityGroups = SecurityGroupIDs instead. No go.

I note :

With the answer being:

This is due to how a security group is associated with an instance.

Without a subnet it is OK to associate it using the security group’s name:

<code>resource "aws_instance" "server" {
  security_groups = [ "${}" ]

But if a subnet is also associated you cannot use the name, but should use the security group’s ID:

<code>security_groups = [ "${}" ]
subnet_id = "${}"

Assuming you’ve created a security group name group_name, and a subnet named subnet_name

My template was:

“SubnetId”: { “Ref”: “Subnet1” },
“SecurityGroups” : [ {“Ref” : “ManagementServerSecurityGroup”} ]

As before, even changing SecurityGroups to SecurityGroupID wasn’t a resolution so something else was wrong as I’ve not directly referred to any .name or .id :\

SubnetID is defined as a parameter to input off the template:

        “Subnet1”: {
“Description”: “Subnet For MGMT1”,
“Type”: “AWS::EC2::Subnet::Id”

while the Security group is being created fresh:

        “ManagementServerSecurityGroup” : {
“Type” : “AWS::EC2::SecurityGroup”,
“Properties” : {
“GroupDescription” : “Enable HTTP and RDP”,
“SecurityGroupIngress” : [
{“IpProtocol” : “tcp”, “FromPort” : “3389”, “ToPort” : “3389”, “CidrIp” : “”}

so somewhere in here lies the issue.  if both need to be defined as IDs when using the subnet and the security group together well it looks like my subnet declaration is an ID. so thats good. using SecurityGroupIds was probably the best idea.

Amazon reference documentation states:


Valid only for Amazon EC2 security groups. A list that contains the Amazon EC2 security groups to assign to the Amazon EC2 instance. The list can contain both the name of existing Amazon EC2 security groups or references to AWS::EC2::SecurityGroup resources created in the template.

Required: No

Type: List of strings

Update requires: Replacement.

So surely using:

“SubnetId”: { “Ref”: “Subnet1” },

“SecurityGroupIds” : [ {“Ref” : “ManagementServerSecurityGroup”} ]

would work? Negative.

Further searching yeilds this :

Similar issue to me.

Decided to move the security group BEFORE the subnet and removing the []’ from it..  Bad idea. got error : “Value of property SecurityGroupIds must be of type List of String”. Fixed that but it is still failing.


Ok so I ditched the creation of the security group and made it list the security groups in the cloud template parameters as the SG I really want should already be created.  this actually worked. sigh.



Leave a Reply