Reference SecurityGroup from another cloudformation template inside VPC

I have a VPC (created via cloudformation) which creates some common shared infrastructure for all stacks created in that VPC, e.g. ssh jumphost and a security group for the ssh jumphost.

I have a separate cloudformation template to create stacks of Web+App+DB inside the existing VPC.

How do I allow inbound ssh 22 to my instances in my stack template from the common ssh jumphost defined in the first template?

According to the docs, inside a VPC I need to specify SourceSecurityGroupId, which must have either the actual VPC ID or use a Ref function to find the ID of a Security Group defined in this template.

How can I reference an existing SG inside the same VPC but from another template?

EDIT:

Same question for outbound via a NAT instance. NAT instance is provided at VPC level, but each stack needs its security group to allow outbound access to just the NAT Instance.

deitch asked Jun 18 '14 00:06
1 Answer

Update: This has changed since my original answer. See also the answer below by Vor that suggests using custom resources and Lambda to allow cross-stack references.

Original Answer

There is no support to refer to resources from another stack so you cannot use Ref(). You can use SourceSecurityGroupId (as you suggested) and pass it as a parameter, and/or you can use SourceSecurityGroupName. But Cloudformation can't programmatically refer to the other stack.

I like to write Cloudformation templates using Python, boto and the troposphere library to work around problems like this in code.

Ben Whaley answered Oct 24 '22 22:10
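The parameter-passing approach from the answer, as an added example that is not from the question, the answer, or AWS: a Python script that builds the per-stack template as a plain dict (no troposphere dependency) and checks that every security-group reference resolves to something the template actually declares. The parameter names (`VpcId`, `JumphostSecurityGroupId`, `NatSecurityGroupId`) and the resource name `AppSecurityGroup` are assumptions; the resource types, parameter types and rule properties are the standard CloudFormation ones.

```python
import json

SG_ID_PARAM_TYPE = "AWS::EC2::SecurityGroup::Id"
SG_RESOURCE_TYPE = "AWS::EC2::SecurityGroup"


def build_stack_template():
    """Return the Web/App/DB stack template as a JSON-ready dict.

    The shared VPC stack cannot be Ref'd from here, so the jumphost and NAT
    security group IDs are taken as typed parameters (assumed names) and the
    operator passes the real sg-... values in at stack creation time.
    """
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Web/App/DB stack inside an existing VPC (constructed example)",
        "Parameters": {
            "VpcId": {"Type": "AWS::EC2::VPC::Id",
                      "Description": "ID of the existing shared VPC"},
            "JumphostSecurityGroupId": {
                "Type": SG_ID_PARAM_TYPE,
                "Description": "Security group of the shared ssh jumphost"},
            "NatSecurityGroupId": {
                "Type": SG_ID_PARAM_TYPE,
                "Description": "Security group of the shared NAT instance"},
        },
        "Resources": {
            "AppSecurityGroup": {
                "Type": SG_RESOURCE_TYPE,
                "Properties": {
                    "GroupDescription": "ssh only from the jumphost; egress only to the NAT SG",
                    "VpcId": {"Ref": "VpcId"},
                    # Inbound 22 is restricted to members of the jumphost SG,
                    # not to an IP range, so a replaced jumphost keeps working.
                    "SecurityGroupIngress": [{
                        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "SourceSecurityGroupId": {"Ref": "JumphostSecurityGroupId"},
                    }],
                    # Declaring SecurityGroupEgress replaces the default
                    # allow-all egress rule with only what is listed here.
                    "SecurityGroupEgress": [{
                        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                        "DestinationSecurityGroupId": {"Ref": "NatSecurityGroupId"},
                    } for port in (80, 443)],
                },
            },
        },
    }


def referenced_group_ids(template, resource_name):
    """Names Ref'd as Source/DestinationSecurityGroupId in one SG resource."""
    props = template["Resources"][resource_name]["Properties"]
    refs = set()
    for rule_list in ("SecurityGroupIngress", "SecurityGroupEgress"):
        for rule in props.get(rule_list, []):
            for field in ("SourceSecurityGroupId", "DestinationSecurityGroupId"):
                value = rule.get(field)
                if isinstance(value, dict) and "Ref" in value:
                    refs.add(value["Ref"])
    return refs


def check_sg_references(template):
    """Return a list of problems: every Ref used as a security group ID must be
    either a parameter of type AWS::EC2::SecurityGroup::Id or a security group
    resource declared in this same template. Anything else is a reference the
    stack cannot resolve (e.g. a name that only exists in the VPC stack)."""
    params = template.get("Parameters", {})
    resources = template["Resources"]
    problems = []
    for name, res in resources.items():
        if res["Type"] != SG_RESOURCE_TYPE:
            continue
        for ref in sorted(referenced_group_ids(template, name)):
            is_sg_param = params.get(ref, {}).get("Type") == SG_ID_PARAM_TYPE
            is_sg_resource = resources.get(ref, {}).get("Type") == SG_RESOURCE_TYPE
            if not (is_sg_param or is_sg_resource):
                problems.append(f"{name}: '{ref}' is not a security group parameter or resource")
    return problems


def render(template):
    """Serialize the template as JSON for the CloudFormation API / CLI."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    template = build_stack_template()
    for problem in check_sg_references(template):
        raise SystemExit(problem)
    print(render(template))
```

Have the VPC stack publish its jumphost and NAT security group IDs in its `Outputs` section, read them from `describe-stacks`, and pass them in with `aws cloudformation create-stack ... --parameters ParameterKey=JumphostSecurityGroupId,ParameterValue=sg-xxxx ParameterKey=NatSecurityGroupId,ParameterValue=sg-yyyy`; the `AWS::EC2::SecurityGroup::Id` parameter type makes CloudFormation reject a value that is not an existing group before anything is created. One caveat on the NAT half of the question: AWS documents that a rule which names another security group matches on the private IP addresses of the instances in that group, so it covers traffic addressed to the NAT instance itself; traffic addressed to an internet host and merely routed through the NAT instance has a different destination IP and should be tested against that rule rather than assumed to pass.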