- Can you use OS::Neutron::Firewall instead of AWS::EC2::SecurityGroup? In general we expect users to use either the native Neutron resources (recommended), or the AWS-compatible VPC resources if portability with CFN is a concern.
Edit:
Yes, OS::Neutron::Firewall provides perimeter firewall functionality, but I was thinking it could possibly solve your use-case as follows (disclaimer: I'm not a Neutron expert):
- Modify the default security group for the project/tenant to allow the traffic required.
- Connect all instances to a Neutron subnet, which routes via a Neutron router to your external network.
- Configure the Neutron FWaaS on the router via OS::Neutron::Firewall to enforce the rules required outside the private subnet between instances/stacks.
If you define the VpcId property of the AWS::EC2::SecurityGroup, Ref returns the security group ID, not the name. Does this solve your problem?
Edit: Re VpcId, you could use AWS::EC2::VPC to create the network/router and pass that into the security group, but just setting the VpcId property on AWS::EC2::SecurityGroup makes it use the Neutron security group API instead of the Nova one, which is probably what you want in this case.
I agree, it's not a clean interface - what we probably need is a heat-native OS::Neutron::SecurityGroup resource.
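The layout sketched in the answer above (private subnet behind a Neutron router, FWaaS policy on the router, Neutron-backed security group for traffic between instances), written out as a single HOT template. This is an added example, not a template from the original thread or from the Heat project; the `external_network` parameter, the CIDRs and the SSH/HTTP rule set are constructed sample values, and which routers a FWaaS v1 firewall attaches to depends on the Neutron release (the assumption here is the original tenant-wide behaviour).

```yaml
heat_template_version: 2013-05-23

description: >
  Added example (not from the original answer): a private subnet routed
  through a Neutron router, a FWaaS policy enforcing the perimeter rules on
  that router, and an AWS::EC2::SecurityGroup with VpcId set so Heat uses the
  Neutron security group API and Ref returns the group ID.

parameters:
  external_network:
    type: string
    description: Name or ID of the provider/external network (assumed to exist)
  admin_cidr:
    type: string
    description: Address range allowed to reach SSH from outside (constructed sample)
    default: 10.0.0.0/8

resources:
  private_net:
    type: OS::Neutron::Net

  private_subnet:
    type: OS::Neutron::Subnet
    properties:
      network_id: { get_resource: private_net }
      cidr: 192.168.10.0/24    # constructed sample range
      ip_version: 4

  router:
    type: OS::Neutron::Router
    properties:
      external_gateway_info:
        network: { get_param: external_network }

  router_iface:
    type: OS::Neutron::RouterInterface
    properties:
      router_id: { get_resource: router }
      subnet_id: { get_resource: private_subnet }

  # Perimeter rules evaluated in order: permit SSH only from the admin range,
  # then deny everything else crossing the router.
  allow_ssh_from_admin:
    type: OS::Neutron::FirewallRule
    properties:
      protocol: tcp
      action: allow
      destination_port: 22
      source_ip_address: { get_param: admin_cidr }

  deny_all:
    type: OS::Neutron::FirewallRule
    properties:
      protocol: any
      action: deny

  perimeter_policy:
    type: OS::Neutron::FirewallPolicy
    properties:
      firewall_rules:
        - { get_resource: allow_ssh_from_admin }
        - { get_resource: deny_all }

  perimeter_firewall:
    type: OS::Neutron::Firewall
    properties:
      firewall_policy_id: { get_resource: perimeter_policy }

  # Traffic between instances inside the private subnet. Setting VpcId makes
  # Heat create a Neutron security group rather than a Nova one, so
  # get_resource/Ref yields the security group ID instead of its name.
  instance_sg:
    type: AWS::EC2::SecurityGroup
    properties:
      GroupDescription: Allow HTTP between instances on the private subnet
      VpcId: { get_resource: private_net }
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 192.168.10.0/24

outputs:
  security_group_id:
    description: Neutron security group ID to attach to instances in this stack
    value: { get_resource: instance_sg }
```

The two layers do different jobs: the FWaaS policy on the router only sees north-south traffic leaving or entering the subnet, so the deny-all rule there does not restrict instances talking to each other; that east-west traffic is governed by the security group, which is why both resources appear in the same stack.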