_This issue was originally opened by @sujoy-chatterjee as hashicorp/terraform#18520. It was migrated here as a result of the provider split. The original body of the issue is below._
Terraform v0.11.7 + provider.aws v1.27.0
```hcl
provider "aws" {
  access_key = "blank"
  secret_key = "blank"
  region     = "us-east-1"
}

resource "aws_security_group" "my_security_group" {
  name        = "my_security_group"
  description = "allow ssh access and mongo datasource access"
  vpc_id      = "${aws_vpc.my_vpc.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 27017
    to_port     = 27017
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name = "my_security_group"
  }
}

resource "aws_vpc" "my_vpc" {
  cidr_block = "172.32.0.0/16"

  tags {
    Name = "my_vpc"
  }
}

resource "aws_subnet" "my_subnetA" {
  vpc_id                  = "${aws_vpc.my_vpc.id}"
  cidr_block              = "172.32.4.0/16"
  map_public_ip_on_launch = "true"

  tags {
    Name = "my_subnetA"
  }
}

resource "aws_eip" "lb" {
  instance = "${aws_instance.my_instance.id}"
  vpc      = true
}

resource "aws_instance" "my_instance" {
  ami                         = "ami-cfe4b2b0"
  instance_type               = "t2.micro"
  associate_public_ip_address = true
  security_groups             = ["my_security_group"]
  key_name                    = "MY-KEY"
  vpc_security_group_ids      = ["${aws_security_group.my_security_group.id}"]
  subnet_id                   = "${aws_subnet.my_subnetA.id}"

  tags {
    Name = "my_instance"
  }
}

output "ip" {
  value = "${aws_instance.my_instance.public_ip}"
}
```
```text
Terraform will perform the following actions:

  ~ aws_eip.lb
      instance:                        "" => "${aws_instance.my_instance.id}"

-/+ aws_subnet.mongo_subnetA (new resource required)
      id:                              "subnet-59f78356" => <computed>
      assign_ipv6_address_on_creation: "false" => "false"
      availability_zone:               "us-east-1f" => <computed>
      cidr_block:                      "172.32.0.0/16" => "172.32.4.0/16" (forces new resource)
      ipv6_cidr_block:                 "" => <computed>
      ipv6_cidr_block_association_id:  "" => <computed>
      map_public_ip_on_launch:         "true" => "true"
      tags.%:                          "1" => "1"
      tags.Name:                       "my_subnetA" => "my_subnetA"
      vpc_id:                          "vpc-7ef73604" => "vpc-7ef73604"

Error: Error applying plan:

1 error(s) occurred:

* aws_instance.mongo: 1 error(s) occurred:

* aws_instance.mongo: Error launching source instance: InvalidGroup.NotFound: The security group 'my_security_group' does not exist in VPC 'vpc-7ef73604'
	status code: 400, request id: 49d26a4b-8f88-4b7e-b3d9-730831eccb58

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
```
The instance should have been created in the newly created VPC with my new security group (my_security_group) rules within my defined subnet.
```text
Error: Error applying plan:

1 error(s) occurred:

* aws_instance.mongo: 1 error(s) occurred:

* aws_instance.mongo: Error launching source instance: InvalidGroup.NotFound: The security group 'my_security_group' does not exist in VPC 'vpc-7ef73604' <-- This is the id of the newly created VPC
	status code: 400, request id: 49d26a4b-8f88-4b7e-b3d9-730831eccb58
```
None
Similar issues in GitHub are:
- Unable to create instance with VPC using vpc_security_group_ids (hashicorp/terraform#5486)
- resource/aws_instance: vpc_security_group_ids always showing update (hashicorp/terraform#1993)
(For 1993, I am using the non-default VPC with non-default subnet and using vpc_security_group_ids, but it still does not work.)
Hi @sujoy-chatterjee 👋 , sorry you are running into trouble here.
I noticed in your configuration above these two conflicting arguments within the aws_instance resource configuration:
```hcl
security_groups = ["my_security_group"]
...
vpc_security_group_ids = ["${aws_security_group.my_security_group.id}"]
```
The security_groups argument should only need to be declared when you're working with EC2-Classic and potentially the default VPC. As it appears you are working with a non-default VPC, you should probably remove the security_groups argument.
I am not sure if it's an oversight or if there is some reasoning why the resource does not have the two attributes marked so only one of them can be defined at a time (ConflictsWith in the schema).
Can you please confirm if removing security_groups solves your issue? Thanks.
Hi Brian,
Thanks for getting back to me so promptly.
I can surely remove those config line items and I think it will work. However, what will not work is the instance being a part of the newly created security group.
The instance still points to the default security group which does not have all the rules which I have setup in my new security group. The new security group is purposeful and intentional as well.
Any help in this case will be appreciated.
Many thanks.
Kind regards,
Suj
@sujoy-chatterjee you only need to remove security_groups. You can leave vpc_security_group_ids with its custom security group. It should only have the custom security group when applied.
@sujoy-chatterjee did adjusting your configuration to remove security_groups resolve this issue?
Closing due to lack of response.
@bflad I'm hitting this same issue but I'm using vpc_security_group_ids.
My code is here:
https://gist.github.com/qnordic/d431c7a5486ebe3479829ba76caee61d
@qnordic in my case this error was due to missing 'subnet_id' in the 'aws_instance' resource settings
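Combining the two fixes given in this thread (drop the name-based `security_groups` argument, keep `vpc_security_group_ids`, and set `subnet_id`), the following is an added example of a corrected configuration; it is not from the original issue or the provider's own code, and the narrowed admin CIDR and the /24 subnet are assumptions, not values from the report.

```hcl
# Added example, not from the original issue. In a non-default VPC the instance
# must reference its security group by ID (vpc_security_group_ids); security_groups
# takes *names* and is resolved against EC2-Classic / the default VPC, which is why
# the name lookup produced InvalidGroup.NotFound in the newly created VPC.
resource "aws_vpc" "my_vpc" {
  cidr_block = "172.32.0.0/16"
}

resource "aws_subnet" "my_subnetA" {
  vpc_id                  = "${aws_vpc.my_vpc.id}"
  cidr_block              = "172.32.4.0/24"   # assumed: a /24 carved out of the VPC's /16
  map_public_ip_on_launch = true
}

resource "aws_security_group" "my_security_group" {
  name        = "my_security_group"
  description = "ssh and mongo from the admin range only"
  vpc_id      = "${aws_vpc.my_vpc.id}"   # group lives in the custom VPC

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]   # assumed admin range (TEST-NET-3) instead of 0.0.0.0/0
  }

  ingress {
    from_port   = 27017
    to_port     = 27017
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]   # assumed: do not expose MongoDB to the internet
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "my_instance" {
  ami           = "ami-cfe4b2b0"
  instance_type = "t2.micro"
  key_name      = "MY-KEY"

  # subnet_id places the instance in the custom VPC; vpc_security_group_ids attaches
  # the custom group by ID, so the instance no longer falls back to the default group.
  subnet_id              = "${aws_subnet.my_subnetA.id}"
  vpc_security_group_ids = ["${aws_security_group.my_security_group.id}"]
  # removed: security_groups = ["my_security_group"]  (name-based, conflicts with the above)
}
```

After `terraform apply`, the instance's security group list should contain only the custom group, as noted earlier in the thread.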
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!