Security Group and Subnet Belongs to different networks
If anyone using Terraform got here, I had a similar error message and what ended up happening was the following:
variable "name" {}
locals {
vpc_id = "..."
subnet_id = "..."
}
resource "aws_instance" "web" {
ami = "ami-09def150731bdbcc2"
instance_type = "t3.micro"
vpc_security_group_ids = ["${aws_security_group.allow_http.id}"]
user_data = <<-EOF
#!/bin/bash
sudo amazon-linux-extras install nginx1.12 -y
sudo nginx
EOF
tags {
Name = "${var.name}"
}
}
resource "aws_security_group" "allow_http" {
description = "Allow inbound HTTP traffic for ${var.name} instance"
vpc_id = "${local.vpc_id}"
ingress {
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
The subnet I was deploying into didn't have auto assign public IPs enabled. As such, I updated the aws_instance to include the subnet_id and associate_public_ip_address:
resource "aws_instance" "web" {
ami = "ami-09def150731bdbcc2"
instance_type = "t3.micro"
subnet_id = "${local.subnet_id}"
vpc_security_group_ids = ["${aws_security_group.allow_http.id}"]
associate_public_ip_address = true
user_data = <<-EOF
#!/bin/bash
sudo amazon-linux-extras install nginx1.12 -y
sudo nginx
EOF
tags {
Name = "${var.name}"
}
}
After which, everything worked.
I got the above problem resolved by the pointers provided in comments, The relation between subnet VPC, Security-Groups and EC2 instance are as below -
1st thing which gets and should be created is VPC
2nd is the Subnet here you mention the VpcId you created earlier
3rd You create security groups here you mention the VpcId you created earlier as well.
4th There is a property NetworkInterfaces where you provide SubnetId and GroupSet which is an array of security group ids and this is where you define the relation between the security group, vpc and subnet and this is what solved the problem.
Below is the sample template which actually worked -
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"DevServerKeyPair": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
}
},
"Resources": {
"DevVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "172.31.0.0/16",
"EnableDnsSupport": "false",
"EnableDnsHostnames": "false",
"InstanceTenancy": "dedicated",
"Tags": [
{
"Key": "Name",
"Value": "DevStackVpc"
}
]
}
},
"DevSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "DevVpc"
},
"CidrBlock": "172.31.0.0/16",
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
}
}
},
"WebApplicationServerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "DevVpc"
},
"GroupDescription": "Enable HTTP, HTTPS and SSH access",
"Tags": [
{
"Key": "Name",
"Value": "WebApplicationServer Service Group"
}
],
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"WebApplicationServer": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-f3e5aa9c",
"InstanceType": "t2.micro",
"Tags": [
{
"Key": "Name",
"Value": "WebApplicationServer"
}
],
"KeyName": {
"Ref": "DevServerKeyPair"
},
"NetworkInterfaces": [
{
"SubnetId": {"Ref": "DevSubnet"},
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"GroupSet": [{ "Ref" : "WebApplicationServerSG" }]
}
]
}
}
}
}
Hope it helps someone looking into similar problem.