为什么 Terraform 检测到子网的另一个 VPC 中的安全组?
Why does Terraform detect security group in another VPC to the subnet?
Terraform 计划工作正常,但是当 运行 terraform apply 我收到以下错误:
Security group sg-XXXXX and subnet subnet-Defaul1a belong to different
networks.
这是我要应用的 Terraform 代码:
variable "region" {
default = "eu-west-1"
}
variable "zones" {
type = "map"
default = {
"eu-west-1a" = "euw1-az2"
"eu-west-1b" = "euw1-az3"
"eu-west-1c" = "euw1-az1"
}
}
variable "default_kp" {
type = "string"
default = "ireland-dev-my_own_project-default-kp"
}
data "aws_ami" "ami_amazon" {
name_regex = "^amzn2-ami-hvm"
most_recent = true
owners = ["137112412989"]
filter {
name = "root-device-type"
values = ["ebs"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
filter {
name = "architecture"
values = ["x86_64"]
}
}
# VPC
resource "aws_vpc" "ireland-dev-my_own_project-main_vpc" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "ireland-dev-my_own_project-main_vpc"
environment = "dev"
application = "my_own_project-main"
}
}
# InternetGateway
resource "aws_internet_gateway" "ireland-dev-my_own_project-main_ig" {
vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
}
#Public Subnet's
resource "aws_subnet" "ireland-dev-my_own_project-sn-pub-1a" {
cidr_block = "10.0.10.0/24"
vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
availability_zone_id = "${var.zones.eu-west-1a}"
tags = {
Name = "ireland-dev-my_own_project-sn-pub-1a"
environment = "dev"
application = "my_own_project-main"
finality = "publishing"
}
}
# Route Table
resource "aws_route_table" "ireland-dev-my_own_project-main_route_table" {
vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.ireland-dev-my_own_project-main_ig.id}"
}
tags = {
Name = "ireland-dev-my_own_project-main_route_table"
environment = "dev"
application = "my_own_project-main"
finality = "publishing"
}
}
# Route Tables asotiation with Public Subnets
resource "aws_route_table_association" "ireland-dev-my_own_project-route_pub1a" {
route_table_id = "${aws_route_table.ireland-dev-my_own_project-main_route_table.id}"
subnet_id = "${aws_subnet.ireland-dev-my_own_project-sn-pub-1a.id}"
}
# Security Group's and Rules
resource "aws_security_group" "sg_local" {
vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
description = "IP Cristian Sacristan Home"
tags = {
Name = "ireland-dev-my_own_project-sg-cs_local"
env = "dev"
application = "my_own_project-main"
finality = "bastion"
}
}
resource "aws_security_group_rule" "sg-local-ssh-cs_home" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
security_group_id = "${aws_security_group.sg_local.id}"
cidr_blocks = ["8.8.8.8/32"] # MyIP
}
resource "aws_security_group" "sg_bastion" {
vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
description = "SG for bastion host"
tags = {
Name = "ireland-dev-my_own_project-sg-bastion"
env = "dev"
application = "my_own_project-main"
finality = "bastion"
}
}
# Instances
resource "aws_instance" "bastion" {
ami = "${data.aws_ami.ami_amazon.id}"
instance_type = "t2.micro"
availability_zone = "${aws_subnet.ireland-dev-my_own_project-sn-pub-1a.availability_zone}"
vpc_security_group_ids = ["${aws_security_group.sg_local.id}","${aws_security_group.sg_bastion.id}"]
key_name = "${var.default_kp}"
associate_public_ip_address = true
tags = {
Name = "ireland-dev-my_own_project-ec2ins-bastion"
env = "dev"
application = "my_own_project-main"
finality = "bastion"
}
}
完整的 apply 输出:
aws_vpc.ireland-dev-my_own_project-main_vpc: Creating...
aws_vpc.ireland-dev-my_own_project-main_vpc: Creation complete after 3s [id=vpc-AAAAAAAAAAAAA]
aws_internet_gateway.ireland-dev-my_own_project-main_ig: Creating...
aws_subnet.ireland-dev-my_own_project-sn-pub-1a: Creating...
aws_security_group.sg_bastion: Creating...
aws_subnet.ireland-dev-my_own_project-sn-pub-1a: Creation complete after 1s [id=subnet-AAAAAAAAAAA]
aws_internet_gateway.ireland-dev-my_own_project-main_ig: Creation complete after 1s [id=igw-AAAAAAAAAA]
aws_route_table.ireland-dev-my_own_project-main_route_table: Creating...
aws_security_group.sg_local: Creation complete after 1s [id=sg-AAAAA]
aws_security_group_rule.sg-local-ssh-cs_home: Creating...
aws_security_group.sg_bastion: Creation complete after 1s [id=sg-AAAAAA]
aws_instance.bastion: Creating...
aws_route_table.ireland-dev-my_own_project-main_route_table: Creation complete after 1s [id=rtb-AAAAAAAA]
aws_route_table_association.ireland-dev-my_own_project-route_pub1a: Creating...
aws_security_group_rule.sg-local-ssh-cs_home: Creation complete after 1s [id=sgrule-AAAAA]
aws_route_table_association.ireland-dev-my_own_project-route_pub1a: Creation complete after 0s [id=rtbassoc-AAAA]
Error: Error launching source instance: InvalidParameter: Security group sg-AAAAAAAAAAAAA and subnet subnet-AA belong to different networks.
status code: 400, request id: 6AAAAAA-AA-AAAA-AAAA-AAAAAAA
on main.tf line 135, in resource "aws_instance" "bastion":
135: resource "aws_instance" "bastion" {
您应该指定您希望实例所在的子网而不是可用性区域。
因为您指定了 availability_zone 而不是 subnet_id,所以 Terraform 已尝试将实例放入与默认 VPC 中的 AZ 匹配的子网中,而不是您尝试放置它的 VPC .
不幸的是,这是一个问题,因为 EC2 API 允许 EC2 Classic(预 VPC)帐户使用每个区域的默认 VPC 处理未指定子网的默认情况。
Terraform 计划工作正常,但是当 运行 terraform apply 我收到以下错误:
Security group sg-XXXXX and subnet subnet-Defaul1a belong to different networks.
这是我要应用的 Terraform 代码:
variable "region" {
default = "eu-west-1"
}
variable "zones" {
type = "map"
default = {
"eu-west-1a" = "euw1-az2"
"eu-west-1b" = "euw1-az3"
"eu-west-1c" = "euw1-az1"
}
}
variable "default_kp" {
type = "string"
default = "ireland-dev-my_own_project-default-kp"
}
data "aws_ami" "ami_amazon" {
name_regex = "^amzn2-ami-hvm"
most_recent = true
owners = ["137112412989"]
filter {
name = "root-device-type"
values = ["ebs"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
filter {
name = "architecture"
values = ["x86_64"]
}
}
# VPC
resource "aws_vpc" "ireland-dev-my_own_project-main_vpc" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "ireland-dev-my_own_project-main_vpc"
environment = "dev"
application = "my_own_project-main"
}
}
# InternetGateway
resource "aws_internet_gateway" "ireland-dev-my_own_project-main_ig" {
vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
}
#Public Subnet's
resource "aws_subnet" "ireland-dev-my_own_project-sn-pub-1a" {
cidr_block = "10.0.10.0/24"
vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
availability_zone_id = "${var.zones.eu-west-1a}"
tags = {
Name = "ireland-dev-my_own_project-sn-pub-1a"
environment = "dev"
application = "my_own_project-main"
finality = "publishing"
}
}
# Route Table
resource "aws_route_table" "ireland-dev-my_own_project-main_route_table" {
vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.ireland-dev-my_own_project-main_ig.id}"
}
tags = {
Name = "ireland-dev-my_own_project-main_route_table"
environment = "dev"
application = "my_own_project-main"
finality = "publishing"
}
}
# Route Tables asotiation with Public Subnets
resource "aws_route_table_association" "ireland-dev-my_own_project-route_pub1a" {
route_table_id = "${aws_route_table.ireland-dev-my_own_project-main_route_table.id}"
subnet_id = "${aws_subnet.ireland-dev-my_own_project-sn-pub-1a.id}"
}
# Security Group's and Rules
resource "aws_security_group" "sg_local" {
vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
description = "IP Cristian Sacristan Home"
tags = {
Name = "ireland-dev-my_own_project-sg-cs_local"
env = "dev"
application = "my_own_project-main"
finality = "bastion"
}
}
resource "aws_security_group_rule" "sg-local-ssh-cs_home" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
security_group_id = "${aws_security_group.sg_local.id}"
cidr_blocks = ["8.8.8.8/32"] # MyIP
}
resource "aws_security_group" "sg_bastion" {
vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
description = "SG for bastion host"
tags = {
Name = "ireland-dev-my_own_project-sg-bastion"
env = "dev"
application = "my_own_project-main"
finality = "bastion"
}
}
# Instances
resource "aws_instance" "bastion" {
ami = "${data.aws_ami.ami_amazon.id}"
instance_type = "t2.micro"
availability_zone = "${aws_subnet.ireland-dev-my_own_project-sn-pub-1a.availability_zone}"
vpc_security_group_ids = ["${aws_security_group.sg_local.id}","${aws_security_group.sg_bastion.id}"]
key_name = "${var.default_kp}"
associate_public_ip_address = true
tags = {
Name = "ireland-dev-my_own_project-ec2ins-bastion"
env = "dev"
application = "my_own_project-main"
finality = "bastion"
}
}
完整的 apply 输出:
aws_vpc.ireland-dev-my_own_project-main_vpc: Creating...
aws_vpc.ireland-dev-my_own_project-main_vpc: Creation complete after 3s [id=vpc-AAAAAAAAAAAAA]
aws_internet_gateway.ireland-dev-my_own_project-main_ig: Creating...
aws_subnet.ireland-dev-my_own_project-sn-pub-1a: Creating...
aws_security_group.sg_bastion: Creating...
aws_subnet.ireland-dev-my_own_project-sn-pub-1a: Creation complete after 1s [id=subnet-AAAAAAAAAAA]
aws_internet_gateway.ireland-dev-my_own_project-main_ig: Creation complete after 1s [id=igw-AAAAAAAAAA]
aws_route_table.ireland-dev-my_own_project-main_route_table: Creating...
aws_security_group.sg_local: Creation complete after 1s [id=sg-AAAAA]
aws_security_group_rule.sg-local-ssh-cs_home: Creating...
aws_security_group.sg_bastion: Creation complete after 1s [id=sg-AAAAAA]
aws_instance.bastion: Creating...
aws_route_table.ireland-dev-my_own_project-main_route_table: Creation complete after 1s [id=rtb-AAAAAAAA]
aws_route_table_association.ireland-dev-my_own_project-route_pub1a: Creating...
aws_security_group_rule.sg-local-ssh-cs_home: Creation complete after 1s [id=sgrule-AAAAA]
aws_route_table_association.ireland-dev-my_own_project-route_pub1a: Creation complete after 0s [id=rtbassoc-AAAA]
Error: Error launching source instance: InvalidParameter: Security group sg-AAAAAAAAAAAAA and subnet subnet-AA belong to different networks.
status code: 400, request id: 6AAAAAA-AA-AAAA-AAAA-AAAAAAA
on main.tf line 135, in resource "aws_instance" "bastion":
135: resource "aws_instance" "bastion" {
您应该指定您希望实例所在的子网而不是可用性区域。
因为您指定了 availability_zone 而不是 subnet_id,所以 Terraform 已尝试将实例放入与默认 VPC 中的 AZ 匹配的子网中,而不是您尝试放置它的 VPC .
不幸的是,这是一个问题,因为 EC2 API 允许 EC2 Classic(预 VPC)帐户使用每个区域的默认 VPC 处理未指定子网的默认情况。