An argument named "vpc_id" is not expected here - amazon-web-services

I'm new to terraform.. I'm getting the below error when I run terraform plan,
Error: Unsupported argument
> │
on 4_data_vpc.tf line 6, in data "aws_subnets" "subnets":
6: vpc_id = data.aws_vpc.default_vpc.id
> │
An argument named "vpc_id" is not expected here.
This is the data_vpc.tf file
data "aws_vpc" "default_vpc" {
default = true
}
# subnet list in the "default" VPC
# The "default" VPC has all "public subnets"
data "aws_subnet_ids" "default_public" {
vpc_id = "${data.aws_vpc.default_vpc.id}"
}
I've updated aws_subnet_ids to aws_subnets as aws_subnet_ids data source has been deprecated
provider.tf file
provider "aws" {
region = "us-east-1"
shared_credentials_file = "~/.aws/credentials"
profile = "dev"
}
securityGroups.tf
# Security Group:
resource "aws_security_group" "jenkins_server" {
name = "jenkins_server"
description = "Jenkins Server: created by Terraform for [dev]"
# legacy name of VPC ID
vpc_id = "${data.aws_vpc.default_vpc.id}"
tags {
Name = "jenkins_server"
env = "dev"
}
}
###############################################################################
# ALL INBOUND
###############################################################################
# ssh
resource "aws_security_group_rule" "jenkins_server_from_source_ingress_ssh" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
security_group_id = "${aws_security_group.jenkins_server.id}"
cidr_blocks = ["<Your Public IP>/32", "172.0.0.0/8"]
description = "ssh to jenkins_server"
}
# web
resource "aws_security_group_rule" "jenkins_server_from_source_ingress_webui" {
type = "ingress"
from_port = 8080
to_port = 8080
protocol = "tcp"
security_group_id = "${aws_security_group.jenkins_server.id}"
cidr_blocks = ["0.0.0.0/0"]
description = "jenkins server web"
}
# JNLP
resource "aws_security_group_rule" "jenkins_server_from_source_ingress_jnlp" {
type = "ingress"
from_port = 33453
to_port = 33453
protocol = "tcp"
security_group_id = "${aws_security_group.jenkins_server.id}"
cidr_blocks = ["172.31.0.0/16"]
description = "jenkins server JNLP Connection"
}
###############################################################################
# ALL OUTBOUND
###############################################################################
resource "aws_security_group_rule" "jenkins_server_to_other_machines_ssh" {
type = "egress"
from_port = 22
to_port = 22
protocol = "tcp"
security_group_id = "${aws_security_group.jenkins_server.id}"
cidr_blocks = ["0.0.0.0/0"]
description = "allow jenkins servers to ssh to other machines"
}
resource "aws_security_group_rule" "jenkins_server_outbound_all_80" {
type = "egress"
from_port = 80
to_port = 80
protocol = "tcp"
security_group_id = "${aws_security_group.jenkins_server.id}"
cidr_blocks = ["0.0.0.0/0"]
description = "allow jenkins servers for outbound yum"
}
resource "aws_security_group_rule" "jenkins_server_outbound_all_443" {
type = "egress"
from_port = 443
to_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.jenkins_server.id}"
cidr_blocks = ["0.0.0.0/0"]
description = "allow jenkins servers for outbound yum"
}
When I declare a variable vpc_id in the data_vpc.tf file and run terraform plan then the terminal is asking me to enter a value.
var.vpc_id
Enter a value:


When you are using aws_subnets, to add vpc_id, you have to use filter block:
data "aws_subnets" "subnets" {
filter {
name = "vpc-id"
values = [data.aws_vpc.default_vpc.id]
}
}

Related

Dynamic aws security groups and rules creation(terraform)

I’ve created primary_sg, secondary_sg_tcpci, secondary_sg_tcpqa, secondary_sq_tcpprod security groups.
primary_sg has three outbound rules to it and each one is associated with secondary_sg securitygroup as destination.
For secondary, I created three security groups secondary_sg_tcpci, secondary_sg_tcpqa and secondary_sg_tcpprod. Each of these security group inbound rules are associated again with same primary_sg securitygroup as source in it and referring to some local variables.
main.tf
data "aws_vpc" "default" {
id = "vpc-1234"
}
data "aws_security_groups" "server_sg"{
tags = {
name = "server_sg"
}
}
locals {
vpc_id = data.aws_vpc.default.id
server_jumpbox_security_groups = data.aws_security_groups.server_sg.id
}
####### primary_sg###########
resource "aws_security_group" "primary_sg" {
name = "primary_security_group"
description = "Allows outbound rules"
vpc_id = local.vpc_id
}
resource "aws_security_group_rule" "rule_01" {
type = "egress"
from_port = 22
to_port = 22
protocol = "tcp"
source_security_group_id = aws_security_group.secondary_sg_tcpci.id ## Associating secondary_sg_tcpci as destination security group ####
description = "primary_sg rule01"
security_group_id = aws_security_group.primary_sg.id
}
resource "aws_security_group_rule" "rule_02" {
type = "egress"
from_port = 22
to_port = 22
protocol = "tcp"
source_security_group_id = aws_security_group.secondary_sg_tcpqa.id ## Associating secondary_sg_tcpqa as destination security group ####
description = "primary_sg rule02"
security_group_id = aws_security_group.primary_sg.id
}
resource "aws_security_group_rule" "rule_03" {
type = "egress"
from_port = 22
to_port = 22
protocol = "tcp"
source_security_group_id = aws_security_group.secondary_sg_tcpprod.id ## Associating secondary_sg_tcpprod as destination security group ####
description = "primary_sg rule02"
security_group_id = aws_security_group.primary_sg.id
}
########secondary_sg#########
resource "aws_security_group" "secondary_sg_tcpci" {
name = "secondary_sg_tcpci"
description = "RDS SG for TCPCI env"
vpc_id = data.aws_vpc.default.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
security_groups = [local.server_jumpbox_security_groups]
description = "Server SG"
}
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
security_groups = ["${aws_security_group.primary_sg.id}"]
description = "Secondary SG"
}
lifecycle {
create_before_destroy = true
}
}
resource "aws_security_group" "secondary_sg_tcpqa" {
name = "secondary_sg_tcpqa"
description = "RDS SG for TCPQA env"
vpc_id = data.aws_vpc.default.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
security_groups = [local.server_jumpbox_security_groups]
description = "Server SG"
}
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
security_groups = ["${aws_security_group.primary_sg.id}"]
description = "Secondary SG"
}
lifecycle {
create_before_destroy = true
}
}
resource "aws_security_group" "secondary_sg_tcpprod" {
name = "secondary_sg_tcpprod"
description = "RDS SG for TCPQA env"
vpc_id = data.aws_vpc.default.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
security_groups = [local.server_jumpbox_security_groups]
description = "Server SG"
}
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
security_groups = ["${aws_security_group.primary_sg.id}"]
description = "Secondary SG"
}
lifecycle {
create_before_destroy = true
}
}
I tried using for_each loop.
main.tf
resource "aws_security_group" "secondary_sg_tcpci" {
for_each = var.config
name = "${each.key}-rds"
description = "RDS SG for TCPCI env"
vpc_id = data.aws_vpc.default.id
dynamic "ingress" {
for_each = var.ingress_rules
iterator = port
content {
from_port = ingress.value.port
to_port = ingress.value.port
protocol = ingress.value.protocol
security_groups = ["${aws_security_group.primary_sg.id}"]
}
}
}
resource "aws_security_group" "primary_sg" {
name = "primary_security_group"
description = "Allows outbound rules"
vpc_id = local.vpc_id
}
resource "aws_security_group_rule" "rule_01" {
type = "egress"
from_port = 22
to_port = 22
protocol = "tcp"
source_security_group_id = aws_security_group.secondary_sg_tcpci.id ## Associating secondary_sg_tcpci as destination security group ####
description = "primary_sg rule01"
security_group_id = aws_security_group.primary_sg.id
}
resource "aws_security_group_rule" "rule_02" {
type = "egress"
from_port = 22
to_port = 22
protocol = "tcp"
source_security_group_id = aws_security_group.secondary_sg_tcpqa.id ## Associating secondary_sg_tcpqa as destination security group ####
description = "primary_sg rule02"
security_group_id = aws_security_group.primary_sg.id
}
vars.tf
variable "config" {
description = "Security groups configuration"
type = map(object({
name = string
}))
default = {
"sg-1" = {
name = "sg-1"
}
"sg-2" = {
name = "sg-2"
}
}
}
variable "ingress_rules" {
type = map(object({
port = number
protocol = string
}))
default = {
"22" = {
cidr_block = ["0.0.0.0/0"]
port = 22
protocol = "tcp"
}
"22" = {
cidr_block = ["0.0.0.0/0"]
port = 22
protocol = "tcp"
}
}
}

Since you are creating the SG with for_each, you can only access the SG attributes but using proper keys. There is also a small error in other parts of code as in the dynamic block you are setting the iterator and then later on in the content you are not using it, so you can drop it (as it will default to the dynamic block name which is ingress):
resource "aws_security_group" "secondary_sg_tcpci" {
for_each = var.config
name = "${each.key}-rds"
description = "RDS SG for TCPCI env"
vpc_id = data.aws_vpc.default.id
dynamic "ingress" {
for_each = var.ingress_rules
content {
from_port = ingress.value.port
to_port = ingress.value.port
protocol = ingress.value.protocol
security_groups = [aws_security_group.primary_sg.id]
}
}
}
resource "aws_security_group" "primary_sg" {
name = "primary_security_group"
description = "Allows outbound rules"
vpc_id = local.vpc_id
}
resource "aws_security_group_rule" "rule_01" {
for_each = aws_security_group.secondary_sg_tcpci
type = "egress"
from_port = 22
to_port = 22
protocol = "tcp"
source_security_group_id = each.value.id # <--- this is how you would reference the security IDs for all the SGs created with `for_each`
description = "primary_sg rule01"
security_group_id = aws_security_group.primary_sg.id
}
This is only for the one SG created with for_each. This technique is called resource chaining with for_each [1]. If you need to repeat the same for other SGs (tcpqa, tcpprod etc.) you would have to adjust the rest of the code.
[1] https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#chaining-for_each-between-resources

User_data not working in Launch configuration. Is it a problem with my security group or my Launch configuration?

I am currently learning Terraform and I need help with regard to the below code. I want to create a simple architecture of an autoscaling group of EC2 instances behind an Application load balancer. The setup gets completed but when I try to access the application endpoint, it gets timed out. When I tried to access the EC2 instances, I was unable to (because EC2 instances were in a security group allowing access from the ALB security group only). I changed the instance security group ingress values and ran the user_data script manually following which I reverted the changes to the instance security group to complete my setup.
My question is why is my setup not working via the below code? Is it because the access is being restricted by the load balancer security group or is my launch configuration block incorrect?
data "aws_ami" "amazon-linux" {
most_recent = true
owners = ["amazon"]
filter {
name = "name"
values = ["amzn2-ami-kernel-5.10-hvm-2.0.20220426.0-x86_64-gp2"]
}
}
data "aws_availability_zones" "available" {
state = "available"
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "3.14.0"
name = "main-vpc"
cidr = "10.0.0.0/16"
azs = data.aws_availability_zones.available.names
public_subnets = ["10.0.4.0/24","10.0.5.0/24","10.0.6.0/24"]
enable_dns_hostnames = true
enable_dns_support = true
}
resource "aws_launch_configuration" "TestLC" {
name_prefix = "Lab-Instance-"
image_id = data.aws_ami.amazon-linux.id
instance_type = "t2.nano"
key_name = "CloudformationKeyPair"
user_data = file("./user_data.sh")
security_groups = [aws_security_group.TestInstanceSG.id]
lifecycle {
create_before_destroy = true
}
}
resource "aws_autoscaling_group" "TestASG" {
min_size = 1
max_size = 3
desired_capacity = 2
launch_configuration = aws_launch_configuration.TestLC.name
vpc_zone_identifier = module.vpc.public_subnets
}
resource "aws_lb_listener" "TestListener"{
load_balancer_arn = aws_lb.TestLB.arn
port = "80"
protocol = "HTTP"
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.TestTG.arn
}
}
resource "aws_lb" "TestLB" {
name = "Lab-App-Load-Balancer"
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.TestLoadBalanceSG.id]
subnets = module.vpc.public_subnets
}
resource "aws_lb_target_group" "TestTG" {
name = "LabTargetGroup"
port = "80"
protocol = "HTTP"
vpc_id = module.vpc.vpc_id
}
resource "aws_autoscaling_attachment" "TestAutoScalingAttachment" {
autoscaling_group_name = aws_autoscaling_group.TestASG.id
lb_target_group_arn = aws_lb_target_group.TestTG.arn
}
resource "aws_security_group" "TestInstanceSG" {
name = "LAB-Instance-SecurityGroup"
ingress{
from_port = 80
to_port = 80
protocol = "tcp"
security_groups = [aws_security_group.TestLoadBalanceSG.id]
}
ingress{
from_port = 22
to_port = 22
protocol = "tcp"
security_groups = [aws_security_group.TestLoadBalanceSG.id]
}
egress{
from_port = 0
to_port = 0
protocol = "-1"
security_groups = [aws_security_group.TestLoadBalanceSG.id]
}
vpc_id = module.vpc.vpc_id
}
resource "aws_security_group" "TestLoadBalanceSG" {
name = "LAB-LoadBalancer-SecurityGroup"
ingress{
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress{
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress{
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
vpc_id = module.vpc.vpc_id
}

Terraform ec2 instance don't creating

Hello i have tf file for create my ec2 instance
resource "aws_vpc" "magazin-vpc" {
cidr_block = 10.249.0.0/16
}
resource "aws_subnet" "magazin-subnet" {
vpc_id = aws_vpc.magazin-vpc.id
cidr_block = "10.249.2.0/28"
}
resource "aws_instance" "magazin-vm" {
ami = "ami-058c02d7640104f1e"
instance_type = "t2.micro"
private_ip = "10.249.2.5"
subnet_id = aws_subnet.magazin-subnet.id
vpc_security_group_ids = [aws_security_group.magazin-sg.id]
credit_specification {
cpu_credits = "unlimited"
}
}
resource "aws_ebs_volume" "magazin-ebs" {
availability_zone = "eu-north-1a"
size = 10
tags = {
Name = "magazin-ebs"
}
}
resource "aws_volume_attachment" "magazin-ebs-att" {
device_name = "/dev/sdh"
volume_id = aws_ebs_volume.magazin-ebs.id
instance_id = aws_instance.magazin-vm.id
}
resource "aws_security_group" "magazin-sg" {
name = "magazin-sg"
ingress {
description = "Allow port SSH from office"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["172.16.0.0/24"]
}
ingress {
description = "Allow port HTTPS"
from_port = 9200
to_port = 9200
protocol = "tcp"
cidr_blocks = ["172.16.0.0/24"]
}
ingress {
description = "Allow port HTTPS"
from_port = -1
to_port = -1
protocol = "icmp"
cidr_blocks = ["172.16.0.0/24"]
}
egress {
description = "Allow ALL ports"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
and when i launch terraform apply i got
│ Error: Error launching source instance: InvalidParameter: Security group sg-090289f530fb61f8d and subnet subnet-08d14b2d736d10286 belong to different networks.
│ status code: 400, request id: 953d0bb8-cf92-4d8c-9923-d911cec3b453
│
│ with aws_instance.magazin-vm,
│ on dev-aerospike.tf line 6, in resource "aws_instance" "magazin-vm":
│ 6: resource "aws_instance" "magazin-vm" {
│
why this error happens? because i declarate vpc and subnet in my terraform file
i'm using terraform 1.1.6
p.s the site says that the text should be longer but I don't know what else to write so I'll write that terraform is a cool thing, though I still don't know how to use it

You have to specify vpc_id in your aws_security_group. Without that your group will be created in a default VPC, not the one you are creating:
resource "aws_security_group" "magazin-sg" {
name = "magazin-sg"
vpc_id = aws_vpc.magazin-vpc.id
ingress {
description = "Allow port SSH from office"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["172.16.0.0/24"]
}
ingress {
description = "Allow port HTTPS"
from_port = 9200
to_port = 9200
protocol = "tcp"
cidr_blocks = ["172.16.0.0/24"]
}
ingress {
description = "Allow port HTTPS"
from_port = -1
to_port = -1
protocol = "icmp"
cidr_blocks = ["172.16.0.0/24"]
}
egress {
description = "Allow ALL ports"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}

Unable to parse cidr_block from terraform data source

I'm trying to create a security group that will automatically append the cidr blocks from 2 subnets based from the data source filtered results. However I'm getting the error when deploying using terraform v12 variant
data "aws_vpc" "my-vpc" {
filter {
name = "tag:MY_VPC"
values = ["TRUE"]
}
}
data "aws_subnet_ids" "my-subnets" {
vpc_id = data.aws_vpc.my-vpc.id
filter {
name = "tag:NAME"
values = ["MY_SUBNET"]
}
}
resource "aws_security_group" "my-sg" {
name = "my-sg"
description = "my-sg"
vpc_id = data.aws_vpc.my-vpc.id
ingress {
from_port = 443
protocol = "tcp"
to_port = 443
cidr_blocks = ["${data.aws_subnet_ids.my-subnets.*.cidr_block}"]
}
ingress {
from_port = 22
protocol = "tcp"
to_port = 22
cidr_blocks = ["${data.aws_subnet_ids.my-subnets.*.cidr_block}"]
}
ingress {
from_port = 80
protocol = "tcp"
to_port = 80
cidr_blocks = ["${data.aws_subnet_ids.my-subnets.*.cidr_block}"]
}
egress {
from_port = 0
protocol = "-1"
to_port = 0
cidr_blocks = ["${data.aws_subnet_ids.my-subnets.*.cidr_block}"]
}
}
ERROR Im getting
on terraform/my-sg.tf line 27, in resource "aws_security_group" "my-sg":
31: cidr_blocks = ["${data.aws_subnet_ids.my-subnets.*.cidr_block}"]
This object does not have an attribute named "cidr_block".

Data source aws_subnet_ids only returns subnet ids, not cider ranges. To get cidr you have to use aws_subnet:
data "aws_subnet_ids" "my-subnets" {
vpc_id = data.aws_vpc.my-vpc.id
filter {
name = "tag:NAME"
values = ["MY_SUBNET"]
}
}
data "aws_subnet" "selected" {
for_each = data.aws_subnet_ids.my-subnets.ids
id = each.value
}
Then you would use the data:
cidr_blocks = "${values(data.aws_subnet.selected).*.cidr_block}"

How to launch an EFS in the default VPC?

I am trying to launch an EFS file system in my default VPC. I am able to create the EFS but not able to mount the target in all subnets. In subnet_id I not sure how to pass the value of all the subnet ids of default VPC. Below is my Terraform code:
$ cat ec2.tf
provider "aws" {
[enter image description here][1]region = "ap-south-1"
profile = "saumikhp"
}
data "aws_vpc" "default" {
default = true
}
data "aws_subnet_ids" "example" {
vpc_id = var.vpc_id
}
data "aws_subnet" "example" {
for_each = data.aws_subnet_ids.example.ids
id = each.value
}
resource "aws_key_pair" "key" {
key_name = "mykey12345"
public_key = file("mykey12345.pub")
}
resource "aws_security_group" "web-sg" {
name = "web-sg"
description = "Allow port 22 and 80"
vpc_id = "vpc-18819d70"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 2049
to_port = 2049
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "web-sg"
}
}
resource "aws_instance" "myinstance" {
ami = "ami-0447a12f28fddb066"
instance_type = "t2.micro"
key_name = "mykey12345"
security_groups = ["web-sg"]
connection {
type = "ssh"
user = "ec2-user"
private_key = file("mykey12345")
host = aws_instance.myinstance.public_ip
}
provisioner "remote-exec" {
inline = [
"sudo yum install httpd php git -y",
"sudo systemctl restart httpd",
"sudo systemctl enable httpd",
]
}
tags = {
Name = "SaumikOS"
}
}
resource "aws_efs_file_system" "efs" {
creation_token = "efs"
performance_mode = "generalPurpose"
throughput_mode = "bursting"
encrypted = "true"
tags = {
Name = "EfsExample"
}
}
resource "aws_efs_mount_target" "efs-mt" {
depends_on = [
aws_instance.myinstance,
]
for_each = data.aws_subnet_ids.example.ids
subnet_id = each.value
file_system_id = "aws_efs_file_system.efs.id"
security_groups = ["aws_security_group.web-sg.id"]
}
Error after running terraform apply

You can get the subnets from the default VPC by using a combination of the aws_vpc and aws_subnet_ids data sources.
data "aws_vpc" "default" {
default = true
}
data "aws_subnet_ids" "example" {
vpc_id = var.vpc_id
}
You can then create an EFS mount target in each of the subnets by looping over these (each mount target only takes a single subnet_id):
resource "aws_efs_mount_target" "efs-mt" {
for_each = data.aws_subnet_ids.example.ids
file_system_id = aws_efs_file_system.efs.id
subnet_id = each.value
security_groups = [aws_security_group.web-sg.id]
}