I am trying to use terraform to spin up a VPC and single instance and then connect via ssh but I'm unable to. I'm aware I don't have any keys here but I'm trying to simply connect via the web terminal and it still says
There was a problem setting up the instance connection The connection
has been closed because the server is taking too long to respond. This
is usually caused by network problems, such as a spotty wireless
signal, or slow network speeds. Please check your network connection
and try again or contact your system administrator.
Is anyone able to look at my code and see what I'm doing wrong?
provider "aws" {
region = "us-east-2"
}
resource "aws_vpc" "vpc" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "test"
}
}
resource "aws_internet_gateway" "gateway" {
vpc_id = "${aws_vpc.vpc.id}"
tags = {
Name = "test"
}
}
resource "aws_subnet" "subnet" {
vpc_id = "${aws_vpc.vpc.id}"
cidr_block = "${aws_vpc.vpc.cidr_block}"
availability_zone = "us-east-2a"
map_public_ip_on_launch = true
tags = {
Name = "test"
}
}
resource "aws_route_table" "table" {
vpc_id = "${aws_vpc.vpc.id}"
route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.gateway.id}"
}
tags = {
Name = "test"
}
}
resource "aws_route_table_association" "public" {
subnet_id = "${aws_subnet.subnet.id}"
route_table_id = "${aws_route_table.table.id}"
}
resource "aws_instance" "node" {
#ami = "ami-0d5d9d301c853a04a" # Ubuntu 18.04
ami = "ami-0d03add87774b12c5" # Ubuntu 16.04
instance_type = "t2.micro"
subnet_id = "${aws_subnet.subnet.id}"
}
UPDATE1: I've added key_name = "mykey" which I have previously created. I am unable to ping the public ip and upon trying to ssh with the key I get the following:
$ ssh -v -i ~/.ssh/mykey ubuntu#1.2.3.4
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.
where mykey and 1.2.3.4 have been changed for posting.
UPDATE2: Looking at the security group I don't see anything which stands out. The ACL for this has the following:
Rule # Type Protocol Port Range Source Allow / Deny
100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
* ALL Traffic ALL ALL 0.0.0.0/0 DENY
Is this a problem? It seems that no one sees an issue with the terraform code so if anyone can confirm this is not a problem with the code then I think this can be closed out and moved to a different board since it would not be a code issue, correct?
The web console uses SSH to connect, so you still need to setup an SSH key. The only way to connect without an SSH key configured, and port 22 open in the Security Group, is to use AWS Systems Manager Session Manager, but that requires the SSM agent running on the EC2 instance and appropriate IAM roles assigned to the instance.
You have not supplied a key_name to indicate which SSH keypair to use.
If you don't have an existing aws_key_pair then you will also need to create one.
Related
I really can't figure out why I'm unable to SSH into my newly created EC2 instance and can't figure out why for the life of me.
Here is some of my code in Terraform where I created the EC2 and security groups for it.
This is my EC2 code
resource "aws_key_pair" "AzureDevOps" {
key_name = var.infra_env
public_key = var.public_ssh_key
}
# Create network inferface for EC2 instance and assign secruity groups
resource "aws_network_interface" "vm_nic_1" {
subnet_id = var.subnet_id
private_ips = ["10.0.0.100"]
tags = {
Name = "${var.infra_env}-nic-1"
}
security_groups = [
var.ssh_id
]
}
# Add elastic IP addresss for public connectivity
resource "aws_eip" "vm_eip_1" {
vpc = true
instance = aws_instance.virtualmachine_1.id
associate_with_private_ip = "10.0.0.100"
depends_on = [var.gw_1]
tags = {
Name = "${var.infra_env}-eip-1"
}
}
# Deploy virtual machine using Ubuntu ami
resource "aws_instance" "virtualmachine_1" {
ami = var.ami
instance_type = var.instance_type
key_name = aws_key_pair.AzureDevOps.id
#retrieve the Administrator password
get_password_data = true
connection {
type = "ssh"
port = 22
password = rsadecrypt(self.password_data, file("id_rsa"))
https = true
insecure = true
timeout = "10m"
}
network_interface {
network_interface_id = aws_network_interface.vm_nic_1.id
device_index = 0
}
user_data = file("./scripts/install-cwagent.ps1")
tags = {
Name = "${var.infra_env}-vm-1"
}
}
Here is the code for my security group
resource "aws_security_group" "ssh" {
name = "allow_ssh"
description = "Allow access to the instance via ssh"
vpc_id = var.vpc_id
ingress {
description = "Access the instance via ssh"
from_port = 22
to_port = 22
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.infra_env}-allow-ssh"
}
}
If I need to provide any more code or information I can, it's my first time trying to do this and it's frustrating trying to figure it out. I'm trying to use Putty as well and not sure if I just don't know how to use it correctly or if it's something wrong with my EC2 configuration.
I used my public ssh key from my computer for the variable in my aws_key_pair resource. I saved my public ssh key pair as a .ppk file for putty and on my aws console when I go to "connect" it says to use ubuntu#10.0.0.100 for my host name in Putty which I did and when I click okay and it tries to connect it gets a network error connection timed out
I used my public ssh key
You need to use your private key, not public.
use ubuntu#10.0.0.100
10.0.0.100 is private IP address. To be able to connect to your instance over the internet you need to use public IP address.
I'm trying to learn wireguard. I found this great tutorial on how to install it on GCP ....
https://sreejithag.medium.com/set-up-wireguard-vpn-with-google-cloud-57bb3267a6ef
Very basic (for somebody new to wireguard) but it did work. The tutorial shows a vm being provisioned with ip forwarding.Through the GCP web interface
I wanted to set this up with terraform. I've searched the terraform registry and found this...
https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_forwarding_rule
Heres's my main.tf with the virtual machine provisioning. Where would I put something like ip forwarding? Without terraform complaining?
code---
# This is the provider used to spin up the gcloud instance
provider "google" {
project = var.project_name
region = var.region_name
zone = var.zone_name
credentials = "mycredentials.json"
}
# Locks the version of Terraform for this particular use case
terraform {
required_version = "0.14.6"
}
# This creates the google instance
resource "google_compute_instance" "vm_instance" {
name = "development-vm"
machine_type = var.machine_size
tags = ["allow-http", "allow-https", "allow-dns", "allow-tor", "allow-ssh", "allow-2277", "allow-mosh", "allow-whois", "allow-openvpn", "allow-wireguard"] # FIREWALL
boot_disk {
initialize_params {
image = var.image_name
size = var.disk_size_gb
}
}
network_interface {
network = "default"
# Associated our public IP address to this instance
access_config {
nat_ip = google_compute_address.static.address
}
}
# We connect to our instance via Terraform and remotely executes our script using SSH
provisioner "remote-exec" {
script = var.script_path
connection {
type = "ssh"
host = google_compute_address.static.address
user = var.username
private_key = file(var.private_key_path)
}
}
}
# We create a public IP address for our google compute instance to utilize
resource "google_compute_address" "static" {
name = "vm-public-address"
}
For WireGuard, you need to enable IP Forwarding. The resource you are trying to use is for HTTP(S) Load Balancers.
Instead enable the google_compute_instance resource attribute can_ip_forward.
can_ip_forward - (Optional) Whether to allow sending and receiving of
packets with non-matching source or destination IPs. This defaults to
false.
can_ip_forward
resource "google_compute_instance" "vm_instance" {
name = "development-vm"
machine_type = var.machine_size
can_ip_forward = true
....
}
I try to learn Terraform.
Want to install some stuff on an EC2 and connect from ssh.
I have created a new ssh-key pair for this.
When i try to ssh -i ssh-keys/id_rsa_aws ubuntu#52.47.123.18 I got the error
Permission denied (publickey).
Here a sample of my .tf script.
resource "aws_instance" "airflow" {
ami = "ami-0d3f551818b21ed81"
instance_type = "t3a.xlarge"
key_name = "admin"
vpc_security_group_ids = [aws_security_group.ssh-group.id]
tags = {
"Name" = "airflow"
}
subnet_id = aws_subnet.ec2_subnet.id
}
resource "aws_key_pair" "admin" {
key_name = "admin"
public_key = "ssh-rsa ........" # I cat my key.pub fot this
}
EDIT
Thanks to #GrzegorzOledzki I see that the issue come from my subnet work. Here the files.
gateway.tf
resource "aws_internet_gateway" "my_gateway" {
vpc_id = aws_vpc.my_vpc.id
tags = {
Name = "my-gateway"
}
}
network.tf
resource "aws_vpc" "my_vpc" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "my-vpc"
}
}
resource "aws_eip" "airflow_ip" {
instance = aws_instance.airflow.id
vpc = true
}
security_group.tf
resource "aws_security_group" "ssh-group" {
name = "ssh-group"
vpc_id = aws_vpc.my_vpc.id
ingress {
# TLS (change to whatever ports you need)
from_port = 22
to_port = 22
protocol = "tcp"
# Please restrict your ingress to only necessary IPs and ports.
# Opening to 0.0.0.0/0 can lead to security vulnerabilities.
cidr_blocks = ["my.ip.from.home/32"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
subnet.tf
resource "aws_subnet" "ec2_subnet" {
cidr_block = cidrsubnet(aws_vpc.my_vpc.cidr_block, 3, 1)
vpc_id = aws_vpc.my_vpc.id
availability_zone = "eu-west-3c"
}
resource "aws_route_table" "my_route_table" {
vpc_id = aws_vpc.my_vpc.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.my_gateway.id
}
tags = {
Name = "my_route_table"
}
}
resource "aws_route_table_association" "subnet_association" {
route_table_id = aws_route_table.my_route_table.id
subnet_id = aws_subnet.ec2_subnet.id
}
EDIT 2
I destroy everything then rebuilt it and it's working. I'm not sure but I have create my EC2 instance before making and linking the custom-vpc, subnet and security group. It was like something (what ?) went wrong and it couldn't not reassign everything to my instance.
Currenly that pem key has read permission only for users (chmod 400 *.pem). In this case, you need to enable read permission for others also (chmod 404 / chmod o=r *.pem).
I ran in to the same issue and the fix for me too was to just terraform destroy and then rebuilding the infrastructure.
The root cause for my issues was that I had first created and set the key pair for the ec2 instance, but I didn't output/save the private key at all. After creating the ec2 instance with the key pair, I added output + save functionality to the generated ssh keys, but they were actually not the key pair that was set to the ec2 instance, but instead just a new generated one. Now that I generated the key pair set for the newly created instance and saved the output from the private key I could ssh successfully in to the instance
I'm following this terraform tutorial found at gruntwork.io. I can use $ terraform apply to spin up a virtual machine, which shows in the aws console with a public facing ip address and everything. Unfortunately the instance seems to be attached to a previously defined security group and doesn't seems to be responding to ssh or curl as l might expect.
I've modified the security group so that the proper ports are open, and modified the tutorials main.tf file in an attempt to add a user account that l can use to at least see what's running on the vm with.
The results of terraform apply can be seen here
When l try to ssh into the instance with the test user and the associated private key l get a response of permission denied (this also happens if l try logging in as the default user, ubuntu). What am l misunderstanding that the security groups aren't being defined properly and that the user isn't being added to the instance properly. The tutorial was written for terraform 0.7, and l'm running with 0.11.10, but l can't imagine that something so basic would change.
The modified main.tf file is as follows
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# DEPLOY A SINGLE EC2 INSTANCE
# This template uses runs a simple "Hello, World" web server on a single EC2 Instance
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ------------------------------------------------------------------------------
# CONFIGURE OUR AWS CONNECTION
# ------------------------------------------------------------------------------
provider "aws" {
region = "us-east-1"
}
# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY A SINGLE EC2 INSTANCE
# ---------------------------------------------------------------------------------------------------------------------
resource "aws_instance" "example" {
# Ubuntu Server 14.04 LTS (HVM), SSD Volume Type in us-east-1
ami = "ami-2d39803a"
instance_type = "t2.micro"
vpc_security_group_ids = ["${aws_security_group.instance.id}"]
user_data = <<-EOF
#!/bin/bash
echo "Hello, World" > index.html
nohup busybox httpd -f -p "${var.server_port}" &
EOF
tags {
Name = "terraform-example"
}
}
# ---------------------------------------------------------------------------------------------------------------------
# CREATE THE SECURITY GROUP THAT'S APPLIED TO THE EC2 INSTANCE
# ---------------------------------------------------------------------------------------------------------------------
resource "aws_security_group" "instance" {
name = "terraform-example-instance"
# Inbound HTTP from anywhere
ingress {
from_port = "${var.server_port}"
to_port = "${var.server_port}"
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
# Inbound SSH from anywhere
ingress {
from_port = "22"
to_port = "22"
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
variable "server_port" {
description = "The port the server will user for the HTTP requests"
default = 8080
}
# ---------------------------------------------------------------------------------------------------------------------
# Try to add a user to the spun up machine that we can ssh into the account of
# ---------------------------------------------------------------------------------------------------------------------
resource "aws_iam_user" "user" {
name = "test-user"
path = "/"
}
resource "aws_iam_user_ssh_key" "user" {
username = "${aws_iam_user.user.name}"
encoding = "SSH"
public_key = <public_key>
}
You did not specify any keypair name while creating ec2 instance.
For using ubuntu user for ssh you should specify keypair name
Terraform Version: v0.11.8
I am trying to update the rule of security group which is in another region (Ireland) after deploying my current security group (Ohio).
Below is my code snippet:
variable "aws_account_id" {}
terraform {
backend "s3" {}
}
provider "aws" {
region = "us-east-2"
allowed_account_ids = ["${var.aws_account_id}"]
}
provider "aws" {
alias = "TestApp"
region = "eu-west-1"
}
data "aws_security_group" "test_sg" {
provider = "aws.TestApp"
name = "test-sg"
}
resource "aws_security_group" "test1_sg" {
name = "Test 1"
vpc_id = "VPC ID"
}
resource "aws_security_group_rule" "allow_test1_access_test_sg" {
provider = "aws.TestApp"
type = "ingress"
from_port = "80"
to_port = "80"
protocol = "tcp"
security_group_id = "${data.aws_security_group.test_sg.id}"
source_security_group_id = "${aws_security_group.test1_sg.id}"
}
I am getting circular dependency like below.
Case 1: Run above code, Getting error that test1_sg security group does not exist.
Case 2: Run above code without provider = "aws.TestApp" in aws_security_group_rule, Getting error that test_sg security group does not exist.
Case 3: Run above code without provider = "aws.TestApp" in data "aws_security_group" "test_sg" , Getting error that test_sg security group does not exist.
I am not sure this is 100% issue of inter-region communication but it seems like this is the case.
Note: The above error is coming while running terraform apply. Plan is showing correct change without any error.
Any help will be highly appreciated.
Thanks!
Ok so finally i found the answer.
As per Amazon documentation...
You cannot reference the security group of a peer VPC that's in a
different region. Instead, use the CIDR block of the peer VPC.
AWS Doc: Updating Your Security Groups to Reference Peer VPC Groups
I need to use cidr block instead of the security group while referencing in cross region.
As far as I can see with your case 1, your source security group should be "test1_sg". There is no security group with the name "test1_access_test2". Use this.
source_security_group_id = "${aws_security_group.test1_sg.id}"
Otherwise, go and check on your console whether that security group exists or not.