Is it possible to create an EC2 instance while reusing already existing VPC?

Running the following code yields Error launching source instance: VPCIdNotSpecified: No default VPC for this user. GroupName is only supported for EC2-Classic and default VPC. (status code: 400):

data "aws_security_groups" "my_tib_sg" {
  tags = {
    Name = "my-security-group"
  }
}

resource "aws_instance" "nginx" {
  ami                    = data.aws_ami.aws-linux.id
  instance_type          = "t2.micro"
  key_name               = var.key_name
  vpc_security_group_ids = [data.aws_security_groups.my_tib_sg.id]

  # more, irrelevant stuff...
}

FWIU from the error, the aws_instance block requires a reference to my VPC, which basically exists in my security group. Besides, I can't find a way to refer to a VPC in an aws_instance block.

Updating code per answers:

I updated the code per answers below:

data "aws_security_groups" "my_tib_sg" {
  tags = {
    Name = "my-tib-sg"
  }
}

data "aws_subnet" "my_subnet" {
  tags = {
    Name = "my-tib-subnet-1"
  }
}

resource "aws_network_interface" "my_ani" {
  subnet_id = data.aws_subnet.my_subnet.id
  private_ips = ["10.0.0.10"]

  tags = {
    Name = "my-tib-ani"
    by = "TF_TF"
  }
}

resource "aws_instance" "nginx" {
  ami                    = data.aws_ami.aws-linux.id
  instance_type          = "t2.micro"
  key_name               = var.key_name
  vpc_security_group_ids = [data.aws_security_groups.my_tib_sg.id]

  network_interface {
    network_interface_id = aws_network_interface.my_ani.id
    device_index = 0
  }

  connection {
    type        = "ssh"
    host        = self.public_ip
    user        = "ec2-user"
    private_key = file(var.private_key_path)

  }

  provisioner "remote-exec" {
    inline = [
      "sudo yum install nginx -y",
      "sudo service nginx start"
    ]
  }
}

But the error changes to "network_interface": conflicts with vpc_security_group_ids.

(needless to mention: both my_subnet and my_tib_sg use the same VPC)

3 Answers

I typically use the subnet_id parameter, directly on the aws_instance resource:

data "aws_security_groups" "my_tib_sg" {
  tags = {
    Name = "my-tib-sg"
  }
}

data "aws_subnet" "my_subnet" {
  tags = {
    Name = "my-tib-subnet-1"
  }
}

resource "aws_instance" "nginx" {
  ami                    = data.aws_ami.aws-linux.id
  instance_type          = "t2.micro"
  key_name               = var.key_name
  vpc_security_group_ids = [data.aws_security_groups.my_tib_sg.ids[0]]

  # specify the subnet_id here
  subnet_id              = data.aws_subnet.my_subnet.id

  # more, irrelevant stuff...
}

2 Comments

That gives me Error launching source instance: InvalidGroup.NotFound: The security group 'us-east-1' does not exist in VPC 'vpc-08eb9a805c513e234' status code: 400, request id: c3e03d1d-ba50-4aec-87b3-d628ca95b234, (even though that security group does refer to that VPC)
I fixed the code above. You use the attribute "id" of the "aws_security_groups" data source, which is the AWS Region according to the documentation (registry.terraform.io/providers/hashicorp/aws/latest/docs/…). You should use the "ids" property instead, and get the first one since there is probably only one security group with the given name. Sorry about that, I focused on the problem you described, not the other ones laying around ;)
Yes, you can add a new EC2 instance to an existing VPC.

You should provide the subnet_id to aws_instance. You would typically pass that into Terraform as a parameter, rather than hard-coding its value into your template.

Note: the subnet ID implicitly indicates the actual VPC (because a subnet only exists in one VPC).

Comments

Is it possible to create an EC2 instance while reusing already existing VPC?

Yes, you can create an EC2 instance with an existing VPC. You can use a Data Source: aws_vpc to query the existing VPC and then reference it in your resources, like the Resource: aws_instance below:

variable "vpc_id" {}

data "aws_vpc" "selected" {
  id = var.vpc_id
}

resource "aws_subnet" "example" {
  vpc_id            = data.aws_vpc.selected.id
  availability_zone = "us-west-2a"
  cidr_block        = cidrsubnet(data.aws_vpc.selected.cidr_block, 4, 1)
}

resource "aws_security_group" "allow_tls" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = data.aws_vpc.selected.id

  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.selected.cidr_block] # the VPC looked up above, not a separately defined aws_vpc resource
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_tls"
  }
}

resource "aws_network_interface" "foo" {
  subnet_id   = aws_subnet.example.id
  private_ips = ["172.16.10.100"]
  security_groups = [aws_security_group.allow_tls.id]

  tags = {
    Name = "primary_network_interface"
  }
}

resource "aws_instance" "foo" {
  ami           = "ami-005e54dee72cc1d00" # us-west-2
  instance_type = "t2.micro"

  network_interface {
    network_interface_id = aws_network_interface.foo.id
    device_index         = 0
  }

  credit_specification {
    cpu_credits = "unlimited"
  }
}

3 Comments

See my update above: I followed this suggestion, but seems I have some conflict now: "network_interface": conflicts with vpc_security_group_ids
@Tar The aws_network_interface resource allows you to set the security group for the interface (security groups are scoped by the ENI so this makes sense) so if you define the network_interface block then you're overriding the default ENI and so can't specify security groups at the instance level.
The problem is that I'm trying to reuse already existing resources - when using data "aws_subnet" "my_subnet" (rather than resource "aws_subnet" "my_subnet") and data "aws_security_groups" "my_tib_sg" (rather than resource "aws_security_groups" "my_tib_sg"), then it's not working (error: Error creating ENI: InvalidParameterValue: user 123456123456 does not own a resource us-east-1 status code: 400, request id: bb97c9a1-3219-4833-93df-fcd90bf50234)
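An added example (not code from any of the posts above) that puts the two comments together for the asker's case of reusing an existing subnet and security group: the security group is looked up by tag and additionally filtered to the subnet's VPC, the `ids` list (not the `id` attribute, which is the region) is attached to the ENI, and vpc_security_group_ids is dropped from the instance so there is no conflict. The tag values are the asker's; the `lifecycle` precondition assumes Terraform 1.2 or newer and the AMI/key variables are assumed to exist elsewhere.

```hcl
# Existing subnet, found by its Name tag.
data "aws_subnet" "my_subnet" {
  tags = {
    Name = "my-tib-subnet-1"
  }
}

# Existing security group, found by Name tag AND restricted to the
# subnet's VPC, so a same-named group in another VPC cannot be picked up
# (that mismatch is what produces InvalidGroup.NotFound at launch).
data "aws_security_groups" "my_tib_sg" {
  tags = {
    Name = "my-tib-sg"
  }

  filter {
    name   = "vpc-id"
    values = [data.aws_subnet.my_subnet.vpc_id]
  }
}

# Security groups live on the ENI, so they are set here, not on the instance.
# Use the "ids" list; "id" on this data source is the region name, which is
# what caused the "does not own a resource us-east-1" ENI error.
resource "aws_network_interface" "my_ani" {
  subnet_id       = data.aws_subnet.my_subnet.id
  private_ips     = ["10.0.0.10"] # must fall inside the subnet's CIDR
  security_groups = data.aws_security_groups.my_tib_sg.ids

  tags = {
    Name = "my-tib-ani"
  }
}

resource "aws_instance" "nginx" {
  ami           = data.aws_ami.aws-linux.id # assumed to be defined elsewhere
  instance_type = "t2.micro"
  key_name      = var.key_name

  # No vpc_security_group_ids here: it conflicts with network_interface.
  network_interface {
    network_interface_id = aws_network_interface.my_ani.id
    device_index         = 0
  }

  # Fail the plan if the tag lookup matched zero or several groups, instead
  # of silently attaching an unexpected set of rules to the instance.
  lifecycle {
    precondition {
      condition     = length(data.aws_security_groups.my_tib_sg.ids) == 1
      error_message = "Expected exactly one security group tagged Name=my-tib-sg in the subnet's VPC."
    }
  }
}
```

Run `terraform plan` first; the precondition and the vpc-id filter surface a wrong-VPC or duplicate-tag lookup before any instance is launched.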
