Почему Terraform обнаруживает группу безопасности в другом VPC для подсети?

Question

План Terraform работает нормально, но при запуске terraform apply я получаю следующую ошибку:

Группа безопасности sg-XXXXX и подсеть-подсеть-Defaul1a принадлежат разным сетей.

Вот код Terraform, который я пытаюсь применить:

variable "region" {
  default = "eu-west-1"
}

variable "zones" {
  type = "map"
  default = {
    "eu-west-1a" = "euw1-az2"
    "eu-west-1b" = "euw1-az3"
    "eu-west-1c" = "euw1-az1"
  }
}

variable "default_kp" {
  type = "string"
  default = "ireland-dev-my_own_project-default-kp"
}

data "aws_ami" "ami_amazon" {
  name_regex = "^amzn2-ami-hvm"
  most_recent = true
  owners = ["137112412989"]

  filter {
    name   = "root-device-type"
    values = ["ebs"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
}

#   VPC
resource "aws_vpc" "ireland-dev-my_own_project-main_vpc" {
 cidr_block = "10.0.0.0/16"
 enable_dns_hostnames = true
 enable_dns_support = true

 tags = {
   Name = "ireland-dev-my_own_project-main_vpc"
   environment = "dev"
   application = "my_own_project-main"
 }
}

#   InternetGateway
resource "aws_internet_gateway" "ireland-dev-my_own_project-main_ig" {
 vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
}

#Public Subnet's
resource "aws_subnet" "ireland-dev-my_own_project-sn-pub-1a" {
  cidr_block = "10.0.10.0/24"
  vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
  availability_zone_id = "${var.zones.eu-west-1a}"
  tags = {
    Name = "ireland-dev-my_own_project-sn-pub-1a"
    environment = "dev"
    application = "my_own_project-main"
    finality = "publishing"
  }
}

#   Route Table
resource "aws_route_table" "ireland-dev-my_own_project-main_route_table" {
  vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.ireland-dev-my_own_project-main_ig.id}"
  }

  tags = {
    Name = "ireland-dev-my_own_project-main_route_table"
    environment = "dev"
    application = "my_own_project-main"
    finality = "publishing"
  }
}

#   Route Tables asotiation with Public Subnets
resource "aws_route_table_association" "ireland-dev-my_own_project-route_pub1a" {
  route_table_id = "${aws_route_table.ireland-dev-my_own_project-main_route_table.id}"
  subnet_id = "${aws_subnet.ireland-dev-my_own_project-sn-pub-1a.id}"
}

#   Security Group's and Rules
resource "aws_security_group" "sg_local" {
  vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
  description = "IP Cristian Sacristan Home"

  tags = {
    Name = "ireland-dev-my_own_project-sg-cs_local"
    env = "dev"
    application = "my_own_project-main"
    finality = "bastion"
  }
}

resource "aws_security_group_rule" "sg-local-ssh-cs_home" {
  type = "ingress"
  from_port = 22
  to_port = 22
  protocol = "tcp"
  security_group_id = "${aws_security_group.sg_local.id}"
  cidr_blocks = ["8.8.8.8/32"] # MyIP
}

resource "aws_security_group" "sg_bastion" {
  vpc_id = "${aws_vpc.ireland-dev-my_own_project-main_vpc.id}"
  description = "SG for bastion host"

  tags = {
    Name = "ireland-dev-my_own_project-sg-bastion"
    env = "dev"
    application = "my_own_project-main"
    finality = "bastion"
  }
}

#   Instances
resource "aws_instance" "bastion" {
  ami = "${data.aws_ami.ami_amazon.id}"
  instance_type = "t2.micro"
  availability_zone = "${aws_subnet.ireland-dev-my_own_project-sn-pub-1a.availability_zone}"
  vpc_security_group_ids = ["${aws_security_group.sg_local.id}","${aws_security_group.sg_bastion.id}"]
  key_name = "${var.default_kp}"
  associate_public_ip_address = true

  tags = {
    Name = "ireland-dev-my_own_project-ec2ins-bastion"
    env = "dev"
    application = "my_own_project-main"
    finality = "bastion"
  }
}

Полный apply вывод:

aws_vpc.ireland-dev-my_own_project-main_vpc: Creating...
aws_vpc.ireland-dev-my_own_project-main_vpc: Creation complete after 3s [id=vpc-AAAAAAAAAAAAA]
aws_internet_gateway.ireland-dev-my_own_project-main_ig: Creating...
aws_subnet.ireland-dev-my_own_project-sn-pub-1a: Creating...
aws_security_group.sg_bastion: Creating...
aws_subnet.ireland-dev-my_own_project-sn-pub-1a: Creation complete after 1s [id=subnet-AAAAAAAAAAA]
aws_internet_gateway.ireland-dev-my_own_project-main_ig: Creation complete after 1s [id=igw-AAAAAAAAAA]
aws_route_table.ireland-dev-my_own_project-main_route_table: Creating...
aws_security_group.sg_local: Creation complete after 1s [id=sg-AAAAA]
aws_security_group_rule.sg-local-ssh-cs_home: Creating...
aws_security_group.sg_bastion: Creation complete after 1s [id=sg-AAAAAA]
aws_instance.bastion: Creating...
aws_route_table.ireland-dev-my_own_project-main_route_table: Creation complete after 1s [id=rtb-AAAAAAAA]
aws_route_table_association.ireland-dev-my_own_project-route_pub1a: Creating...
aws_security_group_rule.sg-local-ssh-cs_home: Creation complete after 1s [id=sgrule-AAAAA]
aws_route_table_association.ireland-dev-my_own_project-route_pub1a: Creation complete after 0s [id=rtbassoc-AAAA]

Error: Error launching source instance: InvalidParameter: Security group sg-AAAAAAAAAAAAA and subnet subnet-AA belong to different networks.
        status code: 400, request id: 6AAAAAA-AA-AAAA-AAAA-AAAAAAA

  on main.tf line 135, in resource "aws_instance" "bastion":
 135: resource "aws_instance" "bastion" {

Answer 1

Вы должны указать подсеть, в которой вы хотите создать экземпляр, а не зону доступности.

Поскольку вы указали availability_zone, а не subnet_id, Terraform попыталась поместить экземпляр в подсеть, соответствующую этому AZ в VPC по умолчанию, а не в VPC, в который вы пытаетесь его поместить.

К сожалению, это проблема, связанная с тем фактом, что API EC2 допускает учетные записи EC2 Classic (pre VPC) с VPC по умолчанию для каждого региона, обрабатывающего случай по умолчанию, когда подсети не указаны.