James Binford

Reputation: 2893

Can't connect to Terraform-created instance with Private Key, but CAN connect when I create instance in Console

I've created the following key pair and EC2 instance using Terraform. I'll leave the SG config out of it, but it allows SSH from the internet.

When I try to SSH into this instance I get the errors "Server refused our key" and "No supported authentication methods available (server sent: publickey)".

However I am able to login when I create a separate EC2 instance in the console and assign it the same key pair assigned in the TF script.

Has anyone seen this behavior? What causes it?

# Create Dev VPC
resource "aws_vpc" "dev_vpc" {
  cidr_block           = "10.0.0.0/16"
  instance_tenancy     = "default"
  enable_dns_hostnames = true

  tags = {
    Name = "dev"
  }
}

# Create an Internet Gateway Resource
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.dev_vpc.id

  tags = {
    Name = "dev-engineering-igw"
  }
}

# Create a Route Table
resource "aws_route_table" "dev_public_routes" {
  vpc_id = aws_vpc.dev_vpc.id

  tags = {
    Name = "dev_public_routes"
  }
}

# Create a Route (default route to the internet gateway)
resource "aws_route" "dev_internet_access" {
  route_table_id         = aws_route_table.dev_public_routes.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
}

# Associate the Route Table to our Public Subnet
resource "aws_route_table_association" "dev_public_subnet_assoc" {
  subnet_id      = aws_subnet.dev_public.id
  route_table_id = aws_route_table.dev_public_routes.id
}

# Create public subnet for hosting customer-facing Django app
resource "aws_subnet" "dev_public" {
  vpc_id            = aws_vpc.dev_vpc.id
  cidr_block        = "10.0.0.0/17"
  availability_zone = "us-west-2a"

  tags = {
    Env = "dev"
  }
}

resource "aws_security_group" "allow_https" {
  name        = "allow_https"
  description = "Allow http, https and ssh inbound traffic"
  vpc_id      = aws_vpc.dev_vpc.id

  ingress {
    description = "HTTP into VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "HTTPS into VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # SSH is open to the whole internet here; narrow cidr_blocks to a bastion or
  # office range (or drop the rule and use Session Manager) outside of dev
  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Security groups are stateful, so replies to inbound SSH/HTTP(S) still flow;
  # this rule only permits new outbound connections on 443
  egress {
    description = "HTTPS out of VPC for Session Manager"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_https"
  }
}

# Assumed definition of the data.aws_ami.ubuntu20 lookup referenced by the
# instance below: the latest Canonical Ubuntu 20.04 AMI in the region
data "aws_ami" "ubuntu20" {
  most_recent = true
  owners      = ["099720109477"] # Canonical

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }
}

resource "aws_instance" "web" {
  ami                         = data.aws_ami.ubuntu20.id
  instance_type               = "t3.micro"
  subnet_id                   = aws_subnet.dev_public.id
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.allow_https.id]
  key_name                    = "key_name"

  # Meant to enable IMDSv2, but http_endpoint = "disabled" switches the
  # instance metadata service off entirely
  metadata_options {
    http_endpoint = "disabled"
    http_tokens   = "required"
  }

  tags = {
    Env = "dev"
  }
}

Upvotes: 2

Views: 683

Answers (1)

Fermin

Reputation: 36111

As specified in the comments, removing the metadata_options from the instance resource resolves the issue.

The fix is to update the metadata_options to be:

  metadata_options { # Enabling IMDSv2
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

Looking at the Terraform documentation for metadata_options shows that:

  • http_endpoint = "disabled" means that the metadata service is unavailable.
  • http_tokens = "required" means that the metadata service requires session tokens (i.e. IMDSv2).

This is an invalid configuration, as specified in the AWS docs:

You can opt in to require that IMDSv2 is used when requesting instance metadata. Use the modify-instance-metadata-options CLI command and set the http-tokens parameter to required. When you specify a value for http-tokens, you must also set http-endpoint to enabled.

Upvotes: 1
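The mechanism behind the answer is worth making explicit: cloud-init on the Ubuntu AMI fetches the key pair's public key from the instance metadata service (/latest/meta-data/public-keys/) at first boot and writes it to ~/.ssh/authorized_keys. With http_endpoint = "disabled" that request can never succeed, so no key is installed and sshd refuses the one you offer, while the console-launched instance (metadata left at its defaults) works. The script below is an added example, not part of the question or the answer: a pre-apply check that scans aws_instance resources in Terraform text for metadata_options, flags the disabled-endpoint combination as an error, and also reports weaker but valid settings (http_tokens = "optional", hop limit above 1). The embedded HCL is constructed; the resource names web_fixed and legacy are assumptions.

```python
"""Pre-apply check for aws_instance metadata_options combinations that break
SSH key injection or leave IMDSv1 reachable. Added example, not from the page."""
import re
from dataclasses import dataclass

# Constructed sample HCL: the question's broken block, the corrected block from
# the answer, and an instance with no metadata_options (resource names assumed).
SAMPLE_TF = '''
resource "aws_instance" "web" {
  ami           = "ami-00000000"
  instance_type = "t3.micro"
  key_name      = "key_name"

  metadata_options { #Enabling IMDSv2
    http_endpoint = "disabled"
    http_tokens = "required"
  }
}

resource "aws_instance" "web_fixed" {
  ami           = "ami-00000000"
  instance_type = "t3.micro"
  key_name      = "key_name"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
}

resource "aws_instance" "legacy" {
  ami           = "ami-00000000"
  instance_type = "t3.micro"
  key_name      = "key_name"
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_instance"\s+"([^"]+)"\s*\{')
# metadata_options has no nested blocks, so the first closing brace ends it
META_RE = re.compile(r'metadata_options\s*\{(.*?)\}', re.S)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([\w-]+)"?', re.M)


@dataclass
class Finding:
    resource: str
    severity: str  # ERROR: SSH key never installed; WARN/INFO: hardening
    message: str


def parse_metadata_options(resource_body):
    """Return the metadata_options attributes as a dict, or None if absent."""
    m = META_RE.search(resource_body)
    if m is None:
        return None
    return dict(ASSIGN_RE.findall(m.group(1)))


def check_metadata_options(name, opts):
    findings = []
    if opts is None:
        findings.append(Finding(name, "WARN",
            "no metadata_options block: http_tokens is not pinned, so IMDSv1 may "
            "remain enabled depending on the AMI and account-level defaults"))
        return findings
    # AWS provider defaults for attributes omitted inside the block
    endpoint = opts.get("http_endpoint", "enabled")
    tokens = opts.get("http_tokens", "optional")
    if endpoint == "disabled":
        findings.append(Finding(name, "ERROR",
            'http_endpoint = "disabled" switches IMDS off entirely: cloud-init cannot '
            "read the key pair's public key from /latest/meta-data/public-keys/, so "
            "~/.ssh/authorized_keys is never written and sshd refuses the key"))
        if "http_tokens" in opts:
            findings.append(Finding(name, "ERROR",
                "http_tokens is set while http_endpoint is disabled; AWS documents "
                'that http_endpoint must be "enabled" whenever http_tokens is given'))
        return findings
    if tokens != "required":
        findings.append(Finding(name, "WARN",
            'http_tokens = "optional" keeps IMDSv1 reachable, so an SSRF in the web '
            "app can read the instance role's credentials without a session token"))
    hop = opts.get("http_put_response_hop_limit", "1")
    if hop.isdigit() and int(hop) > 1:
        findings.append(Finding(name, "INFO",
            f"http_put_response_hop_limit = {hop} lets containers on the host reach "
            "IMDS; keep it at 1 unless containerised workloads need the credentials"))
    return findings


def check_terraform(text):
    """Map each aws_instance resource name to its list of findings."""
    matches = list(RESOURCE_RE.finditer(text))
    results = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        body = text[m.end():end]
        results[m.group(1)] = check_metadata_options(m.group(1), parse_metadata_options(body))
    return results


if __name__ == "__main__":
    for resource, findings in check_terraform(SAMPLE_TF).items():
        status = "ok" if not findings else ", ".join(f.severity for f in findings)
        print(f"aws_instance.{resource}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Run it as-is to see the three verdicts, or feed it your own .tf contents via check_terraform(open("main.tf").read()). The regexes deliberately cover only the literal-value case; a metadata_options block built from variables or locals is reported as parsed but its values are not evaluated.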
