
Can't connect to my server/instance with my Terraform Code for AWS Firewall Project

I am new to Terraform and am currently building a project. The architecture I'm trying to implement is the Network Firewall workshop's "protected VPC with public workload" layout: one inspection VPC in us-east-1a with a firewall subnet and a protected web-server subnet, an internet gateway, and a single nginx host with an Elastic IP. The Terraform I have so far is below.

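# Inspection VPC that holds both the firewall subnet and the protected
# workload subnet.
resource "aws_vpc" "InspectionVPC" {
  cidr_block       = "10.1.0.0/16"
  instance_tenancy = "default"

  # Native booleans rather than the quoted strings "true": the provider
  # coerces the strings, but these arguments are declared as bool and
  # terraform fmt/validate expect the unquoted form.
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name = "FW Inspection VPC"
  }
}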

# Subnet that hosts the Network Firewall endpoint. The firewall itself is
# created outside this file (the question says it was built in the console).
resource "aws_subnet" "FirewallSubnet" {
  vpc_id            = aws_vpc.InspectionVPC.id
  availability_zone = "us-east-1a"
  cidr_block        = "10.1.1.0/28"

  # NOTE(review): nothing in this file launches an instance in this subnet,
  # and the firewall endpoint does not rely on auto-assigned public IPs, so
  # this flag is probably unnecessary exposure. Kept to preserve behaviour.
  map_public_ip_on_launch = true

  tags = {
    Name = "Firewall Subnet"
  }
}

# Subnet for the protected workload (the web server ENI lives here).
#
# NOTE(review): this subnet has no aws_route_table_association in this file,
# so it falls back to the VPC's main route table, which carries only the
# local route. In the workshop design it needs its own table with
# 0.0.0.0/0 -> firewall endpoint; the question says that table was built in
# the console, so verify it exists and is associated with *this* subnet. A
# missing or wrong association would produce a connection timeout like the
# one described, independent of any security group.
resource "aws_subnet" "ProtectedWebServerSubnet" {
  vpc_id            = aws_vpc.InspectionVPC.id
  availability_zone = "us-east-1a"
  cidr_block        = "10.1.3.0/28"

  tags = {
    Name = "Protected WebServer Subnet"
  }
}

# Internet gateway for the inspection VPC.
#
# NOTE(review): in the workshop layout the IGW also needs an *ingress* route
# table (edge association) sending 10.1.3.0/28 to the firewall endpoint, so
# inbound traffic to the EIP is inspected before it reaches the protected
# subnet. Per the question that table was created in the console; in
# Terraform it would be an aws_route_table plus an
# aws_route_table_association using `gateway_id` instead of `subnet_id`.
resource "aws_internet_gateway" "InspectionVPCInternetGateway" {
  vpc_id = aws_vpc.InspectionVPC.id

  tags = {
    Name = "Inspection VPC IGW"
  }
}

# Firewall subnet routing: everything non-local goes straight to the IGW.
# The return path to the protected subnet (10.1.3.0/28) is covered by the
# implicit local route for 10.1.0.0/16, so no extra route is needed here.
resource "aws_route_table" "FirewallRouteTable" {
  vpc_id = aws_vpc.InspectionVPC.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.InspectionVPCInternetGateway.id
  }

  tags = {
    Name = "Firewall Route Table"
  }
}

# Bind the firewall subnet to its route table (0.0.0.0/0 -> IGW). This is the
# only subnet association in the file; the protected subnet has none.
resource "aws_route_table_association" "FirewallRouteTableAssociation" {
  route_table_id = aws_route_table.FirewallRouteTable.id
  subnet_id      = aws_subnet.FirewallSubnet.id
}

# Host firewall for the web server: HTTP and SSH from a single operator
# address, unrestricted egress (needed for the nginx install and for the SSM
# agent to reach its endpoints out through the firewall and IGW).
resource "aws_security_group" "allow_httpssh" {
  name        = "allow_httpssh_traffic"
  description = "Allow http & ssh inbound traffic"
  vpc_id      = aws_vpc.InspectionVPC.id

  # NOTE(review): 180.191.165.6 is the operator's own public IP hard-coded
  # into the resource; move it to a variable so it is not committed with the
  # code and can change without editing the security group.
  #
  # NOTE(review): the browser-based EC2 Instance Connect client connects from
  # AWS's published EC2_INSTANCE_CONNECT prefix for the region, not from this
  # address, so with these rules that client will time out regardless of the
  # routing problem. PuTTY from this address is the meaningful test here.
  ingress {
    description = "SSH"
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["180.191.165.6/32"]
  }

  ingress {
    description = "HTTP"
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["180.191.165.6/32"]
  }

  # All outbound traffic; the firewall, not this group, is where egress
  # inspection is supposed to happen in this design.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "Allow HTTP & SSH traffic"
  }
}

# Primary network interface for the web server, created as its own resource so
# the EIP can be bound to it by ID. The security group is attached here; the
# aws_instance that uses this ENI must not repeat it via vpc_security_group_ids.
resource "aws_network_interface" "web-server-nic" {
  subnet_id       = aws_subnet.ProtectedWebServerSubnet.id
  security_groups = [aws_security_group.allow_httpssh.id]
  private_ips     = ["10.1.3.4"]
}

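# Public address for the web server, bound to its primary ENI in the
# protected subnet. Packets to it are only inspected if the IGW ingress route
# table (built in the console per the question) sends 10.1.3.0/28 to the
# firewall endpoint.
resource "aws_eip" "ec2_eip" {
  # Associate by ENI only. The original also set `instance`; the aws_eip
  # documentation says to give either `instance` or `network_interface`, not
  # both, and that passing both has undefined behaviour. The ENI is the
  # instance's device 0, so nothing is lost by dropping `instance`.
  network_interface         = aws_network_interface.web-server-nic.id
  associate_with_private_ip = "10.1.3.4"

  # Newer provider releases deprecate `vpc` in favour of `domain = "vpc"`;
  # kept as-is because no provider version is pinned in this file.
  vpc = true

  # The provider docs note an EIP may require the IGW to exist before
  # association, hence the explicit dependency.
  depends_on = [aws_internet_gateway.InspectionVPCInternetGateway]
}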

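# The protected workload: one nginx host on the pre-built ENI in the protected
# subnet. Its reachability from the internet depends on routing built outside
# this file (protected-subnet route table -> firewall endpoint, IGW ingress
# route table -> firewall endpoint) and on the firewall policy allowing the
# traffic.
resource "aws_instance" "WebServer" {
  # NOTE(review): `amazon-linux-extras` in user_data exists only on Amazon
  # Linux 2; confirm this AMI is AL2, otherwise nginx never installs (that
  # would not explain an SSH timeout, though).
  ami           = "ami-0f844a9675b22ea32"
  instance_type = "t2.micro"

  # Redundant with the ENI's subnet (also us-east-1a) but harmless; kept so
  # the resource keeps the arguments it had.
  availability_zone = "us-east-1a"
  key_name          = "Project-Key-Pair"

  # Networking, private IP and security group all come from this ENI, so the
  # instance must not also set vpc_security_group_ids or subnet_id (the AWS
  # provider rejects those alongside a network_interface block).
  network_interface {
    device_index         = 0
    network_interface_id = aws_network_interface.web-server-nic.id
  }

  # NOTE(review): the SSM instance profile described in the question is not
  # attached here; add `iam_instance_profile = "<profile name>"` or the agent
  # will never register with Systems Manager.

  # Require IMDSv2 session tokens. This host runs an internet-facing nginx
  # and is meant to carry an instance profile; with IMDSv1 allowed, an SSRF
  # bug in the web tier could read the role credentials with a single GET to
  # 169.254.169.254. The SSM agent and nginx work fine with IMDSv2.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # cloud-init runs this as root; the sudo prefixes are redundant but kept.
  user_data = <<-EOF
                #!/bin/bash
                sudo amazon-linux-extras install nginx1 -y
                sudo systemctl enable nginx
                sudo systemctl start nginx
                EOF

  tags = {
    Name = "Test Workload"
  }
}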

# Public (Elastic) IP of the web server, used for the SSH/HTTP tests.
output "WebServer_Public_IP" {
  description = "Elastic IP attached to the web server's primary ENI"
  value       = aws_eip.ec2_eip.public_ip
}

I followed exactly the steps in the Hands-on Network Firewall Workshop, Lab One: Protected VPC with Public Workload — "Create firewall" and "Create route tables to add the routing to and from firewall, IGW and Protected subnet" — via the AWS Management Console. So the firewall itself, the protected subnet's route table and the routing attached to the IGW exist only in the console; they are not part of the Terraform code above.

However, I cannot connect with either EC2 Instance Connect or the PuTTY SSH client (connection timeout) using my key pair. I also created an SSM instance profile with the permissions below. (Note that the Terraform above does not set `iam_instance_profile` on the instance, so the profile has to be attached by other means; and for Session Manager to work the agent also needs outbound HTTPS to the ssm, ssmmessages and ec2messages endpoints, which in this design must pass through the firewall and IGW unless VPC endpoints exist.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:DescribeDocument",
                "ssm:GetManifest",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:PutComplianceItems",
                "ssm:PutConfigurePackageResult",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*"
        }
    ]
}

Still the same result. I suspected the security group or the EC2 instance, so after applying the code I created a separate security group and instance allowing all traffic from any IPv4 address (0.0.0.0/0) purely as a test — that wide-open group is not something to leave in place. The timeout persists even then, which suggests the security group is not the cause. Does anyone know what is wrong with my IaC?


Answers (1)


In your aws_instance resource there is no security group set directly — but that is expected here: the instance takes its networking from the pre-built `aws_network_interface.web-server-nic`, and that ENI already carries `aws_security_group.allow_httpssh` through its `security_groups` argument. Adding `vpc_security_group_ids` to an instance that uses a `network_interface` block is rejected by the AWS provider as a conflict, so the snippet below would fail at plan time rather than fix the timeout. Since a wide-open security group made no difference either, the problem is more likely the routing through the firewall (the protected subnet's route to the firewall endpoint and the routing attached to the IGW were created in the console, not in this code — check they exist and are associated with the right subnet/gateway) or the firewall policy's rules dropping SSH.

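# The instance as posted in the question, without the suggested
# vpc_security_group_ids line. The security group is already attached through
# the ENI (aws_network_interface.web-server-nic sets security_groups), and the
# AWS provider treats vpc_security_group_ids as conflicting with a
# network_interface block, so adding it here would fail at plan time rather
# than fix the connection timeout.
resource "aws_instance" "WebServer" {
  ami               = "ami-0f844a9675b22ea32"
  instance_type     = "t2.micro"
  availability_zone = "us-east-1a"
  key_name          = "Project-Key-Pair"

  # Security group, subnet and private IP all come from this ENI.
  network_interface {
    device_index         = 0
    network_interface_id = aws_network_interface.web-server-nic.id
  }

  user_data = <<-EOF
                #!/bin/bash
                sudo amazon-linux-extras install nginx1 -y
                sudo systemctl enable nginx
                sudo systemctl start nginx
              EOF

  tags = {
    Name = "Test Workload"
  }
}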

