Terraform EC2 networking broken


Problem description

I'm using Terraform 0.12.26 and I want to build an AWS Ubuntu machine instance.

When I run terraform apply, everything looks right... but I can't ssh to the new EC2 machine. My home firewall allows ssh everywhere, and I can ssh to any other internet resources.

If I manually install an EC2 instance in the same region / az, ssh works fine... this problem seems to be limited to Terraform.

$ terraform apply
...
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_key_pair.mykeypair: Creating...
aws_vpc.main: Creating...
aws_key_pair.mykeypair: Creation complete after 2s [id=mykeypair-pub]
aws_vpc.main: Still creating... [10s elapsed]
aws_vpc.main: Creation complete after 14s [id=vpc-0396212cf58236e68]
aws_subnet.first_subnet: Creating...
aws_security_group.ingress-policy-example: Creating...
aws_subnet.first_subnet: Creation complete after 10s [id=subnet-0558eb0d5c2a4cb3e]
aws_security_group.ingress-policy-example: Still creating... [10s elapsed]
aws_security_group.ingress-policy-example: Creation complete after 13s [id=sg-080e7fa96dc485107]
aws_instance.example: Creating...
aws_instance.example: Still creating... [10s elapsed]
aws_instance.example: Still creating... [20s elapsed]
aws_instance.example: Creation complete after 25s [id=i-0aaf3c53023c1226f]

Apply complete! Resources: 5 added, 0 changed, 0 destroyed.

Outputs:

ip = 34.217.88.173

$ telnet 34.217.88.173 22
Trying 34.217.88.173...
telnet: Unable to connect to remote host: Resource temporarily unavailable
$

This is my terraform code:

$ cat main.tf
provider "aws" {
  region     = var.region
  access_key = "SECRET_ACCESS_KEY_HERE"
  secret_key = "SECRET_KEY_HERE"

  # Allow any 2.x version of the AWS provider
  version = "~> 2.0"
}

variable region {
  default = "us-west-2"
}

variable availability_zone_01 {
  default = "us-west-2a"
}

variable key_path {
    default = "~/.ssh/id_rsa.pub"
}

variable site_supernet {
    default = "10.0.0.0/16"
}

variable first_subnet {
    default = "10.0.1.0/24"
}

resource "aws_vpc" "main" {
  cidr_block           = var.site_supernet
  enable_dns_hostnames = true
  enable_dns_support   = true
  instance_tenancy     = "default"

  tags = {
    Name = "tag-primary-vpc"
  }
}

resource "aws_subnet" "first_subnet" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = var.first_subnet
  availability_zone       = var.availability_zone_01
  map_public_ip_on_launch = true

  tags = {
    Name = "tag-first_subnet"
  }
}

resource "aws_security_group" "ingress-policy-example" {
  vpc_id        = aws_vpc.main.id
  ingress {
    cidr_blocks = ["0.0.0.0/0",]
    from_port   = 22  # Port from 22 to 22...
    to_port     = 22
    protocol    = "tcp"
  }

  ## This egress rule was missing from my original question...
  egress {
    # Terraform doesn't allow all egress traffic by default...
    cidr_blocks = ["0.0.0.0/0"]
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
  }

  tags = {
    Name = "tag-sg-allow-ssh"
  }
}

resource "aws_key_pair" "mykeypair" {
  key_name   = "mykeypair-pub"
  public_key = file(var.key_path)
}

resource "aws_instance" "example" {
  #ami           = "ami-0994c095691a46fb5"
  ami           = "ami-003634241a8fcdec0"
  instance_type = "t2.nano"
  key_name      = aws_key_pair.mykeypair.key_name

  subnet_id                   = aws_subnet.first_subnet.id
  vpc_security_group_ids      = [
    aws_security_group.ingress-policy-example.id,
  ]
  associate_public_ip_address = true

  root_block_device {
    delete_on_termination = false
  }

  user_data = <<-EOF
              #!/bin/bash
              apt-get update
              apt-get install -y openssh-server   # -y: user_data runs non-interactively
              EOF

  tags = {
    Name = "stackoverflow_20200619"
  }
}

output "ip" {
  value = aws_instance.example.public_ip
}

QUESTION: How can I fix this terraform deployment so I can ssh to the server above?

What I've tried:

  • Manually building an Ubuntu image using key auth; this works fine and I can ssh to it
  • Removing the terraform security group; does not help
  • Changing AWS terraform regions / availability zones; does not help
  • Removing the user_data package installation; does not help
  • Removing the aws_subnet; does not help
  • Removing instance_tenancy; does not help
  • Replacing the ssh key with another ssh key; does not help
  • Replacing the ssh key with a static username / password; does not help
  • SSH from Windows with PuTTY (instead of linux & openssh); does not help

Recommended answer

Your VPC has no Internet Gateway (IGW). You'll need to create that and add a route table entry for it.

Adding these resources should work (wrote this on my phone so your mileage may vary):

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "main"
  }
}

resource "aws_route" "r" {
  # The route needs the table's id attribute, not the resource object itself
  route_table_id         = aws_route_table.rt.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
}

resource "aws_route_table" "rt" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table_association" "rta" {
  subnet_id      = aws_subnet.first_subnet.id
  route_table_id = aws_route_table.rt.id
}
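The answer's diagnosis (no IGW, no default route) is the one thing in the asker's list of attempts that was never checked: security group, key, AMI and user_data all sit above the VPC routing layer. The script below is an added example, not part of the original question or answer. It evaluates, offline, whether a subnet is internet-routable from a `describe-route-tables` snapshot: it picks the table explicitly associated with the subnet (falling back to the VPC's main table, which is what the question's VPC had), then looks for an active `0.0.0.0/0` route whose target is an internet gateway. The VPC and subnet ids are the ones from the apply output above; every other id and the three snapshots are constructed for illustration.

```python
"""Check whether a subnet is internet-routable, from describe-route-tables JSON.

Added example; the JSON shape follows `aws ec2 describe-route-tables`, the ids
below other than the question's VPC and subnet are constructed placeholders.
"""
import json

VPC_ID = "vpc-0396212cf58236e68"        # from the question's apply output
SUBNET_ID = "subnet-0558eb0d5c2a4cb3e"  # from the question's apply output


def build_snapshot(with_custom_table, default_route_state="active"):
    """Build a constructed describe-route-tables snapshot for the question's VPC.

    with_custom_table=False reproduces the broken state: only the main route
    table exists and it carries nothing but the VPC-local route.
    with_custom_table=True reproduces the answer's fix: a table associated with
    the subnet that routes 0.0.0.0/0 to an IGW. default_route_state lets the
    caller model a detached IGW, which AWS reports as a "blackhole" route.
    """
    local = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
    main_id = "rtb-0main00000000001"  # constructed id
    tables = [{
        "RouteTableId": main_id,
        "VpcId": VPC_ID,
        "Associations": [{"Main": True, "RouteTableId": main_id}],
        "Routes": [local],
    }]
    if with_custom_table:
        custom_id = "rtb-0custom0000000001"  # constructed id
        tables.append({
            "RouteTableId": custom_id,
            "VpcId": VPC_ID,
            "Associations": [{"SubnetId": SUBNET_ID, "RouteTableId": custom_id}],
            "Routes": [local, {"DestinationCidrBlock": "0.0.0.0/0",
                               "GatewayId": "igw-0123456789abcdef0",  # constructed id
                               "State": default_route_state}],
        })
    return json.dumps({"RouteTables": tables})


def effective_route_table(route_tables, subnet_id, vpc_id):
    """Return the table that applies to subnet_id: explicit association wins,
    otherwise the VPC's main table, otherwise None."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(route_table):
    """True only for an *active* 0.0.0.0/0 route whose target is an IGW.

    A NAT gateway target (NatGatewayId) gives outbound-only access and a
    blackhole route means the IGW was detached, so both count as not public.
    """
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("GatewayId", "").startswith("igw-")
                and route.get("State") == "active"):
            return True
    return False


def diagnose(route_tables_json, subnet_id, vpc_id):
    """Return (is_public, route_table_id, reason) for the subnet."""
    tables = json.loads(route_tables_json).get("RouteTables", [])
    rt = effective_route_table(tables, subnet_id, vpc_id)
    if rt is None:
        return (False, None, "no route table found for the subnet's VPC")
    rt_id = rt["RouteTableId"]
    if has_igw_default_route(rt):
        return (True, rt_id, f"{rt_id} routes 0.0.0.0/0 to an internet gateway")
    return (False, rt_id, f"{rt_id} has no active 0.0.0.0/0 -> igw route")


if __name__ == "__main__":
    cases = [("before fix", build_snapshot(False)),
             ("after fix", build_snapshot(True)),
             ("igw detached", build_snapshot(True, "blackhole"))]
    for label, snap in cases:
        print(f"{label:13s}: {diagnose(snap, SUBNET_ID, VPC_ID)}")
```

Against a real account, feed `diagnose` the output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id> --output json`. Once the subnet is public in this sense, the security group's `0.0.0.0/0` ingress on port 22 is reachable from the whole internet, so narrowing `cidr_blocks` to the address you actually connect from is the matching hardening step; the placeholder credentials in the `provider` block are likewise better supplied through the AWS credential chain than committed in `main.tf`.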
