Fix issue with Network interfaces and an instance-level security groups

[catsby]

This should fix #1188, pending current acceptance tests and a new one to account for the issue there.

The configuration I tested:

provider "aws" {
  region="us-west-2"
}

resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_security_group" "tf_test_foo" {
  name = "tf_test_foo"
  description = "foo"
  vpc_id="${aws_vpc.foo.id}"

  ingress {
    protocol = "icmp"
    from_port = -1
    to_port = -1
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_subnet" "foo" {
  cidr_block = "10.1.1.0/24"
  vpc_id = "${aws_vpc.foo.id}"
}

resource "aws_instance" "nat" {
  ami = "ami-21f78e11"
  instance_type = "t1.micro"
  security_groups = ["${aws_security_group.tf_test_foo.id}"]
  subnet_id = "${aws_subnet.foo.id}"
  associate_public_ip_address = true
  source_dest_check = false
  tags {
    Name = "testing-vpc-subnet-things"
  }
}

[catsby]

cc @phinze

[jaxxstorm]

I think you need to associate an elasticip as well:

resource "aws_eip" "nat" {
  instance = "${aws_instance.nat.id}"
  vpc = true
}

That was part of my config. It might not be relevant to the bug, but I know some of the stuff with API issue I read mentioned associating elasticips in there. Definitely worth sanity checking I think.

[mitchellh]

LGTM. It is good we're finding these instance issues, thanks @jaxxstorm :)

[catsby]

@jaxxstorm k, trying that. Do you also have an internet gateway? I'm having issues there...

[jaxxstorm]

yep, I sure do:

resource "aws_internet_gateway" "gw" {
  vpc_id = "${var.vpc_id}"

  tags {
    Name = "${concat(var.vpc_name,"-gateway")}"
  }
}

[kendawg2]

@jaxxstorm I have this and it works:

resource "aws_internet_gateway" "gw" {
vpc_id = "${aws_vpc.prod.id}"

tags {
    Name = "${var.environment}-Internet Gateway"
}

}

Not really any different except I am not using concat() which really isn't needed for that anymore.

[catsby]

Updated the config example:

provider "aws" {
  region="us-west-2"
}

resource "aws_internet_gateway" "gw" {
    vpc_id = "${aws_vpc.foo.id}"
    tags {
        Name = "main"
    }
}

resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_security_group" "tf_test_foo" {
  name = "tf_test_foo"
  description = "foo"
  vpc_id="${aws_vpc.foo.id}"

  ingress {
    protocol = "icmp"
    from_port = -1
    to_port = -1
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_subnet" "foo" {
  cidr_block = "10.1.1.0/24"
  vpc_id = "${aws_vpc.foo.id}"
}

resource "aws_instance" "nat" {
  ami = "ami-21f78e11"
  instance_type = "t1.micro"
  security_groups = ["${aws_security_group.tf_test_foo.id}"]
  subnet_id = "${aws_subnet.foo.id}"
  associate_public_ip_address = true
  source_dest_check = false
  tags {
    Name = "testing-vpc-subnet-things"
  }
}

resource "aws_eip" "nat" {
  instance = "${aws_instance.nat.id}"
  vpc = true
}

Things seem to work as expected. I'm going to make an acceptance test then get this merged!

[phinze]

LGTM

[phinze]

(Actually we're debugging an issue with the destroys in the test... stand by...)

[phinze]

Ok, two things: (1) remove this dependency

[phinze]

Logic for new dependency suggestions:

• Internet Gateway must be present for instance with public IP address to launch in a VPC, and that instance must be gone by the time the IGW is deleted
• Internet Gateway must be present for EIP to be attached in a VPC, and that EIP must be detached before IGW is deleted

[catsby]

@phinze I think we're good here now, yeah?

[phinze]

@catsby Yep this is good to go.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.