hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

creating aws_instance - timeout i/o (no security group is attached when remote provisioner is run) #5694

Closed oerp-odoo closed 6 years ago

oerp-odoo commented 6 years ago

Terraform Version

Terraform v0.11.8

Terraform Configuration Files

# Provider data.
provider "aws" {
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region     = "${var.region}"
}

# Resources for ec2 instance.
resource "aws_instance" "staging-ec2" {
  ami           = "ami-1"
  instance_type = "t2.micro"

  provisioner "file" {
    source      = "/path/to/update-odoo-cfg.py"
    destination = "/tmp/update-odoo-cfg.py"
    connection {
      type        = "ssh"
      user        = "ubuntu"
      private_key = "${file("/path/to.pem")}"
    }
  }
  provisioner "remote-exec" {

    connection {
      type        = "ssh"
      user        = "ubuntu"
      private_key = "${file("/path/to.pem")}"
    }

    inline = [
      "python3 /tmp/update-odoo-cfg.py ${aws_db_instance.staging-rds.address} --cfg-path=/etc/odoo11.conf",
      "sudo systemctl restart odoo11.service"
    ]
  }
}

resource "aws_eip_association" "staging-eip-assoc" {
  instance_id   = "${aws_instance.staging-ec2.id}"
  allocation_id = "eipalloc-1"
}

resource "aws_network_interface_sg_attachment" "ec2-sg_attachment" {
  # Group for staging.
  security_group_id    = "sg-1"
  network_interface_id = "${aws_instance.staging-ec2.primary_network_interface_id}"
}

# Resources for db instance.
data "aws_db_snapshot" "latest_prod_snapshot" {
  db_instance_identifier = "dbinstance-eu-central-1"
  most_recent = true
}

# Use the latest production snapshot to create a dev instance.
resource "aws_db_instance" "staging-rds" {
  instance_class         = "db.t2.micro"
  storage_type           = "gp2"
  identifier             = "dbinstance-staging-eu-central-1"
  snapshot_identifier    = "${data.aws_db_snapshot.latest_prod_snapshot.id}"
  vpc_security_group_ids = ["sg-2"]
  lifecycle {
    ignore_changes = ["snapshot_identifier"]
  }
}

# Output variables.
output "ip" {
  value = "${aws_instance.staging-ec2.public_ip}"
}
output "rds-endpoint" {
  value = "${aws_db_instance.staging-rds.address}"
}

Expected Behavior

Should create EC2 instance, associate EIP and associate security group.

Actual Behavior

aws_instance.staging-ec2: Still creating... (4m30s elapsed)
aws_instance.staging-ec2: Still creating... (4m40s elapsed)
aws_instance.staging-ec2: Still creating... (4m50s elapsed)
aws_instance.staging-ec2: Still creating... (5m0s elapsed)
aws_instance.staging-ec2: Still creating... (5m10s elapsed)
aws_instance.staging-ec2: Still creating... (5m20s elapsed)

Error: Error applying plan:

1 error(s) occurred:

* aws_instance.staging-ec2: timeout - last error: dial tcp 52.29.93.120:22: i/o timeout

Steps to Reproduce

  1. terraform apply

Important Factoids

It seems there is already a similar issue created last year (see references). Is there a workaround at least, then? Because I don't know now how to run provisioner file and provisioner remote-exec when Terraform tries to apply those commands before actually setting the security group and elastic IP.

References

Looks like this issue is similar to mine, though I do get a bit different error: https://github.com/terraform-providers/terraform-provider-aws/issues/1712

oerp-odoo commented 6 years ago

As a workaround it is possible to use vpc_security_group_ids inside the aws_instance resource. This way it does assign the group before trying to run remote-exec.

bflad commented 6 years ago

Hi again, @oerp-odoo 👋

Using vpc_security_group_ids is not a workaround, but a requirement if you're looking to assign a VPC security group when creating an EC2 instance. As it looks like you discovered, this should properly set up security group access before provisioners run against the EC2 instance.

Above though you are mentioning that you are trying to get provisioners working through an EIP as well. This process is more complicated, but has to be generally achieved with the provisioners being on the EIP resource or a separate null_resource. The documentation page there gives an example directly with aws_instance that you would need to adjust to point to something like the aws_eip_association resource instead. Hopefully this gets you started.

Please note: We use GitHub issues in this repository for tracking AWS provider bugs and enhancements rather than for questions. While we may be able to help with some simple problems here it's generally better to use one of the community forums where there are far more people ready to help; the GitHub issues here are generally monitored only by our few maintainers who are generally only working on provider bugs or enhancements. Given this, I'm going to close this issue out, but please let us know if there is some bug with any of the AWS resources. 👍
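The arrangement both comments describe, written out as an added example (it is not configuration from the issue author or from the provider project): the security group is attached through vpc_security_group_ids at instance creation, and both provisioners move to a null_resource whose connection targets the EIP and whose triggers depend on the aws_eip_association, so they cannot start before the group and the EIP are in place. The placeholders ami-1, sg-1, eipalloc-1, the key path and the script path are the ones used in the issue; Terraform 0.11 interpolation syntax is used to match the reported version, and the triggers map is an assumption about how the user wants re-provisioning keyed.

```hcl
# Added example, not the reporter's or the provider's own configuration.
# Placeholder IDs (ami-1, sg-1, eipalloc-1) and paths come from the issue.

resource "aws_instance" "staging-ec2" {
  ami           = "ami-1"
  instance_type = "t2.micro"

  # Attach the group at creation time instead of via a separate
  # aws_network_interface_sg_attachment. The group should permit inbound
  # TCP/22 only from the operator's address range, never from 0.0.0.0/0.
  vpc_security_group_ids = ["sg-1"]
}

resource "aws_eip_association" "staging-eip-assoc" {
  instance_id   = "${aws_instance.staging-ec2.id}"
  allocation_id = "eipalloc-1"
}

# Provisioners are held here so they only run once the EIP is associated;
# the triggers reference creates the dependency ordering.
resource "null_resource" "staging-provision" {
  triggers {
    instance_id = "${aws_instance.staging-ec2.id}"
    eip_assoc   = "${aws_eip_association.staging-eip-assoc.id}"
  }

  # One connection block for both provisioners; host is the EIP, not the
  # instance's original public_ip, which the association replaces.
  connection {
    type        = "ssh"
    host        = "${aws_eip_association.staging-eip-assoc.public_ip}"
    user        = "ubuntu"
    private_key = "${file("/path/to.pem")}"
  }

  provisioner "file" {
    source      = "/path/to/update-odoo-cfg.py"
    destination = "/tmp/update-odoo-cfg.py"
  }

  provisioner "remote-exec" {
    inline = [
      "python3 /tmp/update-odoo-cfg.py ${aws_db_instance.staging-rds.address} --cfg-path=/etc/odoo11.conf",
      "sudo systemctl restart odoo11.service",
    ]
  }
}
```

With this layout a `terraform apply` creates the instance with sg-1 already on its primary interface, associates the EIP, and only then opens the SSH session; the "dial tcp ...:22: i/o timeout" in the report is what you see when the provisioner starts while the instance still has no group permitting port 22, so a timeout at that step is a sign the ordering (or the group's ingress rule) is wrong rather than a transient network fault.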

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!