terraform-provider-aws: Error updating Autoscaling group: InvalidQueryParameter: Invalid launch template: When a network interface is provided, the security groups must be a part of it.
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Terraform v0.11.7
- provider.aws v1.19.0
Affected Resource(s)
- aws_autoscaling_group
- aws_launch_template
Terraform Configuration Files
```hcl
# Launch template for nodes.
resource "aws_launch_template" "nodes" {
  name = "nodes"

  block_device_mappings {
    device_name = "/dev/sda1"

    ebs {
      volume_size = 32
      volume_type = "gp2"
    }
  }

  credit_specification {
    cpu_credits = "unlimited"
  }

  disable_api_termination = true
  ebs_optimized           = true

  iam_instance_profile {
    name = "${aws_iam_instance_profile.nodes.id}"
  }

  # Currently Fedora 28
  image_id                             = "ami-e754e298"
  instance_initiated_shutdown_behavior = "terminate"
  instance_type                        = "${terraform.env == "prod" ? "t2.xlarge" : "t2.large"}"
  key_name                             = "ansible"

  monitoring {
    enabled = true
  }

  # Security groups are attached to the primary interface here ...
  network_interfaces {
    device_index                = 0
    associate_public_ip_address = true
    security_groups             = ["${aws_security_group.openshift.id}"]
  }

  placement {
    availability_zone = "us-east-1a"
  }

  # ... and again at the instance level. The API error in the debug output
  # below is raised for this combination.
  vpc_security_group_ids = ["${aws_security_group.openshift.id}"]

  tag_specifications {
    tags {
      Name = "node"
    }
  }
}

resource "aws_autoscaling_group" "nodes" {
  name = "OpenShift Nodes"

  launch_template = {
    id      = "${aws_launch_template.nodes.id}"
    version = "$$Latest" # "$$" escapes to "$" in Terraform 0.11, giving "$Latest"
  }

  min_size           = "${terraform.env == "prod" ? "3" : "3"}"
  max_size           = "${terraform.env == "prod" ? "3" : "3"}"
  force_delete       = 1
  availability_zones = ["us-east-1a"]

  tag {
    key                 = "Name"
    value               = "node"
    propagate_at_launch = true
  }
}
```
Debug Output
```text
* aws_autoscaling_group.nodes: 1 error(s) occurred:

* aws_autoscaling_group.nodes: Error updating Autoscaling group: InvalidQueryParameter: Invalid launch template: When a network interface is provided, the security groups must be a part of it.
	status code: 400, request id: 7a98dd3b-59f8-11e8-b39f-cdb9cee0f1ee
```
Important Factoids
It seems like the SGs are getting into the template, but I’m not sure why the ASG is complaining about the LT.
This is updating an ASG that previously had an LC.
References
https://github.com/terraform-providers/terraform-provider-aws/pull/4364
About this issue
- State: closed
- Created 6 years ago
- Reactions: 68
- Comments: 21
Commits related to this issue
- remove vpc_security_group_ids as per github.com/terraform-providers/terraform-provider-aws/issues/4570 — committed to smaldon-bjss/terraform-aws-ecs-cluster by smaldon-bjss 4 years ago
- Try resolution presented in hashicorp/terraform-provider-aws/issues/4570 — committed to emmeowzing/astronautcount by deleted user 3 years ago
I encountered the same problem and commenting out `vpc_security_group_ids` worked for me:

@afalko Sorry, I think my comment was incomplete. Yes, I deleted the environment and recreated it, but using terraform, no manual operations. But after doing it again today, I still get the error, so either specifying SGs or removing `network_interfaces` works. I can afford removing it, since I only wanted to disable the public IP for the instance, which obviously is disabled by default for instances not within the default VPC. Anyhow, I think I missed this from the AWS documentation:

The problem is, this is misleading since in the terraform documentation, the example shows the usage of `network_interfaces` this way:

But this does not work (at least it did not work for me) and terraform complains about security groups that need to be added, even though no network interface was mentioned in that block. I hope someone takes a look at this and provides some insight for us.

Update: OK, this is how I solved this for me. I kept `vpc_security_group_ids` in place and removed `security_groups` from `network_interfaces`. Then I updated the ASG configuration:

The issue for me was that this was using the default version of the Launch Template instead of the latest one (as the version increases automatically in AWS even if you don't specify it).

That's not a bug/issue, but intended behavior by AWS: https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-launch-template.html

And confirmed by AWS (from my support ticket):

So in case of setting a network interface you just need to provide the SG on the interface level and remove `vpc_security_group_ids` from the resource.

I reproduced this without terraform so I think this is an AWS issue, but this is interesting:

Now, go back and edit the launch template.

So I removed vpc_security_group_ids and now I get https://github.com/terraform-providers/terraform-provider-aws/issues/4553

I was also able to get around this by removing `vpc_security_group_ids` from the `aws_launch_template` and adding them instead in the `network_interfaces` block. I also had to include the subnet in the `vpc_zone_identifier` list in the `aws_autoscaling_group` and I used the `${aws_launch_template.nodes.latest_version}` format. To provide what seems to be a working example of the necessary parts:
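The workaround just described, written out as an added example in Terraform 0.11 syntax (this is not the commenter's snippet and not provider code). It assumes `aws_security_group.openshift`, `aws_subnet.nodes` (in us-east-1a) and `aws_iam_instance_profile.nodes` exist elsewhere in the configuration, and the AMI ID is a placeholder:

```hcl
# Added example, not from the issue thread. Assumed to exist elsewhere:
# aws_security_group.openshift, aws_subnet.nodes, aws_iam_instance_profile.nodes.
resource "aws_launch_template" "nodes" {
  name          = "nodes"
  image_id      = "ami-00000000" # placeholder, not a real image ID
  instance_type = "t2.large"

  iam_instance_profile {
    name = "${aws_iam_instance_profile.nodes.id}"
  }

  # With a network_interfaces block present, the security groups belong here and
  # only here. This list is the entire ingress/egress filter for a public-facing
  # primary interface, so review it with that in mind.
  network_interfaces {
    device_index                = 0
    associate_public_ip_address = true
    security_groups             = ["${aws_security_group.openshift.id}"]
  }

  # No vpc_security_group_ids at the template level: combining it with the
  # block above is what produced "the security groups must be a part of it".

  tag_specifications {
    resource_type = "instance"

    tags {
      Name = "node"
    }
  }
}

resource "aws_autoscaling_group" "nodes" {
  name = "OpenShift Nodes"

  launch_template = {
    id = "${aws_launch_template.nodes.id}"

    # Pin the ASG to the version Terraform just created, as the comment above
    # does, instead of relying on the template's default version.
    version = "${aws_launch_template.nodes.latest_version}"
  }

  min_size = 3
  max_size = 3

  # The network interface has to be created in a subnet, so the ASG is given the
  # subnet rather than only an availability zone.
  vpc_zone_identifier = ["${aws_subnet.nodes.id}"]

  tag {
    key                 = "Name"
    value               = "node"
    propagate_at_launch = true
  }
}
```

After `terraform apply`, the launch template should have exactly one security group list, on the network interface, and the ASG should report the template's latest version rather than `$Default`; if either differs, the two workarounds in this thread (SG on the interface only, and pinning `latest_version`) have not both taken effect.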
I think this comes from a limitation in the EC2 API where instance security groups aren't compatible with network interfaces with public IP addresses (only the network interface will have a security group), but the vague error message makes me unsure.

I tried doing what @Yashiroo did, but I still get the error. Did you clear terraform and manually delete the resources?

This worked for me, but only after I attempted Yashiroo's workaround: