"Error authorizing security group egress rules: InvalidParameterValue: Only Amazon VPC security groups may be used with this operation" and "Security group(s) can be applied to only an ELB in VPC".


Gary Yang

Apr 11, 2018, 11:53:14 AM
to terrafo...@googlegroups.com

Hi,


I am creating a cluster of web servers. I got two errors.


"Error authorizing security group egress rules: InvalidParameterValue: Only Amazon VPC security groups may be used with this operation" and "Security group(s) can be applied to only an ELB in VPC". 



Here are the errors and source. Can anyone help?



Errors:


Errors related to security group egress rules:


aws_launch_configuration.example: Creation complete after 2s (ID: terraform-20180410215736754200000001)

Error: Error applying plan:

1 error(s) occurred:

* aws_security_group.elb: 1 error(s) occurred:

* aws_security_group.elb: Error authorizing security group egress rules: InvalidParameterValue: Only Amazon VPC security groups may be used with this operation.
	status code: 400, request id: 597a8900-e358-460f-8e25-4f8817c5c1a6



Here is the source code:


cat main.tf
provider "aws" {
  region = "us-east-1"
}

resource "aws_autoscaling_group" "example" {
  launch_configuration = "${aws_launch_configuration.example.id}"
  availability_zones = ["us-east-1a","us-east-1b","us-east-1c","us-east-1d"]

  min_size = 2
  max_size = 10

  load_balancers = ["${aws_elb.example.name}"]
  health_check_type = "ELB"

  tag {
    key = "Name"
    value = "terraform-asg-example"
    propagate_at_launch = true
  }
}

resource "aws_launch_configuration" "example" {
  # Ubuntu Server 14.04 LTS (HVM), SSD Volume Type in us-east-1
  image_id = "ami-2d39803a"
  instance_type = "t2.micro"
  security_groups = ["${aws_security_group.instance.id}"]

  user_data = <<-EOF
              #!/bin/bash
              echo "Hello, World" > index.html
              nohup busybox httpd -f -p "${var.server_port}" &
              EOF

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_security_group" "instance" {
  name = "terraform-example-instance"

  # Inbound HTTP from anywhere
  ingress {
    from_port = "${var.server_port}"
    to_port = "${var.server_port}"
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_elb" "example" {
  name = "terraform-asg-example"
  security_groups = ["${aws_security_group.elb.id}"]
  availability_zones = ["us-east-1a","us-east-1b","us-east-1c","us-east-1d"]

  health_check {
    healthy_threshold = 2
    unhealthy_threshold = 2
    timeout = 3
    interval = 30
    target = "HTTP:${var.server_port}/"
  }

  # This adds a listener for incoming HTTP requests.
  listener {
    lb_port = 80
    lb_protocol = "http"
    instance_port = "${var.server_port}"
    instance_protocol = "http"
  }
}

resource "aws_security_group" "elb" {
  name = "terraform-example-elb"

  # Allow all outbound
  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Inbound HTTP from anywhere
  ingress {
    from_port = 80
    to_port = 80
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

cat vars.tf
variable "server_port" {
  description = "The port the server will use for HTTP requests"
  default = 8080
}

cat outputs.tf
output "elb_dns_name" {
  value = "${aws_elb.example.dns_name}"
}


After adding vpc_id to resource "aws_security_group" "elb" {}, I got "Security group(s) can be applied to only an ELB in VPC".


Error: Error applying plan:

1 error(s) occurred:

* aws_elb.example: 1 error(s) occurred:

* aws_elb.example: InvalidConfigurationRequest: Security group(s) can be applied to only an ELB in VPC.
	status code: 409, request id: 8ed46978-3d0b-11e8-b99a-a3ef9c006301





resource "aws_security_group" "elb" {
  name = "terraform-example-elb"
  vpc_id = "My-vpc-ID"

  # Allow all outbound
  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Inbound HTTP from anywhere
  ingress {
    from_port = 80
    to_port = 80
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}



Clint Shryock

Apr 12, 2018, 4:37:31 PM
to terrafo...@googlegroups.com
For ELBs:

>Exactly one of availability_zones or subnets must be specified: this determines if the ELB exists in a VPC or in EC2-classic.


If you're specifying `availability_zones`, then your ELB is being created in EC2-Classic.

Cheers,
Clint

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CAHMk6OFMs1SHCRsXs5X8nHMDF22i-rGyWVNzG_pop8_N7pHO-w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Gary Yang

Apr 19, 2018, 12:53:16 AM
to terrafo...@googlegroups.com, cl...@hashicorp.com
Hi Clint,

I read your link. But I do not understand. Can you please be a bit more specific?

I got three different errors. I placed vpc_id in resource "aws_security_group" "elb" {} and resource "aws_security_group" "instance" {}:

resource "aws_security_group" "elb" {
  name = "terraform-example-elb"
  vpc_id = "vpc-my-id"
  ......
}

resource "aws_security_group" "instance" {
  name = "terraform-example-instance"
  vpc_id = "vpc-my-id"
  ......
}

I got "security group already exists" error:


* aws_security_group.elb: 1 error(s) occurred:

* aws_security_group.elb: Error creating Security Group: InvalidGroup.Duplicate: The security group 'terraform-example-elb' already exists for VPC 'vpc-24b12f5f'
	status code: 400, request id: 1a7208d9-31c1-4fde-a932-646294f2d333



Here is the source code:

provider "aws" {
  region = "us-east-1"
}

data "aws_availability_zones" "all" {}

resource "aws_autoscaling_group" "example" {
  launch_configuration = "${aws_launch_configuration.example.id}"
  availability_zones = ["${data.aws_availability_zones.all.names}"]

  min_size = 2
  max_size = 10

  load_balancers = ["${aws_elb.example.name}"]
  health_check_type = "ELB"

  tag {
    key = "Name"
    value = "terraform-asg-example"
    propagate_at_launch = true
  }
}

resource "aws_launch_configuration" "example" {
  image_id = "ami-2d39803a"
  instance_type = "t2.micro"
  security_groups = ["${aws_security_group.instance.id}"]

  user_data = <<-EOF
              #!/bin/bash
              echo "Hello, World" > index.html
              nohup busybox httpd -f -p "${var.server_port}" &
              EOF

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_security_group" "instance" {
  name = "terraform-example-instance"
  vpc_id = "vpc-24b12f5f"

  ingress {
    from_port = "${var.server_port}"
    to_port = "${var.server_port}"
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_elb" "example" {
  name = "terraform-asg-example"
  security_groups = ["${aws_security_group.elb.id}"]
  availability_zones = ["${data.aws_availability_zones.all.names}"]

  health_check {
    healthy_threshold = 2
    unhealthy_threshold = 2
    timeout = 3
    interval = 30
    target = "HTTP:${var.server_port}/"
  }

  listener {
    lb_port = 80
    lb_protocol = "http"
    instance_port = "${var.server_port}"
    instance_protocol = "http"
  }
}

resource "aws_security_group" "elb" {
  name = "terraform-example-elb"
  vpc_id = "vpc-24b12f5f"

  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port = 80
    to_port = 80
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}



I commented out vpc_id in resource "aws_security_group" "elb" {}. Then I got "Only Amazon VPC security groups may be used with this operation". I have no idea what is wrong.

resource "aws_security_group" "elb" {
  name = "terraform-example-elb"
  #vpc_id = "vpc-my-id"
  ......
}

* aws_security_group.elb: 1 error(s) occurred:

* aws_security_group.elb: Error authorizing security group egress rules: InvalidParameterValue: Only Amazon VPC security groups may be used with this operation.
	status code: 400, request id: e78a1dc8-c081-4b47-b9c5-6251d2ea1c4f




I placed subnet_id in resource "aws_launch_configuration" "example" {}. Then I got:

Error: aws_launch_configuration.example: : invalid or unknown key: subnet_id

resource "aws_launch_configuration" "example" {
  # Ubuntu Server 14.04 LTS (HVM), SSD Volume Type in us-east-1
  image_id = "ami-2d39803a"
  instance_type = "t2.micro"
  security_groups = ["${aws_security_group.instance.id}"]
  subnet_id = "subnet-my-id"
  ......
}


Please help.


Clint Shryock

Apr 19, 2018, 5:49:40 PM
to Gary Yang, terrafo...@googlegroups.com
By specifying `availability_zones` in your `aws_elb`, you are instructing Terraform to create that ELB in EC2 Classic. The AWS API for creating ELBs only offers `availability_zones` in EC2 Classic.
The `security_groups` attribute of `aws_elb` is only valid for ELBs created in a VPC. You cannot specify both when defining `aws_elb`. 

For `resource_aws_security_group`, `egress` rules are only allowed for security groups created in a VPC. Egress rules are not supported in EC2 Classic. 

Regarding the duplicate security group, I would inspect the console and look for it, it sounds like you do already have that name. 

I have not verified this example recently, but this may help:


Basically, instead of availability zones you need to set subnets in your `aws_elb`.

Cheers,
Clint

Gary Yang

Apr 19, 2018, 8:11:13 PM
to Clint Shryock, terrafo...@googlegroups.com
Hi Clint,

Thank you for your reply. I got

Error: aws_autoscaling_group.example: : invalid or unknown key: subnets

if I place subnets in resource "aws_autoscaling_group" "example" {}:

resource "aws_autoscaling_group" "example" {
  launch_configuration = "${aws_launch_configuration.example.id}"
  subnets = ["${aws_subnet.tf_test_subnet.id}"]
  ......
}


If I comment out subnets in resource "aws_autoscaling_group" "example" {}, then I got:

* aws_autoscaling_group.example: Error creating AutoScaling Group: ValidationError: At least one Availability Zone or VPC Subnet is required.
	status code: 400, request id: 04451d3e-442f-11e8-af40-e1aa71748b4c



Any idea?

Here is the source code:


provider "aws" {
  region = "us-east-1"
}

resource "aws_subnet" "tf_test_subnet" {
  vpc_id                  = "${aws_vpc.default.id}"
  cidr_block              = "10.0.0.0/24"
  map_public_ip_on_launch = true

  tags {
    Name = "tf_test_subnet"
  }
}

resource "aws_vpc" "default" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true

  tags {
    Name = "tf_test"
  }
}

resource "aws_internet_gateway" "gw" {
  vpc_id = "${aws_vpc.default.id}"

  tags {
    Name = "tf_test_ig"
  }
}

resource "aws_route_table" "r" {
  vpc_id = "${aws_vpc.default.id}"

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.gw.id}"
  }

  tags {
    Name = "aws_route_table"
  }
}

resource "aws_route_table_association" "a" {
  subnet_id      = "${aws_subnet.tf_test_subnet.id}"
  route_table_id = "${aws_route_table.r.id}"
}

resource "aws_autoscaling_group" "example" {
  launch_configuration = "${aws_launch_configuration.example.id}"
  #subnets = ["${aws_subnet.tf_test_subnet.id}"]

  min_size = 2
  max_size = 10

  load_balancers = ["${aws_elb.example.name}"]
  health_check_type = "ELB"

  tag {
    key = "Name"
    value = "terraform-asg-example"
    propagate_at_launch = true
  }
}

resource "aws_launch_configuration" "example" {
  image_id = "ami-2d39803a"
  instance_type = "t2.micro"
  security_groups = ["${aws_security_group.instance.id}"]

  user_data = <<-EOF
              #!/bin/bash
              echo "Hello, World" > index.html
              nohup busybox httpd -f -p "${var.server_port}" &
              EOF

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_security_group" "instance" {
  name = "terraform-example-instance"
  vpc_id      = "${aws_vpc.default.id}"

  ingress {
    from_port = "${var.server_port}"
    to_port = "${var.server_port}"
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_elb" "example" {
  name = "terraform-asg-example"
  subnets = ["${aws_subnet.tf_test_subnet.id}"]

  security_groups = ["${aws_security_group.elb.id}"]

  health_check {
    healthy_threshold = 2
    unhealthy_threshold = 2
    timeout = 3
    interval = 30
    target = "HTTP:${var.server_port}/"
  }

  listener {
    lb_port = 80
    lb_protocol = "http"
    instance_port = "${var.server_port}"
    instance_protocol = "http"
  }
}

resource "aws_security_group" "elb" {
  name = "terraform-example-elb"
  vpc_id      = "${aws_vpc.default.id}"

Clint Shryock

Apr 20, 2018, 10:48:10 AM
to Gary Yang, terrafo...@googlegroups.com
> Error: aws_autoscaling_group.example: : invalid or unknown key: subnets"

`subnets` is defined on the `aws_elb` resource, not the autoscaling group.

Please refer to the example I've given:

- https://github.com/terraform-providers/terraform-provider-aws/blob/master/examples/elb/main.tf

This example demonstrates creating a VPC, ELB, security groups, et al.

Here is another example from our tests that demonstrates a VPC, AutoScaling group, ELB, security group:

- https://github.com/terraform-providers/terraform-provider-aws/blob/72223ebf73b84e444832e857b41053b69827469c/aws/resource_aws_autoscaling_group_test.go#L1234-L1313

Please also be sure to be familiar with our documentation on how to use these resources, they clearly outline what attributes exist for each resource:

- https://www.terraform.io/docs/providers/aws/index.html

I'm sorry to say that further help is beyond the scope of this mailing list I believe. If you continue to have issues I recommend revisiting the documentation and trying to create your cluster one step at a time, so it's easier to correct issues one resource at a time.

Cheers,
Clint
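Pulling Clint's two answers together (create the ELB in a VPC with `subnets` rather than `availability_zones`, and attach every security group to that VPC with `vpc_id`, so that `security_groups` on the ELB and the `egress` rule are both accepted), here is one complete configuration that avoids each of the errors quoted in this thread. It is an added example, not code from the thread or from the terraform-provider-aws examples Clint links, and it uses the thread's Terraform 0.11 interpolation syntax and AMI id. Three points are my assumptions rather than anything the thread states: the autoscaling group is placed in the VPC with `vpc_zone_identifier`, the `aws_autoscaling_group` argument for subnets (the `subnets` key Gary tried does not exist on that resource); the instance security group admits port 8080 only from the ELB's security group instead of from `0.0.0.0/0`, so instances are reachable only through the load balancer; and the ELB group's outbound rule is narrowed to port 8080 inside the VPC instead of allow-all.

```hcl
provider "aws" {
  region = "us-east-1"
}

# Network the ELB and ASG live in: a VPC, one public subnet, and a route to the internet.
resource "aws_vpc" "default" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_internet_gateway" "gw" {
  vpc_id = "${aws_vpc.default.id}"
}

resource "aws_subnet" "public" {
  vpc_id                  = "${aws_vpc.default.id}"
  cidr_block              = "10.0.0.0/24"
  map_public_ip_on_launch = true
}

resource "aws_route_table" "public" {
  vpc_id = "${aws_vpc.default.id}"
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.gw.id}"
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = "${aws_subnet.public.id}"
  route_table_id = "${aws_route_table.public.id}"
}

# ELB security group: vpc_id binds it to the VPC, which is why its egress rule is accepted.
resource "aws_security_group" "elb" {
  name   = "terraform-example-elb"
  vpc_id = "${aws_vpc.default.id}"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # Assumption: outbound narrowed to the instance port inside the VPC (the thread allowed all outbound).
  egress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["${aws_vpc.default.cidr_block}"]
  }
}

# Instance security group. Assumption: port 8080 admits only the ELB's group, not 0.0.0.0/0.
resource "aws_security_group" "instance" {
  name   = "terraform-example-instance"
  vpc_id = "${aws_vpc.default.id}"
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = ["${aws_security_group.elb.id}"]
  }
}

# subnets (not availability_zones) creates the ELB in the VPC, which is what makes security_groups valid.
resource "aws_elb" "example" {
  name            = "terraform-asg-example"
  subnets         = ["${aws_subnet.public.id}"]
  security_groups = ["${aws_security_group.elb.id}"]
  listener {
    lb_port           = 80
    lb_protocol       = "http"
    instance_port     = 8080
    instance_protocol = "http"
  }
}

resource "aws_launch_configuration" "example" {
  image_id        = "ami-2d39803a"
  instance_type   = "t2.micro"
  security_groups = ["${aws_security_group.instance.id}"]
  user_data = <<-EOF
              #!/bin/bash
              echo "Hello, World" > index.html
              nohup busybox httpd -f -p 8080 &
              EOF
}

# Assumption: vpc_zone_identifier is the ASG argument for VPC subnets; `subnets` is not a key on this resource.
resource "aws_autoscaling_group" "example" {
  launch_configuration = "${aws_launch_configuration.example.id}"
  vpc_zone_identifier  = ["${aws_subnet.public.id}"]
  min_size             = 2
  max_size             = 10
  load_balancers       = ["${aws_elb.example.name}"]
  health_check_type    = "ELB"
}
```

If either "Only Amazon VPC security groups may be used with this operation" or "Security group(s) can be applied to only an ELB in VPC" comes back after `terraform apply`, the first things to check are that no `availability_zones` argument has crept back into `aws_elb` and that every `aws_security_group` still carries a `vpc_id`; an `InvalidGroup.Duplicate` error on the group names means a group from an earlier partial apply is still in the account and has to be destroyed or imported first.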

Kris Wright

Aug 19, 2018, 11:31:50 PM
to Terraform
Gary,
If something already exists, then you probably forgot to run "terraform destroy." I had this problem myself. Even if running "terraform apply" results in an error, it will still provision some things in AWS, so you must destroy them before trying again. Hope this helps. 