Terraform shows `InvalidGroup.NotFound` while creating an EC2 instance

Asked 8/1, 2021 at 11:58 Answered 12/9 at 4:11

Solved amazon-web-services terraform terraform-provider-aws

I am trying to deploy EC2 instances using Terrafom and I can see the following error:

Error: Error launching source instance: InvalidGroup.NotFound: The security group 'prod-web-servers-sg' does not exist in VPC 'vpc-db3a3cb3'

Here is the Terraform template I'm using:

resource "aws_default_vpc" "default" {
}

resource "aws_security_group" "prod-web-servers-sg" {
name        = "prod-web-servers-sg"
description = "security group for production grade web servers"
vpc_id      = "${aws_default_vpc.default.id}"

ingress {
from_port   = 80
to_port     = 80
protocol    = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port   = 443
to_port     = 443
protocol    = "tcp"
cidr_blocks = ["0.0.0.0/0"]
  }
}

#Subnet

 resource "aws_subnet" "private_subnet" {
 vpc_id     = "${aws_default_vpc.default.id}"
 cidr_block = "172.31.0.0/24"
 availability_zone = "ap-south-1a"
 }

 resource "aws_instance" "prod-web-server" {
 ami           = "ami-04b1ddd35fd71475a"
 count    = 2
 key_name = "test_key"
 instance_type = "r5.large"
 security_groups = ["prod-web-servers-sg"]
 subnet_id = "${aws_subnet.private_subnet.id}"
  }

Freedwoman answered 8/1, 2021 at 11:58 Comment(0)

You have a race condition there because Terraform doesn't know to wait until the security group is created before creating the instance.

To fix this you should interpolate the aws_security_group.prod-web-servers-sg.id into aws_instance.prod-web-server resource so that it can work out the dependency chain between the resources. You should also use vpc_security_group_ids instead of security_groups as mentioned in the aws_instance resource documentation:

security_groups - (Optional, EC2-Classic and default VPC only) A list of security group names (EC2-Classic) or IDs (default VPC) to associate with.

NOTE: If you are creating Instances in a VPC, use vpc_security_group_ids instead.

So you should have something like the following:

resource "aws_default_vpc" "default" {}

resource "aws_security_group" "prod-web-servers-sg" {
  name        = "prod-web-servers-sg"
  description = "security group for production grade web servers"
  vpc_id      = aws_default_vpc.default.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

#Subnet

resource "aws_subnet" "private_subnet" {
  vpc_id            = aws_default_vpc.default.id
  cidr_block        = "172.31.0.0/24"
  availability_zone = "ap-south-1a"
}

resource "aws_instance" "prod-web-server" {
  ami                    = "ami-04b1ddd35fd71475a"
  count                  = 2
  key_name               = "test_key"
  instance_type          = "r5.large"
  vpc_security_group_ids = [aws_security_group.prod-web-servers-sg.id]
  subnet_id              = aws_subnet.private_subnet.id
}

Chongchoo answered 8/1, 2021 at 13:21 Comment(2)

Thank you for the vpc_security_group_ids! For me the VPC and the SG was already deployed. I could see them in the console. but still got this error with terraform. vpc_security_group_ids solved it for me instead of the names. – Krahmer 16/6, 2022 at 18:32

Got the exact same error, due to account mismatch , yes filling the security seemed to resolve temporality but the main cause from terraform applying resources to wrong account. – Kinkajou 26/1 at 8:14

Error:-- creating EC2 Instance: InvalidGroup.NotFound: The security group 'terraform-20240912034551254600000001' does not exist in VPC 'vpc-0315c4545621e2bd

Note:- Change the [aws_security_group.production_sg.name] to [aws_security_group.production_sg.id] in the code. It will works for me.

security_groups = [aws_security_group.production_sg.id]

Jannery answered 12/9 at 4:11 Comment(0)

Recommended topics

Hot tags