问题描述
我使用提供了VPC和ec2实例的模块“ terraform-aws-modules / vpc / aws”和“ terraform-aws-modules / ec2-instance / aws”。请参见下面的代码。我可以通过堡垒主机公共IP SSH登录到堡垒主机。在堡垒主机内部,我无法ping和ssh登录到其私有IP的其他ec2实例。我在ec2实例中添加了安全组sg_ssh。但是,我仍然无法从堡垒主机登录到ec2实例。 sg_ssh是否正确?
main.tf
# terraform configuration
provider "aws" {
region = "us-west-2"
}
resource "aws_security_group" "sg_ssh" {
vpc_id = module.vpc.vpc_id
name = "sg_ssh"
ingress {
from_port = "22"
to_port = "22"
protocol = "tcp"
cidr_blocks = ["30.0.0.0/16"]
}
tags = {
Name = "sg_ssh"
}
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "2.21.0"
name = var.vpc_name
cidr = var.vpc_cidr
azs = var.vpc_azs
private_subnets = var.vpc_private_subnets
public_subnets = var.vpc_public_subnets
enable_nat_gateway = var.vpc_enable_nat_gateway
tags = var.vpc_tags
}
module "ec2_instances" {
source = "terraform-aws-modules/ec2-instance/aws"
version = "2.12.0"
name = "my-ec2-cluster"
instance_count = 2
ami = "ami-0c5204531f799e0c6"
instance_type = "t2.micro"
vpc_security_group_ids = [module.vpc.default_security_group_id,aws_security_group.sg_ssh.id]
subnet_id = module.vpc.public_subnets[0]
tags = {
terraform = "true"
Environment = "dev"
}
}
# Bastion
resource "aws_security_group" "allow-ssh" {
vpc_id = module.vpc.vpc_id
name = "allow-ssh"
description = "security group that allows ssh and all egress traffic"
egress {
from_port = "0"
to_port = "0"
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = "22"
to_port = "22"
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "allow-ssh"
}
}
resource "aws_instance" "bastion_instance" {
ami = "ami-0c5204531f799e0c6"
instance_type = "t2.micro"
subnet_id = module.vpc.public_subnets[0]
vpc_security_group_ids = [aws_security_group.allow-ssh.id]
key_name = var.key_name
tags = {
Name = "bastion_instance"
}
}
解决方法
您尚未将ssh入口添加到ec2中。
在ec2模块中:
vpc_security_group_ids = [module.vpc.default_security_group_id]
您仅将它们注册到默认的vpc安全组,该组可能未配置为允许ssh。
您将需要创建一个允许从该堡垒使用ssh的安全组,并将其附加到您的ec2s。