
Ich habe das folgende Skript (Problem: ich kann mich nicht per SSH mit dem Server verbinden, obwohl die Sicherheitsgruppe es erlaubt):

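provider "aws" {
    # Credentials are deliberately not written into the configuration. The
    # provider picks them up from the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
    # environment variables or the shared ~/.aws/credentials file, which keeps
    # secrets out of the .tf files (and out of version control).
    region = "sa-east-1"
}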

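resource "aws_vpc" "main" {
    cidr_block = "10.0.0.0/16"

    # A custom VPC does not assign public DNS hostnames to instances unless
    # this is enabled; with it left unset the plan shows enable_dns_hostnames
    # as <computed> and the instance ends up without a public DNS name.
    enable_dns_hostnames = true
}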

resource "aws_internet_gateway" "igw" {
    # Internet gateway attached to the main VPC. On its own it carries no
    # traffic: a route table must point 0.0.0.0/0 at it.
    tags {
        Name = "igw"
    }

    vpc_id = "${aws_vpc.main.id}"
}

resource "aws_subnet" "main" {
    cidr_block = "10.0.1.0/24"
    vpc_id     = "${aws_vpc.main.id}"

    # NOTE(review): nothing in this configuration associates a route table
    # that sends 0.0.0.0/0 to the IGW with this subnet; without that route the
    # security group rules alone do not make the instance reachable.
    depends_on = ["aws_internet_gateway.igw"]

    tags {
        Name = "Main"
    }
}

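# Source ranges allowed to reach port 22. The default preserves the original
# behaviour (open to the whole internet); narrow it to your own address range
# so the SSH port is not exposed to every scanner.
variable "ssh_allowed_cidrs" {
    type    = "list"
    default = ["0.0.0.0/0"]
}

resource "aws_security_group" "ssh" {
    name        = "ssh"
    description = "(Proxy) Allow SSH"
    vpc_id      = "${aws_vpc.main.id}"

    # Inbound: TCP/22 only, from the configured source ranges.
    ingress {
        from_port   = 22
        to_port     = 22
        protocol    = "tcp"
        cidr_blocks = "${var.ssh_allowed_cidrs}"
    }

    # Outbound: unrestricted (protocol "-1" means all protocols and ports).
    egress {
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
    }
}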

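resource "aws_instance" "proxy" {
    ami           = "ami-286f2a44"
    instance_type = "t2.micro"
    key_name      = "spkeypar"
    subnet_id     = "${aws_subnet.main.id}"

    # The instance is launched into a VPC subnet, so the security group has to
    # be passed by ID through vpc_security_group_ids. The `security_groups`
    # argument is the EC2-Classic / default-VPC form and expects group names.
    vpc_security_group_ids = ["${aws_security_group.ssh.id}"]

    # No auto-assigned public address: reachability comes from the Elastic IP
    # that is associated with this instance elsewhere in the configuration.
    associate_public_ip_address = false
}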

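resource "aws_eip" "pib" {
    instance = "${aws_instance.proxy.id}"
    vpc      = true

    # The aws_eip documentation notes that associating an EIP with an instance
    # in a VPC can fail when the internet gateway does not exist yet; make that
    # ordering explicit instead of relying on luck.
    depends_on = ["aws_internet_gateway.igw"]
}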

# Address to SSH to: the Elastic IP, not the instance's own (absent) public IP.
output "ip" { value = "${aws_eip.pib.public_ip}" }

Wenn es fertig ist, kann ich sehen, dass alles erstellt wurde: Die Sicherheitsgruppe hat Port 22 offen und ist korrekt an die Instanz angehängt, aber ich kann mich trotzdem nicht per SSH verbinden. Ich benutze die öffentliche Adresse der Elastic IP.

Dies ist die Ausgabe von terraform plan:

Terraform will perform the following actions: 

    + aws_eip.pib 
     id:         <computed> 
     allocation_id:       <computed> 
     association_id:      <computed> 
     domain:        <computed> 
     instance:        "${aws_instance.proxy.id}" 
     network_interface:      <computed> 
     private_ip:       <computed> 
     public_ip:        <computed> 
     vpc:         "true" 

    + aws_instance.proxy 
     id:         <computed> 
     ami:         "ami-286f2a44" 
     associate_public_ip_address:   "false" 
     availability_zone:      <computed> 
     ebs_block_device.#:     <computed> 
     ephemeral_block_device.#:    <computed> 
     instance_state:      <computed> 
     instance_type:       "t2.micro" 
     ipv6_address_count:     <computed> 
     ipv6_addresses.#:      <computed> 
     key_name:        "spkeypar" 
     network_interface.#:     <computed> 
     network_interface_id:     <computed> 
     placement_group:      <computed> 
     primary_network_interface_id:   <computed> 
     private_dns:       <computed> 
     private_ip:       <computed> 
     public_dns:       <computed> 
     public_ip:        <computed> 
     root_block_device.#:     <computed> 
     security_groups.#:      <computed> 
     source_dest_check:      "true" 
     subnet_id:        "${aws_subnet.main.id}" 
     tenancy:        <computed> 
     volume_tags.%:       <computed> 
     vpc_security_group_ids.#:    <computed> 

    + aws_internet_gateway.igw 
     id:         <computed> 
     tags.%:        "1" 
     tags.Name:        "igw" 
     vpc_id:        "${aws_vpc.main.id}" 

    + aws_security_group.ssh 
     id:         <computed> 
     description:       "(Proxy) Allow SSH" 
     egress.#:        "1" 
     egress.482069346.cidr_blocks.#:  "1" 
     egress.482069346.cidr_blocks.0:  "0.0.0.0/0" 
     egress.482069346.description:   "" 
     egress.482069346.from_port:   "0" 
     egress.482069346.ipv6_cidr_blocks.#: "0" 
     egress.482069346.prefix_list_ids.#: "0" 
     egress.482069346.protocol:    "-1" 
     egress.482069346.security_groups.#: "0" 
     egress.482069346.self:     "false" 
     egress.482069346.to_port:    "0" 
     ingress.#:        "1" 
     ingress.2541437006.cidr_blocks.#:  "1" 
     ingress.2541437006.cidr_blocks.0:  "0.0.0.0/0" 
     ingress.2541437006.description:  "" 
     ingress.2541437006.from_port:   "22" 
     ingress.2541437006.ipv6_cidr_blocks.#: "0" 
     ingress.2541437006.protocol:   "tcp" 
     ingress.2541437006.security_groups.#: "0" 
     ingress.2541437006.self:    "false" 
     ingress.2541437006.to_port:   "22" 
     name:         "ssh" 
     owner_id:        <computed> 
     revoke_rules_on_delete:    "false" 
     vpc_id:        "${aws_vpc.main.id}" 

    + aws_subnet.main 
     id:         <computed> 
     assign_ipv6_address_on_creation:  "false" 
     availability_zone:      <computed> 
     cidr_block:       "10.0.1.0/24" 
     ipv6_cidr_block:      <computed> 
     ipv6_cidr_block_association_id:  <computed> 
     map_public_ip_on_launch:    "false" 
     tags.%:        "1" 
     tags.Name:        "Main" 
     vpc_id:        "${aws_vpc.main.id}" 

    + aws_vpc.main 
     id:         <computed> 
     assign_generated_ipv6_cidr_block:  "false" 
     cidr_block:       "10.0.0.0/16" 
     default_network_acl_id:    <computed> 
     default_route_table_id:    <computed> 
     default_security_group_id:    <computed> 
     dhcp_options_id:      <computed> 
     enable_classiclink:     <computed> 
     enable_classiclink_dns_support:  <computed> 
     enable_dns_hostnames:     <computed> 
     enable_dns_support:     "true" 
     instance_tenancy:      <computed> 
     ipv6_association_id:     <computed> 
     ipv6_cidr_block:      <computed> 
     main_route_table_id:     <computed> 


Plan: 6 to add, 0 to change, 0 to destroy. 

Ich habe die Dokumentation gelesen, aber keinen Hinweis finden können.


Sie benötigen keine separate EIP. Warum setzen Sie nicht `associate_public_ip_address = true` und geben `aws_instance.proxy.public_ip_address` aus? – favoretti


In meinem Fall brauche ich sie wirklich :( –


Ok, wo ist dann Ihre Zuordnung der EIP zur Instanz? – favoretti

Antwort


Ihre Zuordnung der EIP zur Instanz scheint zu fehlen, wie in https://www.terraform.io/docs/providers/aws/r/eip_association.html beschrieben.

Ok, das war es nicht ... Dann fehlt das öffentliche Routing, eine weitere Sache, die ich vermisse (mit anderen Worten: alles in diesem Subnetz zum IGW):

# Public routing: a dedicated route table for the subnet that should reach the internet.
resource "aws_route_table" "public" { vpc_id = "${aws_vpc.main.id}" }

resource "aws_route" "public_default" {
    # Default route: anything not local to the VPC leaves through the IGW.
    destination_cidr_block = "0.0.0.0/0"
    gateway_id             = "${aws_internet_gateway.igw.id}"
    route_table_id         = "${aws_route_table.public.id}"
}

resource "aws_route_table_association" "public" {
    # Bind the public route table to the subnet; without this association the
    # subnet keeps using the VPC's main route table, which has no IGW route.
    route_table_id = "${aws_route_table.public.id}"
    subnet_id      = "${aws_subnet.main.id}"
}

Und in Ihrer Subnetz-Definition benötigen Sie:

map_public_ip_on_launch = true 

Sonst wird es ein privates Subnetz sein.


Habe das gerade gemacht; die EIP ist jetzt korrekt mit der Instanz verbunden, aber ich kann mich immer noch nicht per SSH verbinden –


Ich habe manuell eine weitere IP erstellt und gerade gesehen, dass diese neue einen öffentlichen DNS-Namen hat, während die per Terraform erstellte keinen hat –


Oh, Moment, ich habe gerade gesehen, dass Sie die EIP tatsächlich mit der Instanz verknüpfen. Hmm. Seltsam. Funktioniert es, wenn Sie die EIP über die UI zuweisen? – favoretti
