
I am trying to spin up an AWS bastion host on AWS EC2. I am using the Terraform module provided by Guimove. I am getting stuck on the bastion_host_key_pair field. I need to provide a key pair that can be used to launch the EC2 template, but the bucket (aws_s3_bucket.bucket) that needs to contain the public key of the key pair gets created during the module, therefore the key isn't there when it tries to launch the instance and it fails. It feels like a chicken-and-egg scenario, so I am obviously doing something wrong. What am I doing wrong?

Error:

╷
│ Error: Error creating Auto Scaling Group: AccessDenied: You are not authorized to use launch template: lt-004b0af2895c684b3
│       status code: 403, request id: c6096e0d-dc83-4384-a036-f35b8ca292f8
│
│   with module.bastion.aws_autoscaling_group.bastion_auto_scaling_group,
│   on .terraform\modules\bastion\main.tf line 300, in resource "aws_autoscaling_group" "bastion_auto_scaling_group":
│  300: resource "aws_autoscaling_group" "bastion_auto_scaling_group" {
│
╵

Terraform:

resource "tls_private_key" "bastion_host" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "bastion_host" {
  key_name   = "bastion_user"
  public_key = tls_private_key.bastion_host.public_key_openssh
}

resource "aws_s3_bucket_object" "bucket_public_key" {
  bucket     = aws_s3_bucket.bucket.id
  key        = "public-keys/${aws_key_pair.bastion_host.key_name}.pub"
  content    = aws_key_pair.bastion_host.public_key
  kms_key_id = aws_kms_key.key.arn
}

module "bastion" {
  source = "Guimove/bastion/aws"
  bucket_name = "${var.identifier}-ssh-bastion-bucket-${var.env}"
  region = var.aws_region
  vpc_id = var.vpc_id
  is_lb_private = "false"
  bastion_host_key_pair = aws_key_pair.bastion_host.key_name
  create_dns_record = "false"
  elb_subnets = var.public_subnet_ids
  auto_scaling_group_subnets = var.public_subnet_ids
  instance_type = "t2.micro"
  tags = {
    Name = "SSH Bastion Host - ${var.identifier}-${var.env}",
  }
}
raydenl
    Your error is about lack of permissions for the autoscaling group. I don't see how it relates to your S3 or the key pair. – Marcin Jun 15 '21 at 04:23
  • Maybe it does have nothing to do with those. I don't know, hence the question. The reason I suspected it might be is because the error is related to running the launch template, and the description on the `bastion_host_key_pair` field is 'Select the key pair to use to launch the bastion host'. Also the AWS credentials I am using to run Terraform under have full AdministratorAccess. – raydenl Jun 15 '21 at 04:43
  • 1
    The `AccessDenied` error seems to indicate the statement about the full Administrator Access may not be the whole truth. Are there any deny-statements present or service control policies? – Maurice Jun 15 '21 at 06:41
  • Where would I find deny-statements? I can't see the SCPs, so I would need to ask our AWS administrators. – raydenl Jun 15 '21 at 06:49
  • Yep, turns out there was a Deny policy in place that I had no access to see, DenyRunInstanceWithNoOwnerTag :S – raydenl Jun 16 '21 at 04:02
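A worked illustration of the resolution in the last comment (added here; this is not code from the question, the Guimove module or the answer): a minimal Python evaluator of an IAM-style explicit Deny with a `Null` condition on `aws:RequestTag/Owner`. The policy document, the ARN and the tag values are constructed assumptions in the spirit of the DenyRunInstanceWithNoOwnerTag policy mentioned above; the example shows why such a deny returns AccessDenied for an instance launch that carries no Owner tag even when the caller has AdministratorAccess, and why adding the tag clears it. The launch-template indirection in the original error message is not modelled.

```python
"""Toy evaluator for a tag-enforcing explicit Deny (added example, not from the post).

Only the IAM semantics needed here are modelled: an explicit Deny whose `Null`
condition on `aws:RequestTag/Owner` matches wins over any Allow, so a
RunInstances request without an Owner tag is rejected even for a principal
that holds AdministratorAccess.
"""
from fnmatch import fnmatchcase

# Constructed policy in the spirit of the "DenyRunInstanceWithNoOwnerTag" SCP
# named in the comments; the exact policy text is an assumption.
DENY_RUN_INSTANCE_WITH_NO_OWNER_TAG = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRunInstanceWithNoOwnerTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            # Null == "true" means "the request carries no tag called Owner".
            "Condition": {"Null": {"aws:RequestTag/Owner": "true"}},
        }
    ],
}

REQUEST_TAG_PREFIX = "aws:RequestTag/"


def _condition_matches(condition: dict, request_tags: dict) -> bool:
    """Evaluate the `Null` operator on aws:RequestTag/* keys (the only subset modelled)."""
    for operator, clauses in condition.items():
        if operator != "Null":
            raise NotImplementedError(f"condition operator {operator} is not modelled here")
        for key, expected in clauses.items():
            if not key.startswith(REQUEST_TAG_PREFIX):
                raise NotImplementedError(f"condition key {key} is not modelled here")
            tag_name = key[len(REQUEST_TAG_PREFIX):]
            is_null = tag_name not in request_tags
            if is_null != (expected == "true"):
                return False  # this clause does not match, so the statement does not apply
    return True


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def is_denied(policy: dict, action: str, resource: str, request_tags: dict) -> bool:
    """Return True if any Deny statement in `policy` matches the request.

    Action matching is case-insensitive like IAM; `*` wildcards are honoured
    in both Action and Resource via fnmatch.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), request_tags):
            return True
    return False


def run_instances_outcome(request_tags: dict, has_allow: bool = True) -> str:
    """Combine an Allow (e.g. AdministratorAccess) with the deny policy.

    An explicit Deny always wins; only when no Deny matches does the Allow decide.
    """
    resource = "arn:aws:ec2:us-east-1:111122223333:instance/*"  # constructed ARN
    if is_denied(DENY_RUN_INSTANCE_WITH_NO_OWNER_TAG, "ec2:RunInstances", resource, request_tags):
        return "AccessDenied"
    return "Allowed" if has_allow else "ImplicitDeny"


if __name__ == "__main__":
    # Tags as a launch template might apply them; constructed values.
    print(run_instances_outcome({"Name": "SSH Bastion Host"}))                      # AccessDenied
    print(run_instances_outcome({"Name": "SSH Bastion Host", "Owner": "platform"}))  # Allowed
```

The practical check this suggests: when an administrator-level principal still gets AccessDenied, look for an explicit Deny (in an SCP, a permissions boundary or a resource policy) before looking at the resource itself, because no amount of Allow overrides it.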

1 Answer

I had the same issue. The fix was to go into AWS Marketplace, accept the EULA and subscribe to the AMI I was trying to use.

mc7h
  • I'm not using an AMI, the bastion Terraform module I am using says it's optional... however, in AWS `You must specify an AMI when you launch an instance`... so not sure it truly is optional – raydenl Jun 15 '21 at 21:02
  • I see, it chooses a default AMI – raydenl Jun 15 '21 at 21:05