I'm trying to create an aws instance with an aws_network_interface as below:
resource "aws_network_interface" "lustre-mds01" {
  subnet_id   = "${var.subnet_id}"
  private_ips = ["10.1.0.10"]
}

resource "aws_instance" "lustre-mds01" {
  ami                    = "${var.ec2_ami}"
  instance_type          = "t2.nano"
  key_name               = "${var.key_name}"
  vpc_security_group_ids = ["${var.vpc_security_group_id}"]

  root_block_device {
    volume_type = "gp2"
    volume_size = 128
  }

  network_interface {
    network_interface_id = "${aws_network_interface.lustre-mds01.id}"
    device_index         = 0
  }
}
However, this results in:
Error: "network_interface": conflicts with vpc_security_group_ids
It appears there is an issue for this, but the ticket was closed due to inactivity. I'm a terraform noob, so I'm not sure if this looks like a bug or is just user error.
My environment:
$ terraform -v
Terraform v0.12.2
+ provider.aws v2.15.0
+ provider.external v1.1.2
+ provider.local v1.2.2
+ provider.null v2.1.2
The aws_network_interface resource allows you to set the security group for the interface (security groups are scoped by the ENI, so this makes sense), so if you define the network_interface block you're overriding the default ENI and can't specify security groups at the instance level.
So in your case you probably want something like:
resource "aws_network_interface" "lustre-mds01" {
  subnet_id       = "${var.subnet_id}"
  private_ips     = ["10.1.0.10"]
  security_groups = ["${var.vpc_security_group_id}"]
}

resource "aws_instance" "lustre-mds01" {
  ami           = "${var.ec2_ami}"
  instance_type = "t2.nano"
  key_name      = "${var.key_name}"

  root_block_device {
    volume_type = "gp2"
    volume_size = 128
  }

  network_interface {
    network_interface_id = "${aws_network_interface.lustre-mds01.id}"
    device_index         = 0
  }
}
However, I would question why you are replacing the default ENI here when it's much simpler to just set the private IP address of the instance directly in the aws_instance resource instead:
resource "aws_instance" "lustre-mds01" {
  ami                    = "${var.ec2_ami}"
  instance_type          = "t2.nano"
  key_name               = "${var.key_name}"
  subnet_id              = "${var.subnet_id}"
  private_ip             = "10.1.0.10"
  vpc_security_group_ids = ["${var.vpc_security_group_id}"]

  root_block_device {
    volume_type = "gp2"
    volume_size = 128
  }
}
You would also probably benefit from using data sources to select your security group and AMI instead of passing in opaque IDs for these. This allows them to be more self documenting.
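As an added example (not part of the question or the answer above), here is the answer's simplest form written in Terraform 0.12 syntax with the two opaque inputs, var.ec2_ami and var.vpc_security_group_id, replaced by data sources. The AMI filter values, the Name = "lustre-mds" tag, and the var.vpc_id, var.subnet_id and var.key_name variables are assumptions chosen for the example; substitute your own.

```hcl
# Added example, not the original poster's or answerer's code.
# Assumes: the security group is tagged Name = "lustre-mds" inside var.vpc_id,
# and an Amazon-owned Amazon Linux 2 AMI is acceptable for this host.

variable "vpc_id" {}
variable "subnet_id" {}
variable "key_name" {}

# Resolve the AMI by owner and name pattern instead of hard-coding an ID.
# Pinning `owners` is the part that matters: a name filter alone would also
# match a public AMI published by any account under a look-alike name.
data "aws_ami" "amazon_linux_2" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

# Look up the security group by tag within the target VPC. The data source
# fails the plan if zero or more than one group matches, so a typo surfaces
# at plan time rather than silently attaching the wrong group.
data "aws_security_group" "lustre_mds" {
  vpc_id = var.vpc_id

  tags = {
    Name = "lustre-mds"
  }
}

# Same shape as the answer's last block: let the instance own its default ENI
# and set the fixed private IP and security group directly on it.
resource "aws_instance" "lustre-mds01" {
  ami                    = data.aws_ami.amazon_linux_2.id
  instance_type          = "t2.nano"
  key_name               = var.key_name
  subnet_id              = var.subnet_id
  private_ip             = "10.1.0.10"
  vpc_security_group_ids = [data.aws_security_group.lustre_mds.id]

  root_block_device {
    volume_type = "gp2"
    volume_size = 128
  }
}
```

If the custom aws_network_interface really is needed (for example because the ENI must outlive the instance), the same data source can feed its security_groups argument. Do not leave security_groups off that resource: an ENI created without any security group is attached to the VPC's default security group, which is easy to miss in review and usually allows all traffic between members.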