 

Terraform throws "groupName cannot be used with the parameter subnet" or "VPC security groups may not be used for a non-VPC launch"

When trying to figure out how to configure an aws_instance with an AWS VPC, the following errors occur:

* Error launching source instance: InvalidParameterCombination: The parameter groupName cannot be used with the parameter subnet
    status code: 400, request id: []

or

* Error launching source instance: InvalidParameterCombination: VPC security groups may not be used for a non-VPC launch
    status code: 400, request id: []
Dennis Hoer asked Jul 22 '15 17:07


4 Answers

This is due to how a security group is associated with an instance.

Without a subnet it is OK to associate it using the security group's name:

resource "aws_instance" "server" {
  ...
  security_groups = [ "${aws_security_group.my_security_group.name}" ]
}

In the case where a subnet is also associated you cannot use the name, but should instead use the security group's ID:

security_groups = [ "${aws_security_group.my_security_group.id}" ]
subnet_id = "${aws_subnet.my_subnet.id}"

The above assumes you've created a security group named my_security_group and a subnet named my_subnet.

agbodike answered Nov 16 '22 20:11


tl;dr

When you specify a security group for a nondefault VPC to the CLI or the API actions, you must use the security group ID and not the security group name to identify the security group.

See: Security Groups for EC2-VPC


In other words, if you are trying to configure a VPC launch but the error complains about a non-VPC launch, please check the points below.

  • If you have specified subnet_id, then you can't use security_groups along with it. For a non-default VPC, you must use security group IDs instead.

  • Please specify the right subnet_id which indicates the subnet to boot the instance into (for VPC only). If you don't specify a subnet in the request, a default subnet will be assigned from your default VPC for you (EC2-VPC only accounts).

  • Make sure that you've chosen the right instance type (such as c4, m4, t2), see: Instance Types Available Only in a VPC.

See also: run-instances docs page:

  • Some instance types can only be launched into a VPC. If you do not have a default VPC, or if you do not specify a subnet ID in the request, run-instances fails.

  • --security-groups - [EC2-Classic, default VPC] One or more security group names. For a nondefault VPC, you must use security group IDs instead.

Related pages at AWS documentation:

  • Your Default VPC and Subnets
  • Your VPC and Subnets
kenorb answered Nov 16 '22 20:11


I came across a similar issue.

There is a relationship between a Security Group and Subnets: both link to a VPC. Therefore, if you issue a command to create an instance (e.g. an EC2 instance) in "subnet1", your instance will get created in "vpc1", where subnet1 is. When you don't define a Security Group, it will use the "default" security group in the VPC.

It makes sense why it does not allow security groups when you define a Subnet, because it can be complicated if you try to assign Security Groups that are not in the same VPC as the subnet.

But it would have been better if AWS allowed defining a security group, at least one in the same VPC as the subnet.

Dhanuka777 answered Nov 16 '22 20:11


When configuring AWS VPC, make sure to use only the Subnet ID and the Group IDs.

Example:

resource "aws_instance" "forms_selenium_hub_dev" {
  ...
  subnet_id = "subnet-1a2b3c4d5e" # Subnet - Subnet ID 
  vpc_security_group_ids = ["sg-a1b2c3d4e5"] # Security Groups - Group ID
}
Dennis Hoer answered Nov 16 '22 19:11
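Putting the first answer (referencing the group by ID via interpolation) and the last one (subnet_id plus vpc_security_group_ids) together, here is a complete configuration written as an added example, not code from any of the posters. It uses Terraform 0.12+ expression syntax, and the AMI and the administrative CIDR are assumed input variables. Because the security group is created with the same vpc_id as the subnet, the instance launch cannot hit the cross-VPC mismatch described above.

```hcl
# Assumed inputs: an AMI valid in your region and the CIDR allowed to reach the instance.
variable "ami_id" {
  type = string
}

variable "admin_cidr" {
  type = string # e.g. your office egress range; deliberately not 0.0.0.0/0
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

# Created inside the same VPC as the subnet, which is what a VPC launch requires.
resource "aws_security_group" "server" {
  name        = "server-sg"
  description = "SSH from the admin range only"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "server" {
  ami           = var.ami_id
  instance_type = "t2.micro"

  # VPC launch: reference both the subnet and the security group by ID.
  # Using "security_groups = [aws_security_group.server.name]" here instead
  # would reproduce the InvalidParameterCombination error from the question.
  subnet_id              = aws_subnet.app.id
  vpc_security_group_ids = [aws_security_group.server.id]
}
```

Running terraform plan before apply shows the resolved sg- and subnet- IDs, which is a quick way to confirm that no group name is being sent with the subnet.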