Cannot ssh to ibmcloud instance created via terraform

Question

I can successfully create an instance in IBMCloud via Terraform. The problem is that after successfully deploying I cannot ssh into the instance.

The version of the terraform-provider-ibm is: 1.11.2.

The version of terraform itself is: v0.12.20.

The terraform code I am using is the following:

provider "ibm" {
  ibmcloud_api_key   = ""
  region="eu-gb"
  generation = 2
}

variable "ssh_public_key" {
  default = "~/.ssh/id_rsa.pub"
}

resource "ibm_is_vpc" "testacc_vpc" {
  name = "testvpc"
}

resource "ibm_is_subnet" "testacc_subnet" {
  name            = "testsubnet"
  vpc             = ibm_is_vpc.testacc_vpc.id
  zone            = "eu-gb-1"
  ipv4_cidr_block = "10.242.0.0/24"
}

resource "ibm_is_ssh_key" "testacc_sshkey" {
  name       = "testssh"
  public_key = "file(var.ssh_public_key)"
}


resource "ibm_is_security_group" "testacc_security_group" {
    name = "test"
    vpc = ibm_is_vpc.testacc_vpc.id
}

resource "ibm_is_security_group_rule" "testacc_security_group_rule_all" {
    group = ibm_is_security_group.testacc_security_group.id
    direction = "inbound"
    remote = "127.0.0.1"
    depends_on = [ibm_is_security_group.testacc_security_group]
}

resource "ibm_is_security_group_rule" "testacc_security_group_rule_ssh" {
    group = ibm_is_security_group.testacc_security_group.id
    direction = "inbound"
    remote = "127.0.0.1"
    icmp {
        code = 22
        type = 22
    }
    depends_on = [ibm_is_security_group_rule.testacc_security_group_rule_all]
}
resource "ibm_is_instance" "testacc_instance" {
  name    = "testinstance"
  image   = "99edcc54-c513-4d46-9f5b-36243a1e50e2"
  profile = "cx2-2x4"

  primary_network_interface {
    subnet = ibm_is_subnet.testacc_subnet.id
  }

  network_interfaces {
    name   = "eth1"
    subnet = ibm_is_subnet.testacc_subnet.id
  }

  vpc  = ibm_is_vpc.testacc_vpc.id
  zone = "eu-gb-1"
  keys = [ibm_is_ssh_key.testacc_sshkey.id]
  depends_on = [ibm_is_security_group_rule.testacc_security_group_rule_ssh]

  //User can configure timeouts
  timeouts {
    create = "90m"
    delete = "30m"
  }
}

resource "ibm_is_floating_ip" "fip1" {
  name   = "fip1"
  target = ibm_is_instance.testacc_instance.primary_network_interface[0].id
}

output "sshcommand" {
  value = "ssh root@${ibm_is_floating_ip.fip1.address}"
}

Does anyone see any problem with the security rules? Am I missing some additional configuration?

Thanks everyone in advance!

Answer 1

There are a couple of changes that need to be done in the terraform file

1. You need to attach the instance (vsi) to the security group.
2. No need of an network interface if you are defining a primary network interface. In case, if you need one, remember to attach the security group with ssh rule using security_groups
3. The remote should be 0.0.0.0/0, not 127.0.0.1
4. Pass the SSH pub key value cat ~/.ssh/id_rsa.pub or create the SSH key from the UI and then pass the key name

data "ibm_is_ssh_key" "ds_key" {
    name = "test"
}

Here's the updated Terraform file with all the above-mentioned changes. For documentation, refer here

provider "ibm" {
  ibmcloud_api_key   = ""
  region="eu-gb"
  generation = 2
}


resource "ibm_is_vpc" "testacc_vpc" {
  name = "testvpc"
}

resource "ibm_is_subnet" "testacc_subnet" {
  name            = "testsubnet"
  vpc             = ibm_is_vpc.testacc_vpc.id
  zone            = "eu-gb-1"
  ipv4_cidr_block = "10.242.0.0/24"
}

resource "ibm_is_ssh_key" "testacc_sshkey" {
  name       = "testssh"
  public_key = "ssh-rsa xxxxxxx"
}


resource "ibm_is_security_group" "testacc_security_group" {
    name = "test"
    vpc = ibm_is_vpc.testacc_vpc.id
}

resource "ibm_is_security_group_rule" "testacc_security_group_rule_all" {
    group = ibm_is_security_group.testacc_security_group.id
    direction = "inbound"
    remote = "0.0.0.0/0"
    depends_on = [ibm_is_security_group.testacc_security_group]
}

resource "ibm_is_security_group_rule" "testacc_security_group_rule_ssh" {
    group = ibm_is_security_group.testacc_security_group.id
    direction = "inbound"
    remote = "0.0.0.0/0"
    icmp {
        code = 22
        type = 22
    }
    depends_on = [ibm_is_security_group_rule.testacc_security_group_rule_all]
}
resource "ibm_is_instance" "testacc_instance" {
  name    = "testinstance"
  image   = "99edcc54-c513-4d46-9f5b-36243a1e50e2"
  profile = "cx2-2x4"

  primary_network_interface {
    subnet = ibm_is_subnet.testacc_subnet.id
    security_groups = [ibm_is_security_group.testacc_security_group.id]
  }

  vpc  = ibm_is_vpc.testacc_vpc.id
  zone = "eu-gb-1"
  keys = [ibm_is_ssh_key.testacc_sshkey.id]
  depends_on = [ibm_is_security_group_rule.testacc_security_group_rule_ssh]

  //User can configure timeouts
  timeouts {
    create = "90m"
    delete = "30m"
  }
}

resource "ibm_is_floating_ip" "fip1" {
  name   = "fip1"
  target = ibm_is_instance.testacc_instance.primary_network_interface[0].id
}

output "sshcommand" {
  value = "ssh root@${ibm_is_floating_ip.fip1.address}"
}