I'm trying to set up a dev environment: 1x private subnet, 1x public subnet in the dev VPC; Postgres RDS instance in the private subnet; each subnet's resources are in its own security group. The source RDS instance is in the prod VPC. I have created a peering connection and the CIDRs of each VPC do not over lap.
I am getting
Error: Error creating DB Instance: InvalidParameterCombination: The DB instance and EC2 security group are in different VPCs. The DB instance is in prod-vpc and the EC2 security group is in dev-vpc
Here are my terraform defintions. I have also added the other peer's relevant CIDRs to the route tables of each peer VPC. The source RDS and prod VPC were both created in a separate process and already exist outside of this terraform process.
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "2.77.0"
name = "dev-vpc"
cidr = "192.168.0.0/16"
azs = ["us-west-2a"]
enable_dns_hostnames = true
enable_dns_support = true
}
module "keypair" {
source = "git::https://github.com/rhythmictech/terraform-aws-secretsmanager-keypair"
name_prefix = "ec2-ssh"
description = "SSH keypair for instances"
}
resource "aws_security_group" "dev-sg-pub" {
vpc_id = module.vpc.vpc_id
ingress {
from_port = 5432 # testing
to_port = 5432 # testing
protocol = "tcp"
cidr_blocks = ["192.168.1.0/28","192.168.2.0/24"]
self = true
}
egress {
from_port = 5432 # testing
to_port = 5432 # testing
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "dev-sg-priv" {
vpc_id = module.vpc.vpc_id
ingress {
from_port = 5432 # testing
to_port = 5432 # testing
protocol = "tcp"
cidr_blocks = ["192.168.1.0/28", "192.168.2.0/24"]
security_groups = ["sg-xxxxxxxxxxxxxxx"] # the pub subnet's sg
self = true
}
egress {
from_port = 5432 # testing
to_port = 5432 # testing
protocol = "tcp"
cidr_blocks = ["192.168.1.0/28", "192.168.2.0/24"]
}
}
resource "aws_subnet" "dev-subnet-pub" {
vpc_id = module.vpc.vpc_id
cidr_block = "192.168.1.0/28"
tags = {
Name = "dev-subnet-pub"
Terraform = "true"
Environment = "dev"
}
}
resource "aws_subnet" "dev-subnet-priv" {
vpc_id = module.vpc.vpc_id
cidr_block = "192.168.2.0/24"
tags = {
Name = "dev-subnet-priv"
Terraform = "true"
Environment = "dev"
}
}
resource "aws_vpc_peering_connection" "dev-peer-conn" {
peer_vpc_id = "vpc-xxxxxxxxxxxxxxa"
vpc_id = module.vpc.vpc_id
auto_accept = true
}
resource "aws_db_instance" "dev-replica" {
name = "dev-replica"
identifier = "dev-replica"
replicate_source_db = "arn:aws:rds:us-west-2:9999999999:db:tf-xxxxxxxx"
instance_class = "db.t3.small"
apply_immediately = false
publicly_accessible = false
skip_final_snapshot = true
vpc_security_group_ids = [aws_security_group.dev-sg-priv.id, "sg-xxxxxxxxxxx"]
depends_on = [aws_vpc_peering_connection.dev-peer-conn]
}