1
votes

I'm trying to set up a dev environment: 1x private subnet, 1x public subnet in the dev VPC; Postgres RDS instance in the private subnet; each subnet's resources are in its own security group. The source RDS instance is in the prod VPC. I have created a peering connection and the CIDRs of each VPC do not overlap.

I am getting

Error: Error creating DB Instance: InvalidParameterCombination: The DB instance and EC2 security group are in different VPCs. The DB instance is in prod-vpc and the EC2 security group is in dev-vpc

Here are my terraform definitions. I have also added the other peer's relevant CIDRs to the route tables of each peer VPC. The source RDS and prod VPC were both created in a separate process and already exist outside of this terraform process.

module "vpc" {
  source               = "terraform-aws-modules/vpc/aws"
  version              = "2.77.0"
  name                 = "dev-vpc"
  cidr                 = "192.168.0.0/16"
  azs                  = ["us-west-2a"]
  enable_dns_hostnames = true
  enable_dns_support   = true
}

module "keypair" {
  source      = "git::https://github.com/rhythmictech/terraform-aws-secretsmanager-keypair"
  name_prefix = "ec2-ssh"
  description = "SSH keypair for instances"
}

resource "aws_security_group" "dev-sg-pub" {
  vpc_id = module.vpc.vpc_id
  ingress {
    from_port   = 5432 # testing
    to_port     = 5432 # testing
    protocol    = "tcp"
    cidr_blocks = ["192.168.1.0/28","192.168.2.0/24"]
    self        = true
  }
  egress {
    from_port   = 5432 # testing
    to_port     = 5432 # testing
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "dev-sg-priv" {
  vpc_id = module.vpc.vpc_id
  ingress {
    from_port       = 5432 # testing
    to_port         = 5432 # testing
    protocol        = "tcp"
    cidr_blocks     = ["192.168.1.0/28", "192.168.2.0/24"]
    security_groups = ["sg-xxxxxxxxxxxxxxx"] # the pub subnet's sg
    self            = true
  }
  egress {
    from_port   = 5432 # testing
    to_port     = 5432 # testing
    protocol    = "tcp"
    cidr_blocks = ["192.168.1.0/28", "192.168.2.0/24"]
  }
}

resource "aws_subnet" "dev-subnet-pub" {
  vpc_id      = module.vpc.vpc_id
  cidr_block  = "192.168.1.0/28"
  tags = {
    Name        = "dev-subnet-pub"
    Terraform   = "true"
    Environment = "dev"
  }
}

resource "aws_subnet" "dev-subnet-priv" {
  vpc_id      = module.vpc.vpc_id
  cidr_block  = "192.168.2.0/24"
  tags = {
    Name        = "dev-subnet-priv"
    Terraform   = "true"
    Environment = "dev"
  }
}

resource "aws_vpc_peering_connection" "dev-peer-conn" {
  peer_vpc_id = "vpc-xxxxxxxxxxxxxxa"
  vpc_id      = module.vpc.vpc_id
  auto_accept = true
}

resource "aws_db_instance" "dev-replica" {
  name                   = "dev-replica"
  identifier             = "dev-replica"
  replicate_source_db    = "arn:aws:rds:us-west-2:9999999999:db:tf-xxxxxxxx"
  instance_class         = "db.t3.small"
  apply_immediately      = false
  publicly_accessible    = false
  skip_final_snapshot    = true
  vpc_security_group_ids = [aws_security_group.dev-sg-priv.id, "sg-xxxxxxxxxxx"]
  depends_on             = [aws_vpc_peering_connection.dev-peer-conn]
}

1 Answer

1
votes

You can't do this. SGs have VPC scope, and your RDS must use an SG from the VPC it is located in.

Since you peered your VPCs, you can only reference an SG across VPCs in your aws_security_group.dev-sg-priv.
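The configuration below is an added example, not code from the question or the answer, that applies the answer's point to the question's setup: only security groups that belong to dev-vpc are attached to the replica, and the prod-vpc group is referenced inside rules rather than attached. It assumes the question's `module.vpc`, `aws_subnet.dev-subnet-priv`, `aws_security_group.dev-sg-pub` and `aws_vpc_peering_connection.dev-peer-conn` exist as posted, and it adds a few things the question does not have: a placeholder variable for the id of the source DB's security group in prod-vpc, a second private subnet in another AZ plus a DB subnet group (a DB subnet group must span at least two AZs, and giving the replica a subnet group in dev-vpc is what places it there instead of in the source's VPC, which is what the error message reports), and new resource names (`dev-sg-replica`, `dev-replica-fixed`) so it does not collide with the posted `dev-sg-priv` and `dev-replica` blocks.

```hcl
# Placeholder for the security group attached to the source DB in prod-vpc.
# The real id is not on the page; substitute your own. (assumption)
variable "prod_db_sg_id" {
  type    = string
  default = "sg-PRODDBSGPLACEHOLDER"
}

# Second private subnet so the DB subnet group covers two AZs. (assumption:
# CIDR and AZ chosen here, not from the question)
resource "aws_subnet" "dev-subnet-priv-b" {
  vpc_id            = module.vpc.vpc_id
  cidr_block        = "192.168.3.0/24"
  availability_zone = "us-west-2b"
  tags = {
    Name        = "dev-subnet-priv-b"
    Terraform   = "true"
    Environment = "dev"
  }
}

# Subnet group in dev-vpc: this is what makes the replica live in dev-vpc
# rather than in the source's prod-vpc.
resource "aws_db_subnet_group" "dev" {
  name       = "dev-replica-subnets"
  subnet_ids = [aws_subnet.dev-subnet-priv.id, aws_subnet.dev-subnet-priv-b.id]
}

# The only group attached to the replica. It is created in dev-vpc, so it is
# valid for an instance that lives in dev-vpc. Rules are kept out of the
# resource and managed below, which is the usual way to reference a peer group.
resource "aws_security_group" "dev-sg-replica" {
  name   = "dev-sg-replica"
  vpc_id = module.vpc.vpc_id
}

# Inbound to the replica: only dev-vpc clients in the public-subnet group,
# only on the Postgres port. No broad CIDR ranges.
resource "aws_security_group_rule" "clients_to_replica" {
  type                     = "ingress"
  security_group_id        = aws_security_group.dev-sg-replica.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.dev-sg-pub.id
}

# Outbound from the replica: replication traffic to the source's port only.
# For an egress rule, source_security_group_id is the destination group; a
# peer-VPC group id is accepted here because the VPCs are peered. Referencing
# it in a rule is allowed; attaching it to the instance is what fails.
resource "aws_security_group_rule" "replica_to_source" {
  type                     = "egress"
  security_group_id        = aws_security_group.dev-sg-replica.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = var.prod_db_sg_id
}

# Matching inbound rule on the prod side. The prod group exists outside this
# configuration, so only a rule on it is managed here, scoped to the replica's
# group rather than to the whole dev CIDR.
resource "aws_security_group_rule" "source_from_replica" {
  type                     = "ingress"
  security_group_id        = var.prod_db_sg_id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.dev-sg-replica.id
}

resource "aws_db_instance" "dev-replica-fixed" {
  identifier          = "dev-replica"
  replicate_source_db = "arn:aws:rds:us-west-2:999999999999:db:SOURCE-DB-PLACEHOLDER" # placeholder ARN
  instance_class      = "db.t3.small"
  apply_immediately   = false
  publicly_accessible = false
  skip_final_snapshot = true

  # Places the replica in dev-vpc; without this an in-region replica is
  # created in the source's VPC.
  db_subnet_group_name = aws_db_subnet_group.dev.name

  # Only dev-vpc groups may appear here. The prod group is referenced in the
  # rules above, never attached.
  vpc_security_group_ids = [aws_security_group.dev-sg-replica.id]

  depends_on = [aws_vpc_peering_connection.dev-peer-conn]
}
```

Two things worth checking after `terraform plan`: the replica's `vpc_security_group_ids` should list only ids whose group lives in `module.vpc.vpc_id`, and the inter-VPC rules should be group-to-group references on port 5432 only, so neither VPC's entire CIDR is opened to the other just to get replication working.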