Can't connect to Terraform-created instance with Private Key, but CAN connect when I create ins

Time:05-18

I've created the following key pair and EC2 instance using Terraform. I'll leave the SG config out of it, but it allows SSH from the internet.

When I try to SSH into this instance I get the errors "Server Refused our Key" and "No supported authentication methods available (server sent: publickey)".

However I am able to login when I create a separate EC2 instance in the console and assign it the same key pair assigned in the TF script.

Has anyone seen this behavior? What causes it?

# Create Dev VPC
resource "aws_vpc" "dev_vpc" {
  cidr_block           = "10.0.0.0/16"
  instance_tenancy     = "default"
  enable_dns_hostnames = true

  tags = {
    Name = "dev"
  }
}

# Create an Internet Gateway Resource
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.dev_vpc.id

  tags = {
    Name = "dev-engineering-igw"
  }
}

# Create a Route Table
resource "aws_route_table" "_dev_public_routes" {
  vpc_id = aws_vpc.dev_vpc.id
  tags = {
    name = "_dev_public_routes"
  }
}

# Create a Route (default route to the internet gateway)
resource "aws_route" "_dev_internet_access" {
  route_table_id         = aws_route_table._dev_public_routes.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
}

# Associate the Route Table to our Public Subnet
resource "aws_route_table_association" "_dev_public_subnet_assoc" {
  subnet_id      = aws_subnet._dev_public.id
  route_table_id = aws_route_table._dev_public_routes.id
}

# Create public subnet for hosting customer-facing Django app
resource "aws_subnet" "_dev_public" {
  vpc_id            = aws_vpc.dev_vpc.id
  cidr_block        = "10.0.0.0/17"
  availability_zone = "us-west-2a"

  tags = {
    Env = "dev"
  }
}

resource "aws_security_group" "allow_https" {
  name        = "allow_https"
  description = "Allow http and https inbound traffic"
  vpc_id      = aws_vpc.dev_vpc.id

  ingress {
    description = "HTTP into VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "HTTPS into VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "HTTPS out of VPC for Session Manager"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_https"
  }
}

resource "aws_instance" "web" {
  ami                         = data.aws_ami.ubuntu20.id # data source not shown in the post
  instance_type               = "t3.micro"
  subnet_id                   = aws_subnet._dev_public.id
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.allow_https.id]
  key_name                    = "key_name"

  metadata_options { # Enabling IMDSv2
    http_endpoint = "disabled" # turns the instance metadata service off entirely
    http_tokens   = "required"
  }

  tags = {
    Env = "dev"
  }
}

CodePudding user response:

As specified in the comments, removing the metadata_options from the instance resource resolves the issue.

The fix is to update the metadata_options to be:

  metadata_options { #Enabling IMDSv2
    http_endpoint = "enabled"
    http_tokens = "required"
  }

Looking at the Terraform documentation for metadata_options shows that:

  • http_endpoint = "disabled" means that the metadata service is unavailable.
  • http_tokens = "required" means that the metadata service requires session tokens (i.e. IMDSv2).

This is an invalid configuration, as specified in the AWS docs:

You can opt in to require that IMDSv2 is used when requesting instance metadata. Use the modify-instance-metadata-options CLI command and set the http-tokens parameter to required. When you specify a value for http-tokens, you must also set http-endpoint to enabled.
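The answer's point as a check you can run over Terraform files before apply, added here as example code (not part of the post or of Terraform): a small regex-based scan of aws_instance blocks that flags the question's invalid pairing, the IMDSv1-permitting default you get by deleting metadata_options altogether, and the enforced-IMDSv2 form from the fix. The SSH failure follows from the first case: cloud-init fetches the key pair's public key from the instance metadata service at boot, so with http_endpoint = "disabled" the key never reaches authorized_keys and the server refuses it. The sample HCL and resource names are constructed for the example.

```python
import re
# Constructed sample (not from the post): the question's broken block, the
# answer's corrected block, and an instance with no metadata_options at all.
SAMPLE_HCL = '''
resource "aws_instance" "web" {
  metadata_options {
    http_endpoint = "disabled"
    http_tokens   = "required"
  }
}
resource "aws_instance" "web_fixed" {
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
resource "aws_instance" "legacy" {
  instance_type = "t3.micro"
}
'''

INSTANCE_RE = re.compile(r'^resource\s+"aws_instance"\s+"([^"]+)"')
META_RE = re.compile(r'metadata_options\s*\{([^}]*)\}')
KV_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def classify(opts):
    """Rate one metadata_options block; absent keys take the AWS defaults."""
    endpoint = opts.get("http_endpoint", "enabled")
    tokens = opts.get("http_tokens", "optional")
    if endpoint == "disabled" and tokens == "required":
        return "invalid"         # the combination from the question
    if endpoint == "disabled":
        return "imds-disabled"   # cloud-init cannot fetch the key pair
    if tokens != "required":
        return "imdsv1-allowed"  # what you get after deleting the block
    return "ok"                  # IMDSv2 enforced

def audit(hcl):
    """Map each aws_instance name to its metadata_options rating."""
    findings = {}
    # One resource per chunk; assumes no line inside a string starts with 'resource'.
    for chunk in re.split(r'(?m)^(?=resource\s)', hcl):
        m = INSTANCE_RE.match(chunk)
        if not m:
            continue
        meta = META_RE.search(chunk)
        opts = dict(KV_RE.findall(meta.group(1))) if meta else {}
        findings[m.group(1)] = classify(opts)
    return findings
```

Running audit(SAMPLE_HCL) rates "web" as invalid, "web_fixed" as ok and "legacy" as imdsv1-allowed, so simply removing the block (the first workaround in the answer) trades the outage for an IMDSv1 exposure.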
