Today I ran into problems with a seemingly simple terraform config.
To play around with a setup I needed, I just quickly defined some machines and a security group to launch in the default VPC.
```hcl
resource "aws_security_group" "test" {
  name        = "test"
  description = "my test SG"
  vpc_id      = "vpc-12345"
  ...
}

resource "aws_instance" "some-server" {
  ami             = "${lookup(var.ami_id,"eu-west-1")}"
  key_name        = "${lookup(var.standard_key,"eu-west-1")}"
  security_groups = ["${aws_security_group.test.id}"]
  ...
}
```
Easy enough, but I always got complaints from terraform that the security group was not in the default VPC, although all of the information (the SG's id, the VPC's id) matched what I could see in my EC2 Dashboard.
```
* Error launching source instance: The security group 'sg-246810' does not exist in default VPC
'vpc-12345' (InvalidGroup.NotFound)
```
I used the SG's id to reference it and I even tried just pasting in the actual id copied from the EC2 Dashboard. At some point I just tried to use the name instead of the id and it worked.
The documentation states:

> security_groups - (Optional) A list of security group IDs or names to associate with. If you are within a VPC, you'll need to use the security group ID. Otherwise, for EC2, use the security group name.
Maybe it is implicit knowledge that the default VPC falls under the "EC2 classic" case (which I am not aware of) OR the documentation needs updating. I am happy to provide the one-liner update for that, but first I wanted to find out what assumption an "average" AWS user would have when reading the documentation and applying it to the default VPC. Also, are there other ways in which the default VPC differs from a "regular" VPC that are relevant for terraform?
I faced the same issue - using security group's name, instead of the ID, worked.
The AWS Security Group documentation does say this: When you specify a security group for a nondefault VPC to the CLI or the API actions, you must use the security group ID and not the security group name to identify the security group.
I had a similar problem, and using security group id rather than name worked! Not sure if it's related, but the name of the security group (and the sec group itself) was dynamically created in the main.tf and then referred to in the subsequent ec2 instance creation.
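The two ways of attaching a security group to `aws_instance` that this thread runs into, side by side. This is an added example, not code from the issue or from the Terraform project; `vpc_security_group_ids` is the AWS provider's attribute for group IDs, and the `ami_id` variable, the instance type and the resource names are assumptions.

```hcl
# Added example; variable, instance type and resource names are illustrative.
variable "ami_id" {
  type        = string
  description = "AMI to launch (placeholder, supply your own)"
}

resource "aws_security_group" "test" {
  name        = "test"
  description = "my test SG"
  vpc_id      = "vpc-12345" # default VPC id as written in the issue
}

# The failing shape from the issue: a group ID passed through security_groups.
# That attribute carries group names, so the "sg-..." value is treated as a
# name, which matches the InvalidGroup.NotFound error quoted above.
#
# resource "aws_instance" "id_in_names_attribute" {
#   ami             = var.ami_id
#   instance_type   = "t3.micro"
#   security_groups = [aws_security_group.test.id]
# }

# Default VPC only: reference the group by name.
resource "aws_instance" "by_name" {
  ami             = var.ami_id
  instance_type   = "t3.micro"
  security_groups = [aws_security_group.test.name]
}

# Default and non-default VPCs: reference the group by ID through the
# attribute that is meant for IDs.
resource "aws_instance" "by_id" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.test.id]
}
```

Referencing the group through `aws_security_group.test.id` or `.name`, rather than a pasted literal, also keeps the dependency explicit, so the group is created before the instance that uses it.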
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
ghost locked and limited conversation to collaborators Apr 16, 2020