
In terraform how to attach an SG to an instance created by an ASG

I have an instance created by an ASG. SGs are associated with the LB for public network access. I need to attach an SG to the instance for the service that is only available via private network. I figured the steps are (using data resource) get the instance_id of the EC2 launched by the autoscale group. Find the primary ENI associated with the EC2 (again data resource) and then attach the SG to that ENI adapter. Just wondering if this is the best way of doing it? Thanks

When you use Terraform to configure EC2 autoscaling, it becomes the responsibility of the EC2 autoscaling feature to create and configure your individual instances. Terraform is not aware of those individual instances and can instead only configure the settings that EC2 autoscaling itself uses to decide how to configure your instances.

Each autoscaling group has either a Launch Configuration or a Launch Template. These both serve a similar purpose but launch templates are the newer API so that is what I'll describe here.

When you define a launch template, one of the available arguments is vpc_security_group_ids, which specifies the set of security group IDs that each newly-created EC2 instance must be associated with.

Each EC2 instance that your autoscaling group creates must have a distinct network interface, because each network interface can be attached to only one EC2 instance. Therefore EC2 autoscaling typically creates a new network interface for each instance it launches, using the network-related settings in the launch template. Although you can in principle choose to associate an already-existing network interface, in that case you would only be able to create one EC2 instance at a time in your autoscaling group, so it's not a typical configuration.
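The approach described in the answer above, as an added Terraform sketch that is not part of the original answer: the private-service security group is set on the launch template so every instance the ASG launches gets it. All resource names, variables, ports and the instance type are assumptions chosen for illustration.

```hcl
# Added example; every name, port and variable below is an assumption.
variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "ami_id" { type = string }
variable "lb_security_group_id" { type = string } # SG already attached to the LB
variable "private_cidr" { type = string }         # internal range allowed to reach the service

# Security group for the instances. No egress block is declared, so Terraform
# creates the group without outbound rules; add one if instances must call out.
resource "aws_security_group" "private_service" {
  name_prefix = "private-service-"
  vpc_id      = var.vpc_id

  ingress {
    description = "Internal service, private network only"
    from_port   = 8443
    to_port     = 8443
    protocol    = "tcp"
    cidr_blocks = [var.private_cidr]
  }

  ingress {
    description     = "Application traffic from the load balancer only"
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [var.lb_security_group_id]
  }
}

resource "aws_launch_template" "app" {
  name_prefix   = "app-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  # Applied to the network interface EC2 autoscaling creates for each instance.
  # If a network_interfaces block is used, set security_groups there instead.
  vpc_security_group_ids = [aws_security_group.private_service.id]
}

resource "aws_autoscaling_group" "app" {
  min_size            = 1
  max_size            = 3
  vpc_zone_identifier = var.private_subnet_ids

  launch_template {
    id      = aws_launch_template.app.id
    version = aws_launch_template.app.latest_version
  }
}
```

Instances that are already running keep the security groups they were launched with; a changed launch template takes effect only on instances the group launches afterwards.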
