nixops-aws
aws securityGroup configuration seems to be broken
Using nixops master trying to use security groups in the following way:
deployment.ec2.securityGroups = [];
deployment.ec2.securityGroupIds = ["ssh-access" "default"];
I get:
error: Multiple exceptions (5):
* aws_a: EC2ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InvalidParameterCombination</Code><Message>No attributes specified.</Message></Error></Errors><RequestID><snip></RequestID></Response>
(repeated another 4 times for different machines)
in vpc.nix
I can see:
deployment.ec2.securityGroups = [];
deployment.ec2.securityGroupIds = [ resources.ec2SecurityGroups.sg.name ];
All I want right now is just to be able to get ssh access to work.
Yes, I can confirm this isn't working on nixops release 1.6.1.
Pinging @AmineChikhaoui @rbvermaa
OK, I have an idea what's going on.
In the code, def security_groups_to_ids does:
vpc_id = self._conn_vpc.get_all_subnets([subnetId])[0].vpc_id
groups = map(lambda g: nixops.ec2_utils.name_to_security_group(self._conn, g, vpc_id), groups)
here it determines the VPC to use from the first subnet. If you have no explicit subnets set, then it determines it as the default
VPC, in which the specified security group VPC may not be found if you've configured the Security Group to be in some other VPC.
NixOps should have a better error message for that, or at least print what VPC it's determining and creating the instance in (e.g. it already prints creating EC2 instance (AMI ‘ami-07c9b884e679df4f8’, type ‘t3.medium’, region ‘eu-central-1’)..., so it shouldn't be too hard to print the VPC there).
I've solved it by using essentially the entire example at https://github.com/NixOS/nixops/blob/28231a177d751e800af3223a8763ea75b0ef9dd9/examples/vpc.nix, setting
deployment.ec2.subnetId = resources.vpcSubnets.subnet-a;
Only after that could I see in the AWS console at the Instances page that the VPC for the started VM was not set to default, but the one I had specified.
At the same time, it's undocumented how to declare subnets: NixOS/nixops#1126
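To make the resolution path described in the comment above concrete, here is a small model added as an illustration; it is not nixops-aws code. The boto calls are replaced by constructed in-memory tables (subnet, VPC and security-group IDs are made up), and the lookup raises an error that names the VPC it resolved, which is the better message the comment asks for.

```python
"""Model of how NixOps turns EC2 security-group names into IDs.

Added illustration, not nixops-aws code. The VPC is taken from the
first configured subnet and falls back to the default VPC, exactly
as the quoted security_groups_to_ids does; the group lookup is then
scoped to that VPC, so a group that lives in another VPC is not found.
"""
from typing import Dict, List

# Constructed sample data: which VPC each subnet belongs to, and the
# security groups that exist per VPC (names repeat across VPCs).
SUBNET_VPC: Dict[str, str] = {"subnet-aaaa": "vpc-custom"}
SECURITY_GROUPS = [
    {"name": "default", "id": "sg-0001", "vpc_id": "vpc-default"},
    {"name": "default", "id": "sg-0002", "vpc_id": "vpc-custom"},
    {"name": "ssh-access", "id": "sg-0003", "vpc_id": "vpc-custom"},
]
DEFAULT_VPC = "vpc-default"  # assumed: the account's default VPC


def name_to_security_group(name: str, vpc_id: str) -> str:
    """Stand-in for nixops.ec2_utils.name_to_security_group: the name
    is looked up only inside the given VPC."""
    for g in SECURITY_GROUPS:
        if g["name"] == name and g["vpc_id"] == vpc_id:
            return g["id"]
    # The message a user would need: which VPC NixOps decided on.
    raise LookupError(
        f"security group '{name}' not found in VPC {vpc_id} "
        f"(the VPC the instance would be created in)"
    )


def security_groups_to_ids(subnet_ids: List[str], groups: List[str]) -> List[str]:
    """Resolve group names within the VPC of the first subnet, or the
    default VPC when no subnet is configured."""
    vpc_id = SUBNET_VPC[subnet_ids[0]] if subnet_ids else DEFAULT_VPC
    return [name_to_security_group(g, vpc_id) for g in groups]


if __name__ == "__main__":
    # With an explicit subnet in the custom VPC both groups resolve.
    print(security_groups_to_ids(["subnet-aaaa"], ["ssh-access", "default"]))
    # Without a subnet the default VPC is used and ssh-access is missing.
    try:
        security_groups_to_ids([], ["ssh-access", "default"])
    except LookupError as err:
        print("error:", err)
```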