Terraform – Fails to Launch EC2 Instance Due to Suspected Lack of IAM Rights

The aws_instance resource in the example does not have the subnet_id attribute provided, so the instance would launch into your account's default subnet for the target region. It's likely that the default subnet is not the one you were trying to use, and so it has a different IP address range.

To fix this, determine the appropriate subnet id and add a subnet_id attribute to your declaration, and then also switch from the security_groups attribute to the vpc_security_group_ids attribute:

resource "aws_instance" "mgmt-jump" {
  count = "${var.mgmt_jump_count}"

  ami           = "${lookup(var.amis, var.region)}"
  instance_type = "t2.micro"

  key_name      = "${var.key_pair}"
  subnet_id     = "subnet-xxxxxxx"

  vpc_security_group_ids = ["${aws_security_group.mgmt-jump-sg.id}"]

  private_ip = "${lookup(var.mgmt_jump_private_ips,count.index)}"

  tags {
    Name        = "mgmt-jump-${count.index+1}"
    category    = "dec"
    environment = "management"
    role        = "jump"
  }
}

Use Terraform or CloudFormation to manage the required Load Balancer, EC2 Instances and other resources. Although it requires more work up-front than ElasticBeanstalk, it is possible to precisely control every aspect of your resources. Software installation and instance configuration from .ebextensions can be replaced with AWS::CloudFormation::Init and AWS's cfn-init helper script.

I'll also recommend troposphere for generating CloudFormation templates. The syntax maps 1-to-1 against the CloudFormation's resource syntax, but will generate errors for misspelled property names or invalid property types. Combined with boto it was possible to fully automate my application deployment lifecycle with simple python command line utilities.