Tags: amazon-web-services, amazon-ec2, aws-cloudformation, aws-session-manager

Unable to connect EC2 instance using Session Manager


I am using CloudFormation to deploy EC2 instances into different VPCs. Using CloudFormation I created a role and role profile and attached it to the EC2 instance [the role in question is AmazonEC2RoleforSSM]. Yet I am unable to connect to EC2 using the same. Here is the CloudFormation code:

AWSTemplateFormatVersion: 2010-09-09
Description: Test and Dev Environment

Resources:
  VPCdev:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: VPCdev
  VPCtest:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: 192.168.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: VPCtest
  SubnetDev:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: SubnetDev
      VpcId: !Ref VPCdev
  SubnetTest:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: 192.168.1.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Subnettest
      VpcId: !Ref VPCtest
  IGWdev:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: IGWdev
  IGWtest:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: IGWtest

  IGWdevattachment:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      InternetGatewayId: !Ref IGWdev
      VpcId: !Ref VPCdev
  IGWtestattachment:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      InternetGatewayId: !Ref IGWtest
      VpcId: !Ref VPCtest

  RouteTabledev:
    Type: "AWS::EC2::RouteTable"
    Properties:
      Tags:
        - Key: Name
          Value: RouteTabledev
      VpcId: !Ref VPCdev
  RouteTabletest:
    Type: "AWS::EC2::RouteTable"
    Properties:
      Tags:
        - Key: Name
          Value: RouteTabletest
      VpcId: !Ref VPCtest

  defaultdev:
    Type: "AWS::EC2::Route"
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGWdev
      RouteTableId: !Ref RouteTabledev

  defaulttest:
    Type: "AWS::EC2::Route"
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGWtest
      RouteTableId: !Ref RouteTabletest

  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [ !Ref Ec2InstanceRole ]
  Ec2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ ec2.amazonaws.com ]
            Action:
              - sts:AssumeRole
      Path: /

  sgdev:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: sgdev
      GroupName: sgdev
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: sgdev
      VpcId: !Ref VPCdev
  sgtest:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: sgtest
      GroupName: sgtest
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: sgtest
      VpcId: !Ref VPCtest

  instancedev:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-02d55cb47e83a99a0
      InstanceType: "t2.micro"
      IamInstanceProfile: !Ref Ec2InstanceProfile
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          GroupSet:
            - !Ref sgdev
          SubnetId: !Ref SubnetDev
      Tags:
        - Key: Name
          Value: dev

  instancetest:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-02d55cb47e83a99a0
      InstanceType: "t2.micro"
      IamInstanceProfile: !Ref Ec2InstanceProfile
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          GroupSet:
            - !Ref sgtest
          SubnetId: !Ref SubnetTest
      Tags:
        - Key: Name
          Value: test  

Also attached is the error screenshot. P.S.: I tried doing it manually and it worked. I don't seem to understand where I went wrong; the stack gets successfully built and all resources get deployed as well.

I am using the Ubuntu 18.04 LTS image, which comes pre-installed with Session Manager.


Solution

  • It does not work because your subnets are private; they don't have any internet connectivity.

    Although you've created public route tables, they are not associated with any subnet.

    The following should help:

      MyRouteTableAssoc1:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties: 
          RouteTableId: !Ref RouteTabledev
          SubnetId: !Ref SubnetDev    
    
      MyRouteTableAssoc2:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties: 
          RouteTableId: !Ref RouteTabletest
          SubnetId: !Ref SubnetTest
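A check for exactly the defect the answer identifies, written as an added example (not code from the question or the answer): it walks a CloudFormation template loaded as a Python dict in JSON form, where `!Ref X` becomes `{"Ref": "X"}`, and flags any EC2 instance whose subnet is not associated with a route table carrying a default route through an internet or NAT gateway, since without that path the SSM agent cannot reach the Systems Manager endpoints over the internet. The sample template is a constructed trim of the question's dev resources, shown before and after the association from the answer is added.

```python
import copy
def _ref(value):
    """Return the logical name behind a {"Ref": ...} intrinsic, else the raw value."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value

def _by_type(resources, rtype):
    return {n: r for n, r in resources.items() if r.get("Type") == rtype}

def subnets_with_egress(resources):
    """Subnets explicitly associated with a route table that has a 0.0.0.0/0 route
    via an internet gateway or NAT gateway, i.e. a path to the SSM endpoints."""
    egress_tables = set()
    for route in _by_type(resources, "AWS::EC2::Route").values():
        p = route["Properties"]
        if p.get("DestinationCidrBlock") == "0.0.0.0/0" and ("GatewayId" in p or "NatGatewayId" in p):
            egress_tables.add(_ref(p["RouteTableId"]))
    return {_ref(a["Properties"]["SubnetId"])
            for a in _by_type(resources, "AWS::EC2::SubnetRouteTableAssociation").values()
            if _ref(a["Properties"]["RouteTableId"]) in egress_tables}

def instances_without_egress(template):
    """(instance, subnet) pairs whose subnet falls back to the VPC main route table."""
    resources = template["Resources"]
    ok = subnets_with_egress(resources)
    findings = []
    for name, inst in _by_type(resources, "AWS::EC2::Instance").items():
        props = inst["Properties"]
        subnets = [eni["SubnetId"] for eni in props.get("NetworkInterfaces", [])]
        if "SubnetId" in props:  # instances may also name the subnet directly
            subnets.append(props["SubnetId"])
        findings += [(name, _ref(s)) for s in subnets if _ref(s) not in ok]
    return findings

# Constructed, trimmed copy of the dev half of the question's template: the route
# table carries a default route but is never associated with the subnet.
BROKEN = {"Resources": {
    "SubnetDev": {"Type": "AWS::EC2::Subnet",
                  "Properties": {"VpcId": {"Ref": "VPCdev"}, "CidrBlock": "10.0.1.0/24"}},
    "RouteTabledev": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPCdev"}}},
    "defaultdev": {"Type": "AWS::EC2::Route",
                   "Properties": {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "IGWdev"},
                                  "RouteTableId": {"Ref": "RouteTabledev"}}},
    "instancedev": {"Type": "AWS::EC2::Instance",
                    "Properties": {"NetworkInterfaces": [{"DeviceIndex": 0, "SubnetId": {"Ref": "SubnetDev"}}]}},
}}

# Same template with the SubnetRouteTableAssociation from the answer added.
FIXED = copy.deepcopy(BROKEN)
FIXED["Resources"]["MyRouteTableAssoc1"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation",
    "Properties": {"RouteTableId": {"Ref": "RouteTabledev"}, "SubnetId": {"Ref": "SubnetDev"}}}
```

The check only counts explicit associations: a subnet with none uses the VPC main route table, which this template never adds a default route to, so the instance has no egress regardless of its public IP.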