Unable to SSH into a Terraform-created EC2 instance

Using Terraform v1.0.11 on Ubuntu 18.04

After a terraform apply with the main.tf below, and after waiting for the instance to pass checks (and then another minute), attempts to SSH are hitting a wall.

$ ssh -v -i ~/.ssh/toydeploy.pem [email protected]
OpenSSH_7.6p1 Ubuntu-4ubuntu0.5, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 18.144.125.224 [18.144.125.224] port 22.
debug1: connect to address 18.144.125.224 port 22: Connection timed out
ssh: connect to host 18.144.125.224 port 22: Connection timed out

I've brought up an instance manually with the same AMI and key pair, and can SSH in. Comparing network and security settings in the console, the only differences I've noticed are that the manually-deployed instance is using the default VPC, and "Answer private resource DNS name" shows "IPv4 (A)" for the manually-deployed instance and "-" for the Terraformed one. Both seem benign, but I may be wrong.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
}

provider "aws" {
  profile = "default"
  region  = "us-west-1"
}

variable "cidr_vpc" {
  description = "CIDR block for VPC"
  default     = "10.1.0.0/16"
}

variable "cidr_subnet" {
  description = "CIDR block for subnet"
  default     = "10.1.0.0/20"
}

resource "aws_vpc" "toydeploy-vpc" {
  cidr_block           = var.cidr_vpc
  enable_dns_hostnames = true
  enable_dns_support   = true
}

resource "aws_subnet" "toydeploy-subnet" {
  vpc_id     = aws_vpc.toydeploy-vpc.id
  cidr_block = var.cidr_subnet
}

resource "aws_security_group" "toydeploy-sg" {
  name   = "toydeploy-sg"
  vpc_id = aws_vpc.toydeploy-vpc.id

  ingress {
    from_port = 22
    to_port   = 22
    protocol  = "tcp"
    cidr_blocks = [
      "0.0.0.0/0"
    ]
  }

  # Terraform removes the default rule, so we re-add it.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "toydeploy" {
  ami                         = "ami-083f68207d3376798" # Ubuntu 18.04
  instance_type               = "t2.micro"
  security_groups             = ["${aws_security_group.toydeploy-sg.id}"]
  subnet_id                   = aws_subnet.toydeploy-subnet.id
  associate_public_ip_address = true
  key_name                    = "toydeploy"
}

If nothing below jumps out as a problem and you can point me to a working example, that would be appreciated too.

Resolved

A closer examination showed that the routing table was only routing for the subnet, and not 0.0.0.0/0. Adding the following resolved the issue.

resource "aws_internet_gateway" "toydeploy-ig" {
  vpc_id = aws_vpc.toydeploy-vpc.id
}

resource "aws_route_table" "toydeploy-rt" {
  vpc_id = aws_vpc.toydeploy-vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.toydeploy-ig.id
  }
}

resource "aws_route_table_association" "toydeploy-rta" {
  subnet_id      = aws_subnet.toydeploy-subnet.id
  route_table_id = aws_route_table.toydeploy-rt.id
}

Connection timed out usually indicates a network issue. Check:

• Security group / NACLs open to your IP on port 22
• VPC has internet gateway
• Subnet has a route to the internet gateway
• Instance has a public IP
• Routing is set up correctly

This is the key line from your connection attempt that tells you what's happening

ssh: connect to host 18.144.125.224 port 22: Connection timed out