Security group does not appear to belong to the same VPC as the input subnets

This is my terraform file to create a Fargate ECS service.

variable "aws_region" { }
variable "flavor" { }  # test or prod
variable "task_worker_service_name" { }
variable "task_cpu" {}
variable "task_memory" {}
variable "az_count" {}

terraform {
  required_version = "= 0.12.6"

provider "aws" {
  version = "~> 2.21.1"
  region = "${var.aws_region}"

data "aws_availability_zones" "available" {}

data "aws_iam_policy_document" "ecs_service_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type = "Service"
      identifiers = [ "" ]

data "aws_iam_policy_document" "task_worker_iam_role_policy" {
  statement {
    actions   = [ "sts:AssumeRole" ]
    principals {
      type = "Service"
      identifiers = [

data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type = "Service"
      identifiers = [ "" ]

resource "aws_iam_role" "ecs_service_role" {
  name = "${var.flavor}-task-ecs-service-role"
  path = "/"
  assume_role_policy = "${data.aws_iam_policy_document.ecs_service_policy.json}"

resource "aws_iam_role_policy_attachment" "ecs_service_role_attachment" {
  role = "${}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"

resource "aws_vpc" "ecs" {
    cidr_block  = ""
    enable_dns_hostnames = true
    enable_dns_support = true
    instance_tenancy = "default"

    tags = {
      Name = "ecs"

resource "aws_security_group" "vpc_ecs_task_worker" {
    name        = "${var.flavor}-vpc_ecs_task_worker"
    description = "ECS Allowed Ports"

    ingress {
        from_port       = 32768
        to_port         = 65535
        protocol        = "tcp"
        cidr_blocks     = [""]

    egress {
        from_port       = 0
        to_port         = 0
        protocol        = "-1"
        cidr_blocks     = [""]


resource "aws_iam_role" "ecs_task_execution_role" {
  name = "${var.flavor}-ecs-task-worker-task-execution-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json

resource "aws_iam_role" "task_worker_iam_role" {
    name = "${var.flavor}-task-worker-role"
    path = "/"
    assume_role_policy = data.aws_iam_policy_document.task_worker_iam_role_policy.json

# Create var.az_count private subnets, each in a different AZ
resource "aws_subnet" "private" {
  count             = "${var.az_count}"
  cidr_block        = "${cidrsubnet(aws_vpc.ecs.cidr_block, 8, count.index)}"
  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
  vpc_id            = "${}"

resource "aws_ecs_task_definition" "task_worker" {
  family = "${var.flavor}-${var.task_worker_service_name}"
  network_mode = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu = var.task_cpu
  memory = var.task_memory
  execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
  task_role_arn = aws_iam_role.task_worker_iam_role.arn
  container_definitions = <<JSON
      "dnsSearchDomains": null,
      "logConfiguration": null,
      "entryPoint": null,
      "portMappings": [],
      "command": null,
      "linuxParameters": null,
      "cpu": ${var.task_cpu},
      "environment": [],
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": ${var.task_memory},
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "",
      "startTimeout": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": null,
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": null,
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": null,
      "name": "task-worker"

resource "aws_ecs_cluster" "task_pool" {
  name = "${var.flavor}-task-pool"

resource "aws_ecs_service" "task_service" {
  name = "${var.flavor}-task-worker-service"

  cluster = "${}"

  task_definition = "${aws_ecs_task_definition.task_worker.arn}"

  launch_type = "FARGATE"

  desired_count = 2

  network_configuration {
    subnets = "${aws_subnet.private[*].id}"
    security_groups = ["${}" ]
    assign_public_ip = "true"


When I tried to apply it I got this error:

 InvalidParameterException: Security group sg-0e5f55bea9222dd00 does not appear to belong to the same VPC as the input subnets.

sg-0e5f55bea9222dd00 corresponds to the newly created security group aws_security_group.vpc_ecs_pdf_conversion.

I don't understand why this error message is thrown. The ingress and egress seem ok to me. How can I fix it?


  • Looks like, you are missing VPC reference in the security group creation section. It should look like something below.

    resource "aws_security_group" "vpc_ecs_task_worker" {
    name        = "${var.flavor}-vpc_ecs_task_worker"
    description = "ECS Allowed Ports"
    vpc_id      = "${}"
    ingress {
        from_port       = 32768
        to_port         = 65535
        protocol        = "tcp"
        cidr_blocks     = [""]
    egress {
        from_port       = 0
        to_port         = 0
        protocol        = "-1"
        cidr_blocks     = [""]

    In your code vpc_id section is missing.