Example from https://learn.hashicorp.com/terraform/getting-started/provision#defining-a-provisioner with addition of security group allows ssh, so that it works.

remove-exec-provision.tf

provider "aws" {
  profile = "default"
  region  = "eu-west-1"
}

resource "aws_key_pair" "example" {
  key_name   = "examplekey"
  public_key = file("~/.ssh/terraform.pub")
}

resource "aws_instance" "example" {
  key_name      = aws_key_pair.example.key_name
  ami           = "ami-083cf3480acb8f8af"
  instance_type = "t2.micro"
  vpc_security_group_ids = [aws_security_group.allow-ssh-in.id]

  connection {
    type        = "ssh"
    user        = "ec2-user"
    private_key = file("~/.ssh/terraform")
    host        = self.public_ip
  }

  provisioner "remote-exec" {
    inline = [
      "sudo amazon-linux-extras enable nginx1.12",
      "sudo yum -y install nginx",
      "sudo systemctl start nginx"
    ]
  }
}

data "aws_vpc" "default" {
  default = true
} 

resource "aws_security_group" "allow-ssh-in" {
  name="allow-ssh-in"
  description = "allow ssh in"
  vpc_id      =  data.aws_vpc.default.id

  ingress {
    description = "SSH in"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "HTTP in"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
 tags = {
    Name = "allow_ssh"
  }
}