Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: #31117

Closed
dtserekhman-starz opened this issue May 2, 2023 · 4 comments · Fixed by #31873
Closed

[Bug]: #31117

dtserekhman-starz opened this issue May 2, 2023 · 4 comments · Fixed by #31873
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/vpc Issues and PRs that pertain to the vpc service.
Milestone
v5.3.0

Comments

@dtserekhman-starz
Copy link

dtserekhman-starz commented May 2, 2023
edited by justinretzolk
Loading

Terraform Core Version

1.4.2

AWS Provider Version

v4.64.0

Affected Resource(s)

aws_vpc_endpoint

Expected Behavior

When you create VPC Interface type S3 Endpoint in AWS Console, the "Enable private DNS names" section has two checkboxes:

  1. Enable for this endpoint
  2. Enable private DNS only for inbound endpoint

The second checkbox can only be checked if the first one is checked. And, the second checkbox is the one that actually requires the presence of S3 Gateway type Endpoint in the VPC.

The first checkbox by itself can be checked in AWS Console without the presence of the S3 Gateway type Endpoint.

"aws_vpc_endpoint" resource in Terraform only has one attribute for enabling private DNS, which is called "private_dns_enabled". When you set that attribute to "true", it actually attempts to enable both of the options mentioned above, and hence, causes the error captured in the debug output section if Gateway type S3 Endpoint is not present in the VPC.

So, the expected behavior here should be is there should be secondary attribute available for enabling on the "aws_vpc_endpoint" resource so same API calling behavior can be achieved via terraform as it is through AWS Console or CLI.

Actual Behavior

As stated above, "private_dns_enabled" attribute on the "aws_vpc_endpoint" resource toggles both underlying settings at once:

  1. Enable for this endpoint
  2. Enable private DNS only for inbound endpoint

There needs to be two separate boolean attributes on the "aws_vpc_endpoint" resource available to be able to toggle the two settings independently (although, the second setting is only allowed to be toggled if the first one is checked).

Relevant Error/Panic Output Snippet

aws_vpc_endpoint.s3_interface_endpoint: Modifying... [id=vpce-09ac9bbe1b214e77b]
╷
│ Error: updating EC2 VPC Endpoint (vpce-09ac9bbe1b214e77b): InvalidParameter: To set PrivateDnsOnlyForInboundResolverEndpoint to true, the VPC vpc-06139d20c6378dda8 must have a Gateway endpoint for the service.
│       status code: 400, request id: 81905e29-8b55-4a8a-a476-95fda7bac28c
│ 
│   with aws_vpc_endpoint.s3_interface_endpoint,
│   on _s3_vpc_interface_endpoint.tf line 2, in resource "aws_vpc_endpoint" "s3_interface_endpoint":
│    2: resource "aws_vpc_endpoint" "s3_interface_endpoint" {
│ 
╵

Terraform Configuration Files

aws_vpc_endpoint.s3_interface_endpoint: Modifying... [id=vpce-09ac9bbe1b214e77b]
╷
│ Error: updating EC2 VPC Endpoint (vpce-09ac9bbe1b214e77b): InvalidParameter: To set PrivateDnsOnlyForInboundResolverEndpoint to true, the VPC vpc-06139d20c6378dda8 must have a Gateway endpoint for the service.
│       status code: 400, request id: 81905e29-8b55-4a8a-a476-95fda7bac28c
│ 
│   with aws_vpc_endpoint.s3_interface_endpoint,
│   on _s3_vpc_interface_endpoint.tf line 2, in resource "aws_vpc_endpoint" "s3_interface_endpoint":
│    2: resource "aws_vpc_endpoint" "s3_interface_endpoint" {
│ 
╵

Steps to Reproduce

  1. Do NOT create Gateway S3 endpoint in VPC
  2. Try to create S3 Interface endpoint via following configuration:
resource "aws_vpc_endpoint" "s3_interface_endpoint" {
  service_name = "com.amazonaws.${var.aws_region}.s3"
  vpc_id       = module.vpc.vpc_id

  vpc_endpoint_type = "Interface"
  private_dns_enabled = true

  subnet_ids = module.vpc.private_subnet_ids
  security_group_ids = [aws_security_group.s3_interface_endpoint_sg.id]

}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
@dtserekhman-starz dtserekhman-starz added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels May 2, 2023
@github-actions
Copy link

github-actions bot commented May 2, 2023

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/vpc Issues and PRs that pertain to the vpc service. label May 2, 2023
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label May 3, 2023
@FabianPonce FabianPonce mentioned this issue Jun 9, 2023
Merged
@justinretzolk justinretzolk added enhancement Requests to existing resources that expand the functionality or scope. and removed bug Addresses a defect in current functionality. labels Jun 9, 2023
@ewbankkit
Copy link
Contributor

@github-actions github-actions bot added this to the v5.3.0 milestone Jun 12, 2023
@github-actions
Copy link

This functionality has been released in v5.3.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@ewbankkit ewbankkit mentioned this issue Jun 27, 2023
Closed
@ddericco ddericco mentioned this issue Jul 3, 2023
Merged
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 14, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/vpc Issues and PRs that pertain to the vpc service.
Projects
None yet
Milestone
v5.3.0
Development

Successfully merging a pull request may close this issue.

ec2: fix aws_vpc_endpoint missing exposed dns_option FabianPonce/terraform-provider-aws
3 participants
@ewbankkit @dtserekhman-starz @justinretzolk