aws_workspaces_directory: Error with workspace_creation_properties #16122

Closed
fgrebot opened this issue Nov 10, 2020 · 6 comments · Fixed by #16589
Labels
service/ec2 Issues and PRs that pertain to the ec2 service. service/workspaces Issues and PRs that pertain to the workspaces service.

Comments

fgrebot commented Nov 10, 2020


Terraform CLI and Terraform AWS Provider Version

$ terraform -v
Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/aws v3.14.1
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/time v0.6.0

Affected Resource(s)

  • aws_workspaces_directory

Terraform Configuration Files

resource "aws_security_group" "SG-test" {
  name        = "SG-test"
  vpc_id      = aws_vpc.WA-VPC.id

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "SG-test"
  }
}


resource "aws_workspaces_directory" "WORKSPACES-DIRECTORY" {
  directory_id = aws_directory_service_directory.WA-ADCONNECTOR.id
  subnet_ids   = [aws_subnet.WA-SN-PRIV-1A.id, aws_subnet.WA-SN-PRIV-1B.id]

  tags = {
    Name = "WORKSPACES-DIRECTORY"
  }

  depends_on = [aws_directory_service_directory.WA-ADCONNECTOR]

  self_service_permissions {
    change_compute_type  = false
    increase_volume_size = false
    rebuild_workspace    = false
    restart_workspace    = true
    switch_running_mode  = false
  }

  workspace_creation_properties {
    #custom_security_group_id           = aws_security_group.SG-test.id     # Here is the problem
    enable_internet_access              = true
    enable_maintenance_mode             = true
    user_enabled_as_local_administrator = false
  }
}

Debug Output

There are 2 problems. Both are related to the parameter custom_security_group_id.

  • The first problem occurs when the parameter is commented: terraform1.log
  • The second occurs when the parameter is uncommented: terraform2.log

Panic Output

n/a

Expected Behavior

In both scenarios, the AWS Workspaces Directory should have been registered with the following parameters:

workspace_creation_properties {
  enable_internet_access              = true
  enable_maintenance_mode             = true
  user_enabled_as_local_administrator = false
}

According to the official AWS API documentation and the AWS provider documentation, all the parameters provided are flagged as optional.

Actual Behavior

The AWS Workspaces Directory is registered, but the parameters given are not taken into account. And because of the error, Terraform stops deploying the other resources.

Steps to Reproduce

  1. Create a directory in AWS Directory Service
  2. Create a aws_workspaces_directory, first WITH then WITHOUT a custom_security_group_id
  3. terraform apply

Tensho (Contributor) commented Nov 19, 2020

Hi @fgrebot, thank you for the feedback. I'll check this issue more precisely next week, as initial directory creation with a custom SG should work without any snags. The only failing case I met before: SG and directory belong to different VPCs. Just curious, have you seen the note about custom_security_group_id?

Here is what I've got from AWS Support regarding custom SG and default OU update within API:

Unfortunately, it is currently not possible to submit the API using CLI or another SDK which clears the values for these two fields. This issue has been raised by other customers in the past and the service team have advised they are looking into incorporating this functionality.

To clear these values from the registered directory, you will need to perform the action from the AWS Console. I understand this is not ideal and at this stage I am unable to confirm whether this will be incorporated into the API call, but if it is, I am currently unable to confirm when it will become available.

elreydetoda commented

Hi @Tensho, I get the same error as @fgrebot, and I do it in the opposite order compared to what @fgrebot said.

  1. Create a aws_workspaces_directory, first WITH then WITHOUT a custom_security_group_id

So, initially I destroy everything to make sure there is nothing residual left in my environment. Then I comment out the custom_security_group_id and the default_ou fields and I get the same error with the

minimum field size of 11, ModifyWorkspaceCreationPropertiesInput.WorkspaceCreationProperties.CustomSecurityGroupId.

Also, kind of related, and I know I will probably have to submit another issue for this, but I get another error when I don't specify a default OU as well. Instead of it failing on pre-validation (because it would be hard to validate against a remote string to ensure the OU exists), it just gives me:

InvalidParameterValuesException: An invalid or out-of-range value was supplied for the input parameter.

I can see in the request that gets made by Terraform that it is passing the value, because this is the request it makes (x's don't exactly match the size of what they are replacing):

{"ResourceId":"d-xxxxxxxxx","WorkspaceCreationProperties":{"CustomSecurityGroupId":"sg-xxxxxxxxxxx","DefaultOu":"","EnableInternetAccess":true,"EnableMaintenanceMode":true,"UserEnabledAsLocalAdministrator":true}}

More details

This is my resource getting created initially (with both of them commented out; it fails with the same error as @fgrebot, and as you can probably see I am just pulling straight from the example in the docs):

resource "aws_workspaces_directory" "example" {
  directory_id = data.terraform_remote_state.directory.outputs.directory_id
  subnet_ids = [
    data.terraform_remote_state.class_subnets.outputs.subnet_3_id,
    data.terraform_remote_state.class_subnets.outputs.subnet_4_id
  ]

  self_service_permissions {
    change_compute_type  = true
    increase_volume_size = true
    rebuild_workspace    = true
    restart_workspace    = true
    switch_running_mode  = true
  }

  workspace_creation_properties {
    # custom_security_group_id            = aws_security_group.allow_workspaces_out.id
    # default_ou                          = "OU=AWS,DC=Workgroup,DC=Example,DC=com"
    enable_internet_access              = true
    enable_maintenance_mode             = true
    user_enabled_as_local_administrator = true
  }

  depends_on = [
    aws_iam_role_policy_attachment.workspaces_default_service_access,
    aws_iam_role_policy_attachment.workspaces_default_self_service_access
  ]
}

Then I uncomment the custom_security_group_id and I no longer get that error, because I create an SG with this:

resource "aws_security_group" "allow_workspaces_out" {
  name        = "workspaces_default"
  description = "Allow all traffic out from workspaces"
  vpc_id      = data.terraform_remote_state.class_vpc.outputs.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "workspaces_default"
  }
}

but then I get the invalid parameter value error that I mentioned above, so I uncomment the default_ou field and everything works successfully.
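The request body quoted above is the whole story: an attribute omitted from the HCL block arrives at the provider as an empty string, and if the provider copies it into the API input unconditionally, the SDK's client-side validation rejects CustomSecurityGroupId for being shorter than 11 characters, while an empty DefaultOu gets through to the service and comes back as InvalidParameterValuesException. The example below is added here and is not the provider's code or the change made in #16589; it models the request shape shown in the comment with plain encoding/json, uses a hypothetical TFWorkspaceCreationProperties type to stand in for the decoded HCL block, and approximates only the one SDK validation rule whose message appears in this thread. It contrasts a builder that sends every field (the failing behaviour) with one that leaves the two string fields out of the request when they are unset.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimum length the SDK's client-side validation enforces for
// CustomSecurityGroupId (taken from the error message quoted in the thread).
const minSecurityGroupIDLen = 11

// WorkspaceCreationProperties mirrors the request body quoted in the thread.
// A nil pointer is dropped by omitempty; a pointer to "" is NOT dropped and
// is sent as "", which is what triggers the validation failure.
type WorkspaceCreationProperties struct {
	CustomSecurityGroupId           *string `json:"CustomSecurityGroupId,omitempty"`
	DefaultOu                       *string `json:"DefaultOu,omitempty"`
	EnableInternetAccess            *bool   `json:"EnableInternetAccess,omitempty"`
	EnableMaintenanceMode           *bool   `json:"EnableMaintenanceMode,omitempty"`
	UserEnabledAsLocalAdministrator *bool   `json:"UserEnabledAsLocalAdministrator,omitempty"`
}

type ModifyWorkspaceCreationPropertiesInput struct {
	ResourceId                  string                      `json:"ResourceId"`
	WorkspaceCreationProperties WorkspaceCreationProperties `json:"WorkspaceCreationProperties"`
}

// TFWorkspaceCreationProperties is a hypothetical stand-in for the decoded
// HCL block; Terraform yields "" for a string attribute the user left out.
type TFWorkspaceCreationProperties struct {
	CustomSecurityGroupID           string
	DefaultOU                       string
	EnableInternetAccess            bool
	EnableMaintenanceMode           bool
	UserEnabledAsLocalAdministrator bool
}

func strPtr(s string) *string { return &s }
func boolPtr(b bool) *bool    { return &b }

// buildInputNaive copies every attribute into the request unconditionally,
// so an attribute left out of the HCL block is sent as "" (the failing case).
func buildInputNaive(directoryID string, c TFWorkspaceCreationProperties) ModifyWorkspaceCreationPropertiesInput {
	return ModifyWorkspaceCreationPropertiesInput{
		ResourceId: directoryID,
		WorkspaceCreationProperties: WorkspaceCreationProperties{
			CustomSecurityGroupId:           strPtr(c.CustomSecurityGroupID),
			DefaultOu:                       strPtr(c.DefaultOU),
			EnableInternetAccess:            boolPtr(c.EnableInternetAccess),
			EnableMaintenanceMode:           boolPtr(c.EnableMaintenanceMode),
			UserEnabledAsLocalAdministrator: boolPtr(c.UserEnabledAsLocalAdministrator),
		},
	}
}

// buildInputFixed sets the two string fields only when the user supplied a
// value; the booleans are always sent because false is a meaningful setting.
func buildInputFixed(directoryID string, c TFWorkspaceCreationProperties) ModifyWorkspaceCreationPropertiesInput {
	p := WorkspaceCreationProperties{
		EnableInternetAccess:            boolPtr(c.EnableInternetAccess),
		EnableMaintenanceMode:           boolPtr(c.EnableMaintenanceMode),
		UserEnabledAsLocalAdministrator: boolPtr(c.UserEnabledAsLocalAdministrator),
	}
	if c.CustomSecurityGroupID != "" {
		p.CustomSecurityGroupId = strPtr(c.CustomSecurityGroupID)
	}
	if c.DefaultOU != "" {
		p.DefaultOu = strPtr(c.DefaultOU)
	}
	return ModifyWorkspaceCreationPropertiesInput{ResourceId: directoryID, WorkspaceCreationProperties: p}
}

// validate approximates the SDK's client-side parameter check that produced
// the error quoted above; the real SDK applies further rules not modelled here.
func validate(in ModifyWorkspaceCreationPropertiesInput) error {
	if sg := in.WorkspaceCreationProperties.CustomSecurityGroupId; sg != nil && len(*sg) < minSecurityGroupIDLen {
		return fmt.Errorf("minimum field size of %d, ModifyWorkspaceCreationPropertiesInput.WorkspaceCreationProperties.CustomSecurityGroupId", minSecurityGroupIDLen)
	}
	return nil
}

// encode renders the request body the way it would go on the wire.
func encode(in ModifyWorkspaceCreationPropertiesInput) string {
	b, err := json.Marshal(in)
	if err != nil {
		panic(err)
	}
	return string(b)
}

func main() {
	// Constructed input: same shape as the configs in this issue, SG and OU omitted.
	cfg := TFWorkspaceCreationProperties{EnableInternetAccess: true, EnableMaintenanceMode: true}
	for _, name := range []string{"naive", "fixed"} {
		in := buildInputNaive("d-0123456789", cfg)
		if name == "fixed" {
			in = buildInputFixed("d-0123456789", cfg)
		}
		fmt.Printf("%s: %s\n  validate: %v\n", name, encode(in), validate(in))
	}
}
```

One caveat that follows from the AWS Support reply quoted earlier in the thread: leaving a field out of the request does not clear it. A directory that already has a custom security group or default OU keeps that value until it is cleared in the console, so the omit-when-unset approach fixes registration but cannot express "remove the custom SG" through the API.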

Tensho (Contributor) commented Dec 4, 2020

@elreydetoda Thank you for the detailed explanation and steps to reproduce. The fix is on the road.

elreydetoda commented

Awesome! Thank you @Tensho! I wish I could have helped by submitting code, but I don't know Go pretty much at all 😅

Maybe one day, but thank you so much for helping out with this fix 🙏

@github-actions github-actions bot added this to the v3.21.0 milestone Dec 8, 2020
ghost commented Dec 11, 2020

This has been released in version 3.21.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented Jan 7, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Jan 7, 2021