aws_default_vpc broken in GovCloud regions, attempting to set enable_network_address_usage_metrics to true

[lorengordon]

@ewbankkit @bschaatsbergen #27165 breaks aws_default_vpc in GovCloud regions, because it attempts to set enable_network_address_usage_metrics to true...

Minimal reproducing config:

resource "aws_default_vpc" "default" {}

Proof I'm in GovCloud, note the partition in the ARN:

❯ aws sts get-caller-identity
{
    "UserId": "AROALredacted:botocore-session-1668623771",
    "Account": "redacted",
    "Arn": "arn:aws-us-gov:sts::redacted:assumed-role/redacted/botocore-session-1668623771"
}

Proof it is attempting to set enable_network_address_usage_metrics = true:

❯ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_default_vpc.default will be created
  + resource "aws_default_vpc" "default" {
      + arn                                  = (known after apply)
      + cidr_block                           = (known after apply)
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_classiclink                   = (known after apply)
      + enable_classiclink_dns_support       = (known after apply)
      + enable_dns_hostnames                 = true
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = true
      + existing_default_vpc                 = (known after apply)
      + force_destroy                        = false
      + id                                   = (known after apply)
      + instance_tenancy                     = (known after apply)
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + tags_all                             = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_default_vpc.default: Creating...
aws_default_vpc.default: Still creating... [10s elapsed]
aws_default_vpc.default: Still creating... [20s elapsed]
aws_default_vpc.default: Still creating... [30s elapsed]
aws_default_vpc.default: Still creating... [40s elapsed]
aws_default_vpc.default: Still creating... [50s elapsed]
aws_default_vpc.default: Still creating... [1m0s elapsed]
aws_default_vpc.default: Still creating... [1m10s elapsed]
aws_default_vpc.default: Still creating... [1m20s elapsed]
aws_default_vpc.default: Still creating... [1m30s elapsed]
aws_default_vpc.default: Still creating... [1m40s elapsed]
aws_default_vpc.default: Still creating... [1m50s elapsed]
aws_default_vpc.default: Still creating... [2m0s elapsed]
aws_default_vpc.default: Still creating... [2m10s elapsed]
aws_default_vpc.default: Still creating... [2m20s elapsed]
aws_default_vpc.default: Still creating... [2m30s elapsed]
aws_default_vpc.default: Still creating... [2m40s elapsed]
aws_default_vpc.default: Still creating... [2m50s elapsed]
aws_default_vpc.default: Still creating... [3m0s elapsed]
aws_default_vpc.default: Still creating... [3m10s elapsed]
aws_default_vpc.default: Still creating... [3m20s elapsed]
aws_default_vpc.default: Still creating... [3m30s elapsed]
aws_default_vpc.default: Still creating... [3m40s elapsed]
aws_default_vpc.default: Still creating... [3m50s elapsed]
aws_default_vpc.default: Still creating... [4m0s elapsed]
aws_default_vpc.default: Still creating... [4m10s elapsed]
aws_default_vpc.default: Still creating... [4m20s elapsed]
aws_default_vpc.default: Still creating... [4m30s elapsed]
aws_default_vpc.default: Still creating... [4m40s elapsed]
aws_default_vpc.default: Still creating... [4m50s elapsed]
aws_default_vpc.default: Still creating... [5m0s elapsed]
╷
│ Error: error waiting for EC2 VPC (vpc-redacted) EnableNetworkAddressUsageMetrics update: timeout while waiting for state to become 'true' (last state: 'false', timeout: 5m0s)
│
│   with aws_default_vpc.default,
│   on main.tf line 1, in resource "aws_default_vpc" "default":
│    1: resource "aws_default_vpc" "default" {}

Version info:

❯ terraform version
Terraform v1.3.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.39.0

Originally posted by @lorengordon in #27165 (comment)

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[lorengordon]

Notionally, I could workaround this by setting explicitly:

  enable_network_address_usage_metrics = false

However, I am using the terraform-aws-vpc community module, and it is not yet exposing that argument, since doing so requires a major provider version update, which technically makes it a breaking change...

• feat!: Support enabling NAU metrics in "aws_vpc" resource terraform-aws-modules/terraform-aws-vpc#838

[bschaatsbergen]

Thanks for raising this issue @lorengordon, I've flagged it to some internal maintainers as I'll be out on holidays for the coming 3 weeks.

[lorengordon]

@bschaatsbergen @ewbankkit fwiw, this is also broken for moto and localstack, since (currently) their mocked response when describing the VPC attributes does not include enableNetworkAddressUsageMetrics. I suspect this also breaks the iso and iso-b partitions. Probably aws-cn also.

[lorengordon]

Still looking for a way ahead or a workaround on this one. We've been stuck pinning to v4.34.0 as a result of this issue. I just tested v4.55.0 and it shows the same problem.

[bschaatsbergen]

cc @ewbankkit

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.