
aws_vpc_endpoint gets recreated on each apply in AWS PrivateLink unsupported regions. #3777

Closed
rebelthor opened this issue Mar 14, 2018 · 8 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@rebelthor

rebelthor commented Mar 14, 2018

Problem summary

Creating a VPC Endpoint in regions that don't support AWS PrivateLink results in resource recreation on each subsequent apply, due to the missing parameter VpcEndpointType:Gateway in the AWS API reply. While the resource is recreated as expected, this causes unnecessary resource recreation on each apply operation.

Terraform Version

$ terraform -v
Terraform v0.11.3

Affected Resource(s)

  • aws_vpc_endpoint

Terraform Configuration Files

resource "aws_vpc_endpoint" "private-s3" {
  vpc_id       = "${aws_vpc.main.id}"
  service_name = "com.amazonaws.${var.aws_region}.s3"

  # Associate with all private and public route tables
  route_table_ids = ["${aws_route_table.main-private.*.id}", "${aws_route_table.main-public.*.id}"]
}

Terraform Output

      id:                         "vpce-xxxx" => <computed> (forces new resource)
      cidr_blocks.#:              "1" => <computed>
      dns_entry.#:                "0" => <computed>
      network_interface_ids.#:    "0" => <computed>
      policy:                     "{\"Statement\":[{\"Action\":\"*\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":\"*\"}],\"Version\":\"2008-10-17\"}" => <computed>
      prefix_list_id:             "pl-aaaaa" => <computed>
      private_dns_enabled:        "false" => "false"
      route_table_ids.#:          "2" => "2"
      route_table_ids.1674546173: "rtb-xxx" => "rtb-xxx"
      route_table_ids.3081440486: "rtb-yyy" => "rtb-yyy"
      security_group_ids.#:       "0" => <computed>
      service_name:               "com.amazonaws.eu-west-3.s3" => "com.amazonaws.eu-west-3.s3"
      state:                      "available" => <computed>
      subnet_ids.#:               "0" => <computed>
      vpc_endpoint_type:          "" => "Gateway" (forces new resource)
      vpc_id:                     "vpc-xxx" => "vpc-xxx"


Plan: 1 to add, 0 to change, 1 to destroy.

Expected Behavior

We would expect terraform and the AWS provider to ignore this difference and assume the Gateway Type where this is not explicitly returned.

Actual Behavior

The resource gets modified on every apply.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply several times in an AWS PrivateLink non-supported region. Example region: Paris (eu-west-3)

The current list of supported regions is: US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), EU (London), EU (Ireland), EU (Frankfurt), Canada (Central), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo) and South America (São Paulo).

Any other region (including China and GovCloud) would show this behavior.

Important Factoids

Response from CLI on supported region:

            "PolicyDocument": "{\\"Version\\":\\"2008-10-17\\",\\"Statement\\":[{\\"Effect\\":\\"Allow\\",\\"Principal\\":\\"*\\",\\"Action\\":\\"*\\",\\"Resource\\":\\"*\\"}]}",
            "VpcId": "vpc-1234567",
            "NetworkInterfaceIds": [],
            "SubnetIds": [],
            "PrivateDnsEnabled": false,
            "State": "available",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "RouteTableIds": [
                "rtb-xxx",
                "rtb-yyy",
                "rtb-zzz"
            ],
            "Groups": [],
            "VpcEndpointId": "vpce-aaaaaaa",
            "VpcEndpointType": "Gateway",
            "CreationTimestamp": "2016-10-04T11:52:22Z",
            "DnsEntries": []
        }

Response from unsupported region:

{
    "VpcEndpoints": [
        {
            "PolicyDocument": "{\\"Version\\":\\"2008-10-17\\",\\"Statement\\":[{\\"Effect\\":\\"Allow\\",\\"Principal\\":\\"*\\",\\"Action\\":\\"*\\",\\"Resource\\":\\"*\\"}]}",
            "VpcId": "vpc-aaaaaa",
            "State": "available",
            "ServiceName": "com.amazonaws.eu-west-3.s3",
            "RouteTableIds": [
                "rtb-xxx",
                "rtb-yyy",
                "rtb-zzz"
            ],
            "VpcEndpointId": "vpce-rrrrrrrr",
            "CreationTimestamp": "2018-03-14T09:01:37Z"
        },
...

This has been confirmed with the AWS support as can be seen from the following quote:

Hello Daniel,

Thank you for contacting AWS Premium Support, my name is John and I will be assisting you today.

I understand from your correspondence that the AWS CLI command "aws ec2 describe-vpc-endpoints" does not include the attribute "VpcEndpointType:Gateway".

I have also tested this in the eu-west-3 Paris region and I can also confirm the same response.

From further investigation I can see the reason the "VpcEndpointType:Gateway" attribute is not present in eu-west-3 Paris region is due to the fact that AWS Private Link is currently not available in eu-west-3 Paris.

AWS PrivateLink is available in US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), EU (London), EU (Ireland), EU (Frankfurt), Canada (Central), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo) and South America (São Paulo) regions.

-- https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html

Within the eu-west-3 Paris region there is only one VPC Endpoint type, which is "Gateway". As there is only one type it is not specified.

All other regions that have AWS Private Link have two types of endpoints: 1) Interface (AWS Private Link) and 2) Gateway endpoints. This is why you will see the attribute "VpcEndpointType" specified in other regions.

@rebelthor changed the title from "aws_vpc_endpoint gets modified on each apply in AWS PrivateLink unsupported regions." to "aws_vpc_endpoint gets recreated on each apply in AWS PrivateLink unsupported regions." Mar 14, 2018
@ewbankkit
Contributor

We may need a CustomizeDiff function here to suppress this.
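As an added illustration (not the provider's code and not the fix that later shipped): a self-contained Go sketch of the read-side normalization this diff needs. It parses the two API responses quoted above, trimmed to the relevant fields as constructed samples, and shows why a naive read of the Paris response forces replacement while a read that defaults an omitted type to "Gateway" produces no diff.

```go
package main

import "encoding/json"

// Minimal mirror of the DescribeVpcEndpoints fields that matter here
// (constructed for this example; not the aws-sdk-go types). A pointer keeps
// an absent "VpcEndpointType" key distinguishable from an empty string.
type vpcEndpoint struct {
	VpcEndpointID   string  `json:"VpcEndpointId"`
	ServiceName     string  `json:"ServiceName"`
	VpcEndpointType *string `json:"VpcEndpointType"`
}

type describeResponse struct {
	VpcEndpoints []vpcEndpoint `json:"VpcEndpoints"`
}

// Constructed samples trimmed from the two responses quoted in the issue.
const parisResponse = `{"VpcEndpoints":[{"VpcEndpointId":"vpce-rrrrrrrr","ServiceName":"com.amazonaws.eu-west-3.s3"}]}`
const virginiaResponse = `{"VpcEndpoints":[{"VpcEndpointId":"vpce-aaaaaaa","ServiceName":"com.amazonaws.us-east-1.s3","VpcEndpointType":"Gateway"}]}`

func parseEndpoints(raw string) ([]vpcEndpoint, error) {
	var resp describeResponse
	if err := json.Unmarshal([]byte(raw), &resp); err != nil {
		return nil, err
	}
	return resp.VpcEndpoints, nil
}

// rawType is what a naive read stores in state: "" when the key is missing.
func rawType(ep vpcEndpoint) string {
	if ep.VpcEndpointType == nil {
		return ""
	}
	return *ep.VpcEndpointType
}

// normalizedType is the read-side fix: regions without PrivateLink only have
// Gateway endpoints, so an omitted type is recorded as "Gateway".
func normalizedType(ep vpcEndpoint) string {
	if t := rawType(ep); t != "" {
		return t
	}
	return "Gateway"
}

// forcesNewResource models the plan: vpc_endpoint_type is ForceNew, so any state/config mismatch recreates the endpoint.
func forcesNewResource(stateType, configType string) bool {
	return stateType != configType
}
```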

@bflad
Contributor

bflad commented Mar 14, 2018

@rebelthor does this configuration work with v1.11.0 of the AWS provider?

@bflad bflad added bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. waiting-response Maintainers are waiting on response from community or contributor. labels Mar 14, 2018
@rebelthor
Author

@bflad : This reproduces on the AWS provider version v1.11.0:

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "random" (1.1.0)...
- Downloading plugin for provider "template" (1.0.0)...
- Downloading plugin for provider "aws" (1.11.0)...
- Downloading plugin for provider "null" (1.0.0)...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.null: version = "~> 1.0"
* provider.random: version = "~> 1.1"
* provider.template: version = "~> 1.0"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ module.vpc.aws_vpc_endpoint.private-s3 (new resource required)
      id:                         "vpce-xxxx" => <computed> (forces new resource)
      cidr_blocks.#:              "1" => <computed>
      dns_entry.#:                "0" => <computed>
      network_interface_ids.#:    "0" => <computed>
      policy:                     "{\"Statement\":[{\"Action\":\"*\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":\"*\"}],\"Version\":\"2008-10-17\"}" => <computed>
      prefix_list_id:             "pl-yyyy" => <computed>
      private_dns_enabled:        "false" => "false"
      route_table_ids.#:          "2" => "2"
      route_table_ids.1674546173: "rtb-xxxx" => "rtb-xxxx"
      route_table_ids.3081440486: "rtb-yyyy" => "rtb-yyyy"
      security_group_ids.#:       "0" => <computed>
      service_name:               "com.amazonaws.eu-west-3.s3" => "com.amazonaws.eu-west-3.s3"
      state:                      "available" => <computed>
      subnet_ids.#:               "0" => <computed>
      vpc_endpoint_type:          "" => "Gateway" (forces new resource)
      vpc_id:                     "vpc-xxxx" => "vpc-xxxx"


Plan: 1 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:

Thank you!

@bflad bflad removed the waiting-response Maintainers are waiting on response from community or contributor. label Mar 15, 2018
@ewbankkit
Contributor

With the latest code in master I can't reproduce this so I believe it's fixed in #3317.
@rebelthor Could you build the provider from master and verify?

@ewbankkit
Contributor

@rebelthor Could you please try and reproduce with version 1.12.0 of the AWS provider?
I believe the underlying bug has been fixed - https://github.com/terraform-providers/terraform-provider-aws/blob/master/CHANGELOG.md#1120-march-23-2018.

@rebelthor
Author

@ewbankkit : I confirm the 1.12.0 version of the AWS provider fixes this issue. Thank you!

@ghost

ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020