From cbc985edc6d038b4add7b2cfc6b7c80ea901d5ce Mon Sep 17 00:00:00 2001
From: Kit Ewbank <Kit_Ewbank@hotmail.com>
Date: Tue, 1 Feb 2022 17:39:57 -0500
Subject: [PATCH 1/3] r/aws_ec2_client_vpn_endpoint:
 'connection_log_options.cloudwatch_log_stream' is Computed.

---
 internal/service/ec2/client_vpn_endpoint.go      |  1 +
 internal/service/ec2/client_vpn_endpoint_test.go | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/internal/service/ec2/client_vpn_endpoint.go b/internal/service/ec2/client_vpn_endpoint.go
index 408a3d68068d..347df2977b31 100644
--- a/internal/service/ec2/client_vpn_endpoint.go
+++ b/internal/service/ec2/client_vpn_endpoint.go
@@ -134,6 +134,7 @@ func ResourceClientVPNEndpoint() *schema.Resource {
 						"cloudwatch_log_stream": {
 							Type:     schema.TypeString,
 							Optional: true,
+							Computed: true,
 						},
 						"enabled": {
 							Type:     schema.TypeBool,
diff --git a/internal/service/ec2/client_vpn_endpoint_test.go b/internal/service/ec2/client_vpn_endpoint_test.go
index b4a00cf43ad4..d0145638f27c 100644
--- a/internal/service/ec2/client_vpn_endpoint_test.go
+++ b/internal/service/ec2/client_vpn_endpoint_test.go
@@ -450,6 +450,16 @@ func testAccClientVPNEndpoint_withConnectionLogOptions(t *testing.T) {
 		Providers:    acctest.Providers,
 		CheckDestroy: testAccCheckClientVPNEndpointDestroy,
 		Steps: []resource.TestStep{
+			{
+				Config: testAccEc2ClientVpnEndpointConfigWithConnectionLogOptions(rName, 0),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckClientVPNEndpointExists(resourceName, &v),
+					resource.TestCheckResourceAttr(resourceName, "connection_log_options.#", "1"),
+					resource.TestCheckResourceAttrPair(resourceName, "connection_log_options.0.cloudwatch_log_group", logGroupResourceName, "name"),
+					resource.TestCheckResourceAttrSet(resourceName, "connection_log_options.0.cloudwatch_log_stream"),
+					resource.TestCheckResourceAttr(resourceName, "connection_log_options.0.enabled", "true"),
+				),
+			},
 			{
 				Config: testAccEc2ClientVpnEndpointConfigWithConnectionLogOptions(rName, 1),
 				Check: resource.ComposeTestCheckFunc(
@@ -856,7 +866,8 @@ resource "aws_cloudwatch_log_stream" "test2" {
 }
 
 locals {
-  index = %[2]d
+  log_stream_index = %[2]d
+  log_stream       = local.log_stream_index == 0 ? null : ( local.log_stream_index == 1 ? aws_cloudwatch_log_stream.test1.name : aws_cloudwatch_log_stream.test2.name)
 }
 
 resource "aws_ec2_client_vpn_endpoint" "test" {
@@ -871,7 +882,7 @@ resource "aws_ec2_client_vpn_endpoint" "test" {
   connection_log_options {
     enabled               = true
     cloudwatch_log_group  = aws_cloudwatch_log_group.test.name
-    cloudwatch_log_stream = local.index == 1 ? aws_cloudwatch_log_stream.test1.name : aws_cloudwatch_log_stream.test2.name
+    cloudwatch_log_stream = local.log_stream
   }
 
   tags = {

From 5673970ea9c915e527b0d870bdcac7c9129ed395 Mon Sep 17 00:00:00 2001
From: Kit Ewbank <Kit_Ewbank@hotmail.com>
Date: Tue, 1 Feb 2022 17:46:18 -0500
Subject: [PATCH 2/3] Add CHANGELOG entry.

---
 .changelog/22891.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/22891.txt

diff --git a/.changelog/22891.txt b/.changelog/22891.txt
new file mode 100644
index 000000000000..29f0ae9cdcc2
--- /dev/null
+++ b/.changelog/22891.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_ec2_client_vpn_endpoint: `connection_log_options.cloudwatch_log_stream` argument is Computed, preventing spurious resource diffs
+```
\ No newline at end of file

From beeb53e1873c4f5ff7ad5f54dfb6e194e5db42d6 Mon Sep 17 00:00:00 2001
From: Kit Ewbank <Kit_Ewbank@hotmail.com>
Date: Tue, 1 Feb 2022 17:47:07 -0500
Subject: [PATCH 3/3] Fix terrafmt error.

---
 internal/service/ec2/client_vpn_endpoint_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/service/ec2/client_vpn_endpoint_test.go b/internal/service/ec2/client_vpn_endpoint_test.go
index d0145638f27c..fa09f58ebb09 100644
--- a/internal/service/ec2/client_vpn_endpoint_test.go
+++ b/internal/service/ec2/client_vpn_endpoint_test.go
@@ -867,7 +867,7 @@ resource "aws_cloudwatch_log_stream" "test2" {
 
 locals {
   log_stream_index = %[2]d
-  log_stream       = local.log_stream_index == 0 ? null : ( local.log_stream_index == 1 ? aws_cloudwatch_log_stream.test1.name : aws_cloudwatch_log_stream.test2.name)
+  log_stream       = local.log_stream_index == 0 ? null : (local.log_stream_index == 1 ? aws_cloudwatch_log_stream.test1.name : aws_cloudwatch_log_stream.test2.name)
 }
 
 resource "aws_ec2_client_vpn_endpoint" "test" {