
[Bug]: resource/aws_vpc_endpoint_service arg supported_regions is not idempotent #40667

Open
consoull opened this issue Dec 20, 2024 · 1 comment
Labels
bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. service/elbv2 Issues and PRs that pertain to the elbv2 service. service/vpc Issues and PRs that pertain to the vpc service.

Comments


consoull commented Dec 20, 2024

Terraform Core Version

1.10.3

AWS Provider Version

5.82.2

Affected Resource(s)

  • aws_vpc_endpoint_service

Expected Behavior

Consecutive `terraform apply` runs should be idempotent if the underlying resources were not tampered with outside of the Terraform state file's view.

Actual Behavior

Terraform applied an `aws_vpc_endpoint_service` with the `supported_regions` argument containing regions outside the current provider region. The `terraform apply` is successful and the state file only shows the regions supplied to `supported_regions`. Consecutive applies fail until the user adds the current provider region to the list of `supported_regions` or deletes the VPC endpoint service resource.

Relevant Error/Panic Output Snippet

```text
$ terraform apply
...

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated
with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_vpc_endpoint_service.test will be updated in-place
  ~ resource "aws_vpc_endpoint_service" "test" {
        id                             = "vpce-svc-0599ad7dfcbdc50ca"
      ~ supported_regions              = [
          - "us-east-2",
            # (1 unchanged element hidden)
        ]
        tags                           = {}
        # (15 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_vpc_endpoint_service.test: Modifying... [id=vpce-svc-0599ad7dfcbdc50ca]
╷
│ Error: updating EC2 VPC Endpoint Service (vpce-svc-0599ad7dfcbdc50ca): operation error EC2: ModifyVpcEndpointServiceConfiguration, https response error StatusCode: 400, RequestID: 8fb31ef5-36a8-4175-8e96-40d356668b26, api error InvalidParameter: Cannot remove service region us-east-2 from vpce-svc-0599ad7dfcbdc50ca
│ 
│   with aws_vpc_endpoint_service.test,
│   on main.tf line 27, in resource "aws_vpc_endpoint_service" "test":
│   27: resource "aws_vpc_endpoint_service" "test" {
│ 
╵
```

Terraform Configuration Files

```hcl
terraform {
  required_version = ">= 1.0.0, < 2.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.82"
    }
  }
}

provider "aws" {
  region = "us-east-2"
}

# Default VPC and its subnets, used only to place the NLB that the service fronts.
data "aws_vpc" "default" {
  default = true
}

data "aws_subnets" "default" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}

resource "aws_vpc_endpoint_service" "test" {
  acceptance_required        = true
  # As posted this is null. The plan output above shows one region other than
  # us-east-2 still in configuration, so the run that produced it must have
  # listed a region here that is not the provider region (the value is not given).
  supported_regions          = null
  network_load_balancer_arns = [aws_lb.test.arn]
}

resource "aws_lb" "test" {
  name               = "test-lb"
  load_balancer_type = "network"
  subnets            = data.aws_subnets.default.ids
}
```

Steps to Reproduce

Run consecutive terraform apply commands with the provided terraform config file.

Debug Output

No response

Panic Output

No response

Important Factoids

It appears AWS implicitly adds the current region to the list of supported regions and will not allow it to be removed. This causes the terraform statefile and AWS state to be out of sync.

References

No response

Would you like to implement a fix?

No
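A configuration-side workaround for the behaviour described in this issue, added here as an example and not taken from the report or from the provider: always include the provider's own region in `supported_regions`, so the value Terraform records in state matches the list AWS actually keeps (AWS adds the home region implicitly and rejects `ModifyVpcEndpointServiceConfiguration` calls that remove it). The `additional_regions` variable and the `aws_region` data source lookup are assumptions; `aws_lb.test` is the load balancer from the reporter's configuration.

```hcl
# Added example (not from the issue): keep the provider region in supported_regions
# so a later plan never tries to remove the region AWS adds on its own.

variable "additional_regions" {
  description = "Regions other than the provider region that may consume the service (assumed input)."
  type        = set(string)
  default     = []
}

# Resolves to the region the provider block is configured for (us-east-2 in the report).
data "aws_region" "current" {}

locals {
  # AWS treats the service's home region as always supported and refuses to
  # remove it, so prepend it to whatever the caller asked for. toset() also
  # de-duplicates if the caller listed the home region themselves.
  supported_regions = toset(concat([data.aws_region.current.name], tolist(var.additional_regions)))
}

resource "aws_vpc_endpoint_service" "test" {
  # Consumers must be explicitly accepted before they can reach the service.
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.test.arn]
  supported_regions          = local.supported_regions

  lifecycle {
    # Fail at plan time rather than with the 400 at apply time if the home
    # region ever drops out of the list (for example after refactoring the locals).
    precondition {
      condition     = contains(local.supported_regions, data.aws_region.current.name)
      error_message = "supported_regions must include the provider region; AWS does not allow it to be removed."
    }
  }
}
```

With this in place the first apply sends a list that already contains the home region, the state file stores that same list, and the second apply produces no diff instead of the failing in-place update shown above. Note that `lifecycle { ignore_changes = [supported_regions] }` would also silence the plan, but it hides genuine drift in which regions can connect to the service, so the explicit list is preferable.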
