
[Bug]: aws_api_gateway_domain_name Endpoint Configuration change from EDGE to PRIVATE fails with Status Code 400 #40692

Open
@rongriffinint

Description

Terraform Core Version

1.10.1

AWS Provider Version

5.82.2

Affected Resource(s)

  • aws_api_gateway_domain_name

Expected Behavior

API Gateway Domain Name Endpoint configuration is updated from type EDGE to PRIVATE.

Actual Behavior

Resource update fails with status code 400 Bad Request.

Relevant Error/Panic Output Snippet

Error: updating API Gateway Domain Name (...): operation error API Gateway: UpdateDomainName, https response error StatusCode: 400, RequestID: 2e7c0359-ccda-4f8d-b224-91114a53064d, BadRequestException: /endpointConfiguration/types/0 Invalid request input

Terraform Configuration Files

provider "aws" {
  region = "us-east-1"
  default_tags {
    tags = module.base_tags.tags
  }
}

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }

  backend "s3" {
    bucket         = "my-bucket"
    key            = "my/bucket/key"
    region         = "us-east-1"
    dynamodb_table = "tf-lock"
  }
}

Steps to Reproduce

Original domain name Terraform configuration:

resource "aws_api_gateway_domain_name" "live_gateway_domain" {
  depends_on      = [aws_api_gateway_stage.live, module.certificate]
  domain_name     = local.domain_name
  certificate_arn = module.certificate.certificate_arn
  security_policy = "TLS_1_2"
}

Switching the domain name to use the newly added Private Custom Domains feature, as follows:

resource "aws_api_gateway_domain_name" "live_gateway_domain" {
  depends_on      = [aws_api_gateway_stage.live, module.certificate]
  domain_name     = local.domain_name
  certificate_arn = module.certificate.certificate_arn
  security_policy = "TLS_1_2"

  policy = data.aws_iam_policy_document.private_gateway_custom_domain_resource_policy.json

  endpoint_configuration {
    types = ["PRIVATE"]
  }
}

data "aws_iam_policy_document" "private_gateway_custom_domain_resource_policy" {
  version = "2012-10-17"
  statement {
    principals {
      identifiers = ["*"]
      type        = "AWS"
    }
    effect    = "Deny"
    actions   = ["execute-api:Invoke"]
    resources = ["execute-api:/domainnames/*"]
    condition {
      test     = "StringNotEquals"
      values   = [data.aws_vpc_endpoint.account_execute_api.id]
      variable = "aws:sourceVpce"
    }
  }

  statement {
    principals {
      identifiers = ["*"]
      type        = "AWS"
    }
    effect    = "Allow"
    actions   = ["execute-api:Invoke"]
    resources = ["execute-api:/domainnames/*"]
  }
}
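The resource policy above only confines a private custom domain to one VPC endpoint when the Deny-unless-aws:sourceVpce statement is present beside the wildcard Allow; on its own, the Allow admits any principal that reaches the domain. As an added example (not part of this issue or of the provider), the following Python check lints the rendered JSON for that pairing, using a constructed rendering of the page's policy document with a placeholder VPC endpoint id, and a constructed Allow-only variant for comparison.

```python
import json

# Constructed JSON rendering of the page's aws_iam_policy_document; the vpce id is a placeholder.
PINNED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "execute-api:Invoke",
     "Resource": "execute-api:/domainnames/*",
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-PLACEHOLDER"}}},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "execute-api:Invoke",
     "Resource": "execute-api:/domainnames/*"}]})

# Constructed weak variant: the same Allow with the Deny statement left out.
ALLOW_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "execute-api:Invoke",
     "Resource": "execute-api:/domainnames/*"}]})

INVOKE_ACTIONS = {"execute-api:invoke", "execute-api:*", "*"}


def _as_list(value):
    # IAM JSON allows a single string where a list is expected.
    return value if isinstance(value, list) else [value]


def _lower_keys(d):
    # Condition operators and keys are matched case-insensitively by IAM.
    return {k.lower(): v for k, v in d.items()}


def lint_private_domain_policy(policy):
    """Return findings for a private custom-domain resource policy (JSON string or dict)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    allows_anyone = False     # unconditional Allow for principal "*"
    pinned_to_vpce = False    # Deny unless aws:sourceVpce matches a vpce-* id
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & INVOKE_ACTIONS:
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            allows_anyone = True
        if stmt.get("Effect") == "Deny":
            cond = _lower_keys(stmt.get("Condition", {})).get("stringnotequals", {})
            vpce_ids = _as_list(_lower_keys(cond).get("aws:sourcevpce", []))
            if vpce_ids and all(v.startswith("vpce-") for v in vpce_ids):
                pinned_to_vpce = True
    findings = []
    if allows_anyone and not pinned_to_vpce:
        findings.append("unconditional Allow for principal * without a Deny pinned to aws:sourceVpce")
    if not allows_anyone and not pinned_to_vpce:
        findings.append("no execute-api:Invoke statement for principal * found")
    return findings
```

Run it against the JSON that `terraform show` renders for the data source before applying a private domain change.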

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

Labels: bug (Addresses a defect in current functionality), service/apigateway, service/iam