
[Bug]: aws_vpc_endpoint does not remove custom policy from resource if removed from Terraform config #40973

Open
@mhemani-reach

Description

Terraform Core Version

1.5.7

AWS Provider Version

5.84.0, 5.67.0

Affected Resource(s)

  • aws_vpc_endpoint

Expected Behavior

If the policy parameter is removed from the aws_vpc_endpoint resource, it should remove the custom policy from the endpoint and revert to the default policy. This is the behaviour when modifying the endpoint on the AWS web console.

Actual Behavior

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed

Relevant Error/Panic Output Snippet

Terraform Configuration Files

```hcl
resource "aws_vpc_endpoint" "this" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.us-east-1.elasticmapreduce"
  vpc_endpoint_type   = "Interface"
  security_group_ids  = [aws_security_group.vpc-endpoints.id]
  subnet_ids          = var.private_subnets
  private_dns_enabled = true
  tags = {
    Name = "${module.vpc.name}-emr-endpoint"
  }
  policy = data.aws_iam_policy_document.vpc-endpoint-policy.json
}

resource "aws_security_group" "vpc-endpoints" {
  name        = "vpc-endpoints"
  description = "Security group for VPC Endpoints"
  vpc_id      = var.vpc_id
  tags = {
    "Name" = "${module.vpc.name}-endpoints"
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_vpc_security_group_ingress_rule" "vpc-endpoints-ingress" {
  description       = "Allow traffic to VPC endpoints"
  security_group_id = aws_security_group.vpc-endpoints.id
  cidr_ipv4         = "10.0.0.0/8"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

data "aws_iam_policy_document" "vpc-endpoint-policy" {
  statement {
    sid       = "DenyIfNotFromVpc"
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      values   = [var.vpc_id]
      variable = "aws:sourceVpc"
    }
  }
}
```

Steps to Reproduce

  1. Apply terraform to create the VPC endpoint with the custom policy
  2. Comment out or remove the policy parameter from the aws_vpc_endpoint resource and replan
  3. Subsequent terraform plan will not show any diff, even though the policy parameter has been removed from the endpoint. The result is the same if the aws_iam_policy_document data source is entirely removed from config
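Because the plan stays clean after the `policy` attribute is removed, the only way to notice that the endpoint still carries the custom policy is to compare the live endpoint against the configuration after apply. The following drift check is an added example written for this report; it is not code from the issue, the AWS provider, or Terraform. It assumes the AWS default endpoint policy is the full-access document shown in `DEFAULT_POLICY`, treats an endpoint without a `PolicyDocument` as being at that default, and uses constructed `describe-vpc-endpoints` output with placeholder endpoint and VPC ids in place of a real `boto3` call.

```python
"""Drift check for VPC endpoint policies (added example, not part of the issue).

Compares the policy actually attached to each endpoint with what the Terraform
configuration declares: a policy document, or, when the `policy` attribute is
absent, the AWS default full-access policy. The endpoint data is constructed in
the shape of `aws ec2 describe-vpc-endpoints --output json`; in practice it
would come from boto3's `describe_vpc_endpoints()` (same field names).
"""
import json
from typing import Any, Optional

# Assumption: AWS attaches this full-access document when no policy is set.
DEFAULT_POLICY = json.dumps({
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
})

# The custom policy from the report's data source, as Terraform would render it
# (vpc id is a placeholder).
DENY_IF_NOT_FROM_VPC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIfNotFromVpc",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-PLACEHOLDER"}},
    }],
})

# Constructed sample output; endpoint ids are placeholders. The first endpoint
# still carries the deny policy after it was removed from the config (the drift
# the issue describes); the second is at the AWS default.
DESCRIBE_VPC_ENDPOINTS = {
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-PLACEHOLDER-emr", "VpcEndpointType": "Interface",
         "ServiceName": "com.amazonaws.us-east-1.elasticmapreduce",
         "PolicyDocument": DENY_IF_NOT_FROM_VPC},
        {"VpcEndpointId": "vpce-PLACEHOLDER-sts", "VpcEndpointType": "Interface",
         "ServiceName": "com.amazonaws.us-east-1.sts",
         "PolicyDocument": DEFAULT_POLICY},
    ]
}


def canonical(node: Any) -> Any:
    """Normalise a policy for comparison: drop Version and Sid, collapse
    one-element lists to scalars, sort string lists and dictionary keys."""
    if isinstance(node, dict):
        return {k: canonical(v) for k, v in sorted(node.items())
                if k not in ("Version", "Sid")}
    if isinstance(node, list):
        items = [canonical(v) for v in node]
        if len(items) == 1:
            return items[0]
        if all(isinstance(v, str) for v in items):
            return sorted(items)
        return items
    return node


def same_policy(a: str, b: str) -> bool:
    return canonical(json.loads(a)) == canonical(json.loads(b))


def policy_drift(live_policy: Optional[str], declared_policy: Optional[str]) -> Optional[str]:
    """None when the attached policy matches the configuration, otherwise a
    short description of the mismatch. A missing live policy is treated as the
    default (assumption)."""
    expected = declared_policy if declared_policy is not None else DEFAULT_POLICY
    if live_policy is None:
        live_policy = DEFAULT_POLICY
    if same_policy(live_policy, expected):
        return None
    if declared_policy is None:
        return "custom policy still attached although config declares none (expected default full access)"
    return "attached policy differs from the declared policy document"


def audit(describe_output: dict, declared: dict[str, Optional[str]]) -> list[tuple[str, str]]:
    """`declared` maps endpoint id -> policy JSON from config, or None when the
    `policy` attribute is absent. Endpoints not in `declared` are skipped."""
    findings = []
    for ep in describe_output["VpcEndpoints"]:
        ep_id = ep["VpcEndpointId"]
        if ep_id not in declared:
            continue
        problem = policy_drift(ep.get("PolicyDocument"), declared[ep_id])
        if problem:
            findings.append((ep_id, problem))
    return findings


if __name__ == "__main__":
    # Both endpoints have had `policy` removed from the Terraform config.
    managed = {"vpce-PLACEHOLDER-emr": None, "vpce-PLACEHOLDER-sts": None}
    for ep_id, problem in audit(DESCRIBE_VPC_ENDPOINTS, managed):
        print(f"{ep_id}: {problem}")
```

Run this in the same pipeline step as `terraform apply`, feeding it the real `describe_vpc_endpoints()` response and the policy each `aws_vpc_endpoint` declares; a finding means the state Terraform reports as clean does not match what the endpoint is actually enforcing.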

Debug Output

No response

Panic Output

No response

Important Factoids

  • The policy can still be modified: Terraform detects changes to the content of the policy data source and updates the endpoint policy accordingly.

References

No response

Would you like to implement a fix?

No


Labels

  • bug: Addresses a defect in current functionality.
  • service/vpc: Issues and PRs that pertain to the vpc service.
