aws_transfer_server does not currently support endpoint_type: "VPC"

[hartsick]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.20
+ provider.aws v2.44.0

Affected Resource(s)

• aws_transfer_server

Terraform Configuration Files

resource "aws_transfer_server" "main" {
  identity_provider_type = "SERVICE_MANAGED"
  logging_role                 =  aws_iam_role.transfer.arn
  endpoint_type              = "VPC"

  tags = {
    NAME = "transfer-server"
  }

  endpoint_details {
    vpc_endpoint_id = aws_vpc_endpoint.transfer.id
  }
}

Debug Output

Error: expected endpoint_type to be one of [PUBLIC VPC_ENDPOINT], got VPC

Panic Output

Expected Behavior

Updated endpoint type to VPC.

Actual Behavior

Produced error above: Error: expected endpoint_type to be one of [PUBLIC VPC_ENDPOINT], got VPC

Steps to Reproduce

1. Create publicly-available Transfer server (& terraform apply):

resource "aws_iam_role" "transfer" {
  name = "transfer-server-iam-role"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Effect": "Allow",
        "Principal": {
            "Service": "transfer.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
        }
    ]
}
EOF
}

resource "aws_transfer_server" "main" {
  identity_provider_type = "SERVICE_MANAGED"
  logging_role           = "${aws_iam_role.transfer.arn}"
  endpoint_type          = "PUBLIC"

  tags = {
    NAME = "transfer-server"
  }
}

2. Create dependencies for the changes we're about to make in the AWS console (& terraform apply):

variable "aws_az1" {
  description = "AWS availability zone 1"
  default     = "us-east-1a"
}

variable "aws_az2" {
  description = "AWS availability zone 2"
  default     = "us-east-1b"
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  enable_dns_hostnames = true
}

resource "aws_subnet" "public" {
  vpc_id = "${aws_vpc.main.id}"
  cidr_block = "10.0.0.0/16"
  availability_zone = "${var.aws_az2}"

  tags = {
    name = "cmr-datashare-public"
  }
}

resource "aws_internet_gateway" "default" {
  vpc_id = "${aws_vpc.main.id}"
}

resource "aws_route_table" "internet_access" {
  vpc_id = "${aws_vpc.main.id}"

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.default.id}"
  }
}

resource "aws_route_table_association" "subnet_route_table" {
  subnet_id = "${aws_subnet.public.id}"
  route_table_id = "${aws_route_table.internet_access.id}"
}

resource  "aws_eip" "sftp" {
  vpc = true
  depends_on = [
    "aws_internet_gateway.default"
  ]
}

# Stays the same:
resource "aws_iam_role" "transfer" {
  name = "transfer-server-iam-role"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Effect": "Allow",
        "Principal": {
            "Service": "transfer.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
        }
    ]
}
EOF
}

resource "aws_transfer_server" "main" {
  identity_provider_type = "SERVICE_MANAGED"
  logging_role           = "${aws_iam_role.transfer.arn}"
  endpoint_type          = "PUBLIC"

  tags = {
    NAME = "transfer-server"
  }
}

3. In AWS console, visit your Transfer server. Stop instance and click "edit", change to be of type "VPC". Associate the resources you made in the previous step.

4. Save changes to server and start again.

5. If you now terraform apply again, you'll see that the endpoint type for the aws_transfer_server wants to change as follows: ~ endpoint_type = "VPC" -> "PUBLIC". If you try to change the terraform config to endpoint_type = "VPC" then you get the following error: Error: expected endpoint_type to be one of [PUBLIC VPC_ENDPOINT], got VPC.

Important Factoids

It seems like AWS is encouraging people to use the "VPC" endpoint instead of the "VPC_ENDPOINT" endpoint type in the AWS Console and the docs (see reference below). The VPC_ENDPOINT is not available as an option if you create the Transfer server from scratch in the AWS console.

References

• AWS Docs: Creating an Internet-Facing Endpoint for Your SFTP Server
• AWS Docs: Moving away from VPC_ENDPOINT: "If you have an existing AWS SFTP server in a VPC displayed as VPC_ENDPOINT, we recommend that you modify it to the new VPC endpoint type. With this new endpoint type, you no longer need to use a Network Load Balancer (NLB) to associate Elastic IP addresses with your server's endpoint. Also, you can use VPC security groups to restrict access to your server's endpoint. However, you can continue to use the VPC_ENDPOINT endpoint type as needed."

[marcoreni]

Related to #11569

[BrokenFlame]

Is there an ETA on this issue? It's not fixed from what I can see.

I'm using Terraform 0.12 with the latest modules (A fresh Terraform Init on Wednesday 26, August 2020)

The error after importing the resource and then trying to apply is:

expected endpoint_type to be one of [PUBLIC VPC_ENDPOINT], got VPC

[marcoreni]

@BrokenFlame this issue will be resolved by #12599

[bflad]

Support for the VPC endpoint type (including additional endpoint_details arguments) has been merged and will release with version 3.8.0 of the Terraform AWS Provider, likely later today. Thanks to @sshearn for the implementation. 👍

[ghost]

This has been released in version 3.8.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!