
[Bug]: aws_vpc_endpoint resource: private_dns_enabled effectively stuck on true. #37694

Closed
theipster opened this issue May 24, 2024 · 6 comments · Fixed by #37715
Labels
bug Addresses a defect in current functionality. service/vpc Issues and PRs that pertain to the vpc service.
Milestone

Comments

@theipster
Contributor

theipster commented May 24, 2024

Terraform Core Version

1.8.4

AWS Provider Version

5.51.0, 5.51.1

Affected Resource(s)

  • aws_vpc_endpoint

Expected Behavior

The aws_vpc_endpoint.private_dns_enabled attribute should be respected, i.e. setting to false (or leaving undefined) should not attempt to create Route 53 resources.

Actual Behavior

Regardless of whether the aws_vpc_endpoint.private_dns_enabled attribute is set to true / false / undefined, it always attempts to create Route 53 resources.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

# variables.tf
variable "vpce_service_name" {
  type = string
}

# vpc.tf
resource "aws_vpc" "this" {
  cidr_block = "10.0.0.0/16"
}

# vpc_endpoint.tf
resource "aws_vpc_endpoint" "this" {
  service_name = var.vpce_service_name
  vpc_id       = aws_vpc.this.id

  vpc_endpoint_type = "Interface"
}

Optionally:

# route53.tf
resource "aws_route53_zone" "this" {
  name = join(".", reverse(split(".", aws_vpc_endpoint.this.service_name)))

  vpc {
    vpc_id = aws_vpc_endpoint.this.vpc_id
  }
}

Steps to Reproduce

Apply the above configuration with an arbitrary (unused) AWS VPC endpoint name, e.g.

terraform init
terraform apply -var "vpce_service_name=com.amazonaws.eu-west-2.iot.fleethub.api"

Debug Output

When executing the above configuration as-is, it produces the following error:

╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-2.iot.fleethub.api): operation error EC2: CreateVpcEndpoint, https response error StatusCode: 400, RequestID: <abcdef>, api error InvalidParameter: Enabling private DNS requires both enableDnsSupport and enableDnsHostnames VPC attributes set to true for vpc-<id>
│ 
│   with aws_vpc_endpoint.this,
│   on vpc_endpoint.tf line 1, in resource "aws_vpc_endpoint" "this":
│    1: resource "aws_vpc_endpoint" "this" {
│ 
╵

This error is unexpected, because enabling DNS for the VPC should not be required.

For science / completeness, one can additionally configure aws_vpc.enable_dns_hostnames = true and aws_vpc.enable_dns_support = true and re-run from scratch (e.g. using terraform test) to produce the subsequent error:

╷
│ Error: creating Route53 Hosted Zone (api.fleethub.iot.eu-west-2.amazonaws.com): operation error Route 53: CreateHostedZone, https response error StatusCode: 400, RequestID: <abcdef>, ConflictingDomainExists: The VPC vpc-<id> in region eu-west-2 has already been associated with the hosted zone <zone-id> with the same domain name.
│ 
│   with aws_route53_zone.this,
│   on route53.tf line 1, in resource "aws_route53_zone" "this":
│    1: resource "aws_route53_zone" "this" {
│ 
╵

which is still unexpected, because private DNS for the VPC endpoint was not requested.

Panic Output

No response

Important Factoids

Seems to be a regression with hashicorp/aws:5.51.0, because reverting to 5.50.0 does not have this problem. I've also reproduced the problem with 5.51.1 in the last few minutes, just in case. 🙂

I initially encountered the aws_route53_zone error described above, which is why I've included it in the issue description. It was only after further investigation that I realised it is probably unrelated to aws_route53_zone and instead related to aws_vpc_endpoint.

References

No response

Would you like to implement a fix?

None

@theipster theipster added the bug Addresses a defect in current functionality. label May 24, 2024
@github-actions github-actions bot added service/route53 Issues and PRs that pertain to the route53 service. service/vpc Issues and PRs that pertain to the vpc service. labels May 24, 2024
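A drift check for the behaviour reported above, added here as an example (not the reporter's code and not part of the provider): it compares the private DNS flag AWS actually applied against what the Terraform configuration requested, so an endpoint that silently received private DNS (and with it, VPC-internal resolution of that service name) is surfaced directly instead of being discovered through a Route 53 ConflictingDomainExists error. Both inputs are constructed samples shaped like `terraform show -json` and `aws ec2 describe-vpc-endpoints` output; the endpoint ids are placeholders.

```python
import json

# Constructed `terraform show -json` excerpt. The first endpoint omits
# private_dns_enabled, exactly as the issue's configuration does.
TF_SHOW_JSON = json.dumps({"values": {"root_module": {"resources": [
    {"type": "aws_vpc_endpoint", "name": "this", "values": {
        "id": "vpce-0aaa", "vpc_endpoint_type": "Interface",
        "service_name": "com.amazonaws.eu-west-2.iot.fleethub.api"}},
    {"type": "aws_vpc_endpoint", "name": "ssm", "values": {
        "id": "vpce-0bbb", "vpc_endpoint_type": "Interface",
        "service_name": "com.amazonaws.eu-west-2.ssm", "private_dns_enabled": True}},
    {"type": "aws_vpc_endpoint", "name": "s3", "values": {
        "id": "vpce-0ccc", "vpc_endpoint_type": "Gateway",
        "service_name": "com.amazonaws.eu-west-2.s3"}},
]}}})

# Constructed `aws ec2 describe-vpc-endpoints` excerpt: what AWS actually has.
DESCRIBE_JSON = json.dumps({"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Interface", "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface", "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-0ccc", "VpcEndpointType": "Gateway", "PrivateDnsEnabled": False},
]})


def desired_private_dns(tf_show_json):
    """Map endpoint id -> (service_name, requested flag) for every managed
    aws_vpc_endpoint. An absent attribute means private DNS was not requested."""
    wanted = {}
    for res in json.loads(tf_show_json)["values"]["root_module"].get("resources", []):
        if res["type"] == "aws_vpc_endpoint":
            v = res["values"]
            wanted[v["id"]] = (v["service_name"], bool(v.get("private_dns_enabled", False)))
    return wanted


def find_private_dns_drift(tf_show_json, describe_json):
    """Return interface endpoints that AWS reports with PrivateDnsEnabled=true
    although Terraform did not ask for it. Gateway endpoints are skipped because
    private DNS is an interface-endpoint feature; unmanaged endpoints are skipped
    because there is no declared intent to compare against."""
    wanted = desired_private_dns(tf_show_json)
    findings = []
    for ep in json.loads(describe_json)["VpcEndpoints"]:
        eid = ep["VpcEndpointId"]
        if ep.get("VpcEndpointType") != "Interface" or eid not in wanted:
            continue
        service, requested = wanted[eid]
        if ep.get("PrivateDnsEnabled", False) and not requested:
            findings.append({"id": eid, "service_name": service})
    return findings
```

Run against real output by piping `terraform show -json` and `aws ec2 describe-vpc-endpoints` into the two arguments; an empty list means the live flags match what the configuration asked for.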
Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label May 24, 2024
@theipster
Contributor Author

theipster commented May 26, 2024

Acceptance tests are actually failing too (related to #37628):

$ git checkout v5.50.0 --quiet

$ git show --oneline --no-patch --no-show-signature
f00a84434b (HEAD, tag: v5.50.0) Merge pull request #37518 from acwwat/d-aws_cloudfront_distribution-improve_origin_ssl_protocols_arg_desc

$ make testacc PKG=ec2 TESTS="TestAccVPCEndpoint_interfaceBasic" ACCTEST_TIMEOUT=10m
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.22.2 test ./internal/service/ec2/... -v -count 1 -parallel 20 -run='TestAccVPCEndpoint_interfaceBasic'  -timeout 10m
=== RUN   TestAccVPCEndpoint_interfaceBasic
=== PAUSE TestAccVPCEndpoint_interfaceBasic
=== CONT  TestAccVPCEndpoint_interfaceBasic
--- PASS: TestAccVPCEndpoint_interfaceBasic (70.64s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/ec2        70.792s

$ git checkout v5.51.0 --quiet

$ git show --oneline --no-patch --no-show-signature
50b6108103 (HEAD, tag: v5.51.0) Update CHANGELOG.md (Manual Trigger)

$ make testacc PKG=ec2 TESTS="TestAccVPCEndpoint_interfaceBasic" ACCTEST_TIMEOUT=10m
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.22.2 test ./internal/service/ec2/... -v -count 1 -parallel 20 -run='TestAccVPCEndpoint_interfaceBasic'  -timeout 10m
=== RUN   TestAccVPCEndpoint_interfaceBasic
=== PAUSE TestAccVPCEndpoint_interfaceBasic
=== CONT  TestAccVPCEndpoint_interfaceBasic
    vpc_endpoint_test.go:72: Step 1/2 error: Error running apply: exit status 1
        
        Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ec2): operation error EC2: CreateVpcEndpoint, https response error StatusCode: 400, RequestID: 61c8e7df-0d50-4260-8542-f271bfe52523, api error InvalidParameter: Enabling private DNS requires both enableDnsSupport and enableDnsHostnames VPC attributes set to true for vpc-0ca7434b02619f9c2
        
          with aws_vpc_endpoint.test,
          on terraform_plugin_test.tf line 22, in resource "aws_vpc_endpoint" "test":
          22: resource "aws_vpc_endpoint" "test" {
        
--- FAIL: TestAccVPCEndpoint_interfaceBasic (9.59s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-aws/internal/service/ec2        9.830s
FAIL
make: *** [GNUmakefile:630: testacc] Error 1

$ git checkout v5.50.0 -- internal/service/ec2/vpc_endpoint.go

$ make testacc PKG=ec2 TESTS="TestAccVPCEndpoint_interfaceBasic" ACCTEST_TIMEOUT=10m
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.22.2 test ./internal/service/ec2/... -v -count 1 -parallel 20 -run='TestAccVPCEndpoint_interfaceBasic'  -timeout 10m
=== RUN   TestAccVPCEndpoint_interfaceBasic
=== PAUSE TestAccVPCEndpoint_interfaceBasic
=== CONT  TestAccVPCEndpoint_interfaceBasic
--- PASS: TestAccVPCEndpoint_interfaceBasic (120.15s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/ec2        120.276s

@theipster theipster changed the title [Bug]: VPC endpoints: private_dns_enabled effectively stuck on true. [Bug]: aws_vpc_endpoint resource: private_dns_enabled effectively stuck on true. May 27, 2024
@d2rj2

d2rj2 commented May 27, 2024

Just want to add that once the endpoint has been wrongly created with Private DNS enabled, running tf apply again will update the resource to disable the feature.

@justinretzolk justinretzolk removed service/route53 Issues and PRs that pertain to the route53 service. needs-triage Waiting for first response or review from a maintainer. labels May 28, 2024

github-actions bot commented Jun 4, 2024

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v5.53.0 milestone Jun 4, 2024

github-actions bot commented Jun 7, 2024

This functionality has been released in v5.53.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


github-actions bot commented Jul 8, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 8, 2024