fix: Dns_options for vpc-endpoints #1032
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
While trying to setup an S3 VPC endpoint I found I could not set `dns_options.private_dns_only_for_inbound_resolver_endpoint` even though this was apparently resolved by #1029 To see what was going on under the hood, I removed the `try` wrapping `private_dns_only_for_inbound_resolver_endpoint` and got this error: ``` Planning failed. Terraform encountered an error while generating this plan. ╷ │ Error: Unsupported attribute │ │ on .terraform/modules/endpoints/modules/vpc-endpoints/main.tf line 42, in resource "aws_vpc_endpoint" "this": │ 42: private_dns_only_for_inbound_resolver_endpoint = dns_options.value.private_dns_only_for_inbound_resolver_endpoint │ ├──────────────── │ │ dns_options.value is false │ │ Can't access attributes on a primitive-typed value (bool). ``` So this whole thing is already off. Idk why `dns_options.value` is a bool, all I know is it has something to do with the `dynamic` block being used here. I noticed the `dynamic` block is not needed. You're only allowed one `dns_options` block for the `aws_vpc_endpoint` resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint#dns_options So I removed the `dynamic` block and updated the value lookups to `each.value.dns_options[]` which now works. For an S3 service, with `dns_options.private_dns_only_for_inbound_resolver_endpoint` set to `false`, this is the plan it generated: ``` + resource "aws_vpc_endpoint" "this" { + arn = (known after apply) + cidr_blocks = (known after apply) + dns_entry = (known after apply) + id = (known after apply) + ip_address_type = (known after apply) + network_interface_ids = (known after apply) + owner_id = (known after apply) + policy = jsonencode( { + Statement = [ + { + Action = "*" + Condition = { + StringNotEquals = { + "aws:SourceVpc" = "vpc-0518b6428b706516d" } } + Effect = "Deny" + Principal = "*" + Resource = "*" }, ] + Version = "2012-10-17" } ) + prefix_list_id = (known after apply) + private_dns_enabled = true + requester_managed = (known after apply) + route_table_ids = (known after apply) + security_group_ids = [ + "sg-050ed3bb7b46fd681", ] + service_name = "com.amazonaws.us-east-1.s3" + state = (known after apply) + subnet_ids = [ + "subnet-0af61b529ffb7940b", + "subnet-0dd27b92ffe0d02cd", ] + tags = { + "Name" = "s3" } + tags_all = { + "Name" = "s3" } + vpc_endpoint_type = "Interface" + vpc_id = "vpc-0518b6428b706516d" + dns_options { + dns_record_ip_type = (known after apply) + private_dns_only_for_inbound_resolver_endpoint = false } + timeouts { + create = "10m" + delete = "10m" + update = "10m" } } ``` For a resource that did not pass in a `dns_options`, like this: ```hcl ... ecr_api = { service = "ecr.api" private_dns_enabled = true subnet_ids = module.vpc.private_subnets policy = data.aws_iam_policy_document.generic_endpoint_policy.json }, ... ``` I got this plan: ``` + resource "aws_vpc_endpoint" "this" { + arn = (known after apply) + cidr_blocks = (known after apply) + dns_entry = (known after apply) + id = (known after apply) + ip_address_type = (known after apply) + network_interface_ids = (known after apply) + owner_id = (known after apply) + policy = jsonencode( { + Statement = [ + { + Action = "*" + Condition = { + StringNotEquals = { + "aws:SourceVpc" = "vpc-0518b6428b706516d" } } + Effect = "Deny" + Principal = "*" + Resource = "*" }, ] + Version = "2012-10-17" } ) + prefix_list_id = (known after apply) + private_dns_enabled = true + requester_managed = (known after apply) + route_table_ids = (known after apply) + security_group_ids = [ + "sg-050ed3bb7b46fd681", ] + service_name = "com.amazonaws.us-east-1.ecr.api" + state = (known after apply) + subnet_ids = [ + "subnet-0af61b529ffb7940b", + "subnet-0dd27b92ffe0d02cd", ] + tags = { + "Name" = "ecr.api" } + tags_all = { + "Name" = "ecr.api" } + vpc_endpoint_type = "Interface" + vpc_id = "vpc-0518b6428b706516d" + dns_options { + dns_record_ip_type = (known after apply) } + timeouts { + create = "10m" + delete = "10m" + update = "10m" } } ``` I think the removal of the `dynamic` block simplifies things now. It's easier to see what's going on. There should be no change for anyone that isn't setting `dns_options` as shown by my plan output above. Signed-off-by: Taylor Silva <dev@taydev.net>
taylorsilva
changed the title
taylorsilva
changed the title
|
I looked at the |
|
its dynamic because its an optional argument, so removing the dynamic block is not correct. lets start with an issue and a reproduction |
|
@taylorsilva like @bryantbiggs said, its optional that is why i put dynamic in the original PR |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
While trying to setup an S3 VPC endpoint I found I could not set
dns_options.private_dns_only_for_inbound_resolver_endpointeven though this was apparently resolved by #1029To see what was going on under the hood, I removed the
trywrappingprivate_dns_only_for_inbound_resolver_endpointand got this error:So this whole thing is already off. Idk why
dns_options.valueis a bool, all I know is it has something to do with thedynamicblock being used here.I noticed the
dynamicblock is not needed. You're only allowed onedns_optionsblock for theaws_vpc_endpointresource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint#dns_optionsSo I removed the
dynamicblock and updated the value lookups toeach.value.dns_options[]which now works.For an S3 service, with
dns_options.private_dns_only_for_inbound_resolver_endpointset tofalse, this is the plan it generated:For a resource that did not pass in a
dns_options, like this:I got this plan:
I think the removal of the
dynamicblock simplifies things now. It's easier to see what's going on. There should be no change for anyone that isn't settingdns_optionsas shown by my plan output above.Breaking Changes
None. For VPCE's that I had beforehand, nothing changed for them. Existing setup was respected.
How Has This Been Tested?
examples/*to demonstrate and validate my change(s)examples/*projectspre-commit run -aon my pull request