
[Bug]: aws_ec2_instance_connect_endpoint known after apply issue for fips_dns_name #37920

Open
bparak opened this issue Jun 11, 2024 · 3 comments · May be fixed by #37939
Labels
bug Addresses a defect in current functionality. fips Pertains to the Federal Information Processing Standard (FIPS). service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@bparak

bparak commented Jun 11, 2024

Terraform Core Version

1.8.5, 1.5.7

AWS Provider Version

5.53.0, 5.46.0

Affected Resource(s)

  • aws_ec2_instance_connect_endpoint

Expected Behavior

When the aws_ec2_instance_connect_endpoint resource is successfully created, all resource attributes are correctly populated. Subsequent terraform apply runs do not:

  • continually schedule changes to the resource due to missing attribute values,
  • crash with Error: Provider returned invalid result object after apply.

Actual Behavior

Each terraform apply run after successful EICE creation shows fips_dns_name as (known after apply):

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_ec2_instance_connect_endpoint.this will be updated in-place
  ~ resource "aws_ec2_instance_connect_endpoint" "this" {
      + fips_dns_name         = (known after apply)
        id                    = "eice-XXXXXXXXXXXX"
        # (11 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

and any attempt to apply this fails with:

aws_ec2_instance_connect_endpoint.this: Modifying... [id=eice-XXXXXXXXXXXX]
╷
│ Error: Provider returned invalid result object after apply
│ 
│ After the apply operation, the provider still indicated an unknown value for aws_ec2_instance_connect_endpoint.this.fips_dns_name. All values must be known after apply, so this is
│ always a bug in the provider and should be reported in the provider's own repository. Terraform will still save the other known object values in the state.

Relevant Error/Panic Output Snippet

aws_ec2_instance_connect_endpoint.this: Modifying... [id=eice-XXXXXXXXXXXX]
╷
│ Error: Provider returned invalid result object after apply
│ 
│ After the apply operation, the provider still indicated an unknown value for aws_ec2_instance_connect_endpoint.this.fips_dns_name. All values must be known after apply, so this is
│ always a bug in the provider and should be reported in the provider's own repository. Terraform will still save the other known object values in the state.

Terraform Configuration Files

resource "aws_security_group" "this" {
  name_prefix = "sg-eice-"
  description = "Security group for EICE."
  vpc_id      = "vpc-XXXXXX"

  egress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow outgoing SSH connections"
  }

  egress {
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow outgoing RDP connections"
  }
}

resource "aws_ec2_instance_connect_endpoint" "this" {
  subnet_id          = "subnet-XXXXXX"
  preserve_client_ip = false
  security_group_ids = [aws_security_group.this.id]
}

Steps to Reproduce

  1. run terraform apply
  2. run terraform apply again

Debug Output

No response

Panic Output

No response

Important Factoids

Running

aws ec2 describe-instance-connect-endpoints --instance-connect-endpoint-ids eice-XXXXXXXXXXX

on the created EICE does not return any data related to FipsDnsName. There is no such property, even though AWS documentation says it should be there.

DnsName is populated correctly.

References

Would you like to implement a fix?

No

@bparak bparak added the bug Addresses a defect in current functionality. label Jun 11, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/ec2 Issues and PRs that pertain to the ec2 service. service/vpc Issues and PRs that pertain to the vpc service. labels Jun 11, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 11, 2024
@justinretzolk justinretzolk added fips Pertains to the Federal Information Processing Standard (FIPS). and removed needs-triage Waiting for first response or review from a maintainer. service/vpc Issues and PRs that pertain to the vpc service. labels Jun 11, 2024
@bparak
Author

bparak commented Jun 11, 2024

To clarify, I don't need the value of fips_dns_name. I just need the resource to apply correctly.
FipsDnsName seems to be an optional attribute for EICE. I'm waiting for AWS Support to confirm this.

@bparak
Author

bparak commented Jun 11, 2024

A quick update. This seems to be caused by regional differences in AWS API responses for EICE. When provisioned in a US region that supports FIPS endpoints, FipsDnsName (and, as a result, fips_dns_name) is correctly populated. However, when provisioned in a region outside of the US, where FIPS endpoints are not available, FipsDnsName seems to be omitted entirely, the resource cannot be fully applied, and fips_dns_name won't be populated.

If you are running acceptance tests only in a US region that supports FIPS endpoints, it would explain why tests such as

resource.TestCheckResourceAttrSet(resourceName, "fips_dns_name"),
wouldn't find any problems here.

Is this a feasible explanation or am I way off on this?

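The two behaviours described in this thread (an attribute the API omits in non-FIPS regions staying "(known after apply)" in state, and a TestCheckResourceAttrSet-style check passing only in FIPS regions) can be modelled without AWS access. The following is an added illustration, not code from the provider or from #37939: it uses a three-state string value standing in for a Plugin Framework attribute (unknown / null / known), a struct standing in for the EC2 API's InstanceConnectEndpoint object with *string fields (an assumption about the SDK shape), and two constructed responses, one with FipsDnsName and one without. The flatten that only assigns fields the API returned reproduces the error condition; the flatten that maps a nil pointer to a known null is the hardened form.

```go
package main

import "fmt"

// attrString stands in for a framework string attribute: unknown is the
// plan's "(known after apply)"; null and known-with-value are both "known".
// Illustrative type, not the framework's types.String.
type attrString struct {
	known bool
	null  bool
	value string
}

func unknownString() attrString       { return attrString{} }
func nullString() attrString          { return attrString{known: true, null: true} }
func knownString(s string) attrString { return attrString{known: true, value: s} }

// apiEndpoint stands in for the fields of the EC2 API object that matter here.
// Assumption: the SDK exposes them as *string and, per the issue, FipsDnsName
// is absent (nil) in regions without FIPS endpoints.
type apiEndpoint struct {
	InstanceConnectEndpointId *string
	DnsName                   *string
	FipsDnsName               *string
}

// stateModel mirrors the resource state; every computed field starts unknown.
type stateModel struct {
	ID, DNSName, FIPSDNSName attrString
}

func newPlannedState() stateModel {
	return stateModel{ID: unknownString(), DNSName: unknownString(), FIPSDNSName: unknownString()}
}

// flattenSkipNil reproduces the failure mode: fields the API omitted are never
// assigned, so fips_dns_name is left unknown after apply.
func flattenSkipNil(out apiEndpoint) stateModel {
	s := newPlannedState()
	if out.InstanceConnectEndpointId != nil {
		s.ID = knownString(*out.InstanceConnectEndpointId)
	}
	if out.DnsName != nil {
		s.DNSName = knownString(*out.DnsName)
	}
	if out.FipsDnsName != nil {
		s.FIPSDNSName = knownString(*out.FipsDnsName)
	}
	return s
}

// stringToAttr is the hardened mapping: nil becomes a known null, never unknown.
func stringToAttr(p *string) attrString {
	if p == nil {
		return nullString()
	}
	return knownString(*p)
}

func flattenNilAsNull(out apiEndpoint) stateModel {
	return stateModel{
		ID:          stringToAttr(out.InstanceConnectEndpointId),
		DNSName:     stringToAttr(out.DnsName),
		FIPSDNSName: stringToAttr(out.FipsDnsName),
	}
}

// allKnown is Terraform core's post-apply rule that the error message quotes.
func allKnown(s stateModel) bool {
	return s.ID.known && s.DNSName.known && s.FIPSDNSName.known
}

// attrSet approximates resource.TestCheckResourceAttrSet: known, non-null, non-empty.
func attrSet(a attrString) bool { return a.known && !a.null && a.value != "" }

func strPtr(s string) *string { return &s }

// Constructed sample responses (placeholder IDs and hostnames, not captured output).
var (
	fipsRegionResponse = apiEndpoint{
		InstanceConnectEndpointId: strPtr("eice-XXXXXXXXXXXX"),
		DnsName:                   strPtr("eice-XXXXXXXXXXXX.dns.example"),
		FipsDnsName:               strPtr("eice-XXXXXXXXXXXX.fips-dns.example"),
	}
	nonFipsRegionResponse = apiEndpoint{
		InstanceConnectEndpointId: strPtr("eice-XXXXXXXXXXXX"),
		DnsName:                   strPtr("eice-XXXXXXXXXXXX.dns.example"),
		// FipsDnsName omitted by the API in this region.
	}
)

func main() {
	for _, tc := range []struct {
		name string
		resp apiEndpoint
	}{{"fips region", fipsRegionResponse}, {"non-fips region", nonFipsRegionResponse}} {
		fmt.Printf("%-16s skip-nil all known: %-5v  nil-as-null all known: %-5v  attr set: %v\n",
			tc.name, allKnown(flattenSkipNil(tc.resp)), allKnown(flattenNilAsNull(tc.resp)),
			attrSet(flattenNilAsNull(tc.resp).FIPSDNSName))
	}
}
```

The last column is the point about acceptance tests: a check that asserts fips_dns_name is set can only pass against a FIPS region's response, so a suite run exclusively in such a region never exercises the nil path that breaks apply elsewhere.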
arax added a commit to arax/terraform-provider-aws that referenced this issue Jun 12, 2024