[Bug]: aws_vpc_endpoint_service_allowed_principal #30873

Closed
robh007 opened this issue Apr 21, 2023 · 6 comments · Fixed by #30974
Labels
bug Addresses a defect in current functionality. service/vpc Issues and PRs that pertain to the vpc service.
Comments

@robh007
Contributor

robh007 commented Apr 21, 2023

Terraform Core Version

1.3.4

AWS Provider Version

4.64.0

Affected Resource(s)

  • aws_vpc_endpoint_service_allowed_principal

Expected Behavior

You should be able to add multiple allowed principals to an existing aws_vpc_endpoint_service.

resource "aws_vpc_endpoint_service_allowed_principal" "this" {
  vpc_endpoint_service_id = data.aws_vpc_endpoint_service.this.service_id
  principal_arn           = "arn:aws:iam::123456789012:root"
}

Actual Behavior

Change #27640 has introduced a bug.

If you already have an allowed principal attached to a service you can't add another one.

Relevant Error/Panic Output Snippet

Error: reading EC2 VPC Endpoint Service (vpce-svc-fake-id) Allowed Principal (arn:aws:iam::123456789012:root): too many results: wanted 1, got 68
 │ 
 │   with aws_vpc_endpoint_service_allowed_principal.this,
 │   on main.tf line 5, in resource "aws_vpc_endpoint_service_allowed_principal" "this":
 │    5: resource "aws_vpc_endpoint_service_allowed_principal" "this" {
 │ 
 ╵

Terraform Configuration Files

resource "aws_vpc_endpoint_service_allowed_principal" "this" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.name.service_id
  principal_arn           = "arn:aws:iam::210987654321:root"
}

resource "aws_vpc_endpoint_service" "name" {
  acceptance_required = true

  network_load_balancer_arns = ["nlb-arn"]

  tags = { Name = "test-001" }

  allowed_principals = ["arn:aws:iam::123456789012:root"]
}

Steps to Reproduce

Create a VPC Endpoint Service with an allowed principal configured.

Try to add an additional principal using

aws_vpc_endpoint_service_allowed_principal

Debug Output

No response

Panic Output

No response

Important Factoids

The call to FindVPCEndpointServicePermissions doesn't look to filter the results and returns all attached principals.

// FindVPCEndpointServicePermissionsByServiceID builds a DescribeVpcEndpointServicePermissions
// request with only the ServiceId set, so every allowed principal for the service is returned.
func FindVPCEndpointServicePermissionsByServiceID(ctx context.Context, conn *ec2.EC2, id string) ([]*ec2.AllowedPrincipal, error) {
	input := &ec2.DescribeVpcEndpointServicePermissionsInput{
		ServiceId: aws.String(id),
	}
	return FindVPCEndpointServicePermissions(ctx, conn, input)
}

References

No response

Would you like to implement a fix?

None
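An added illustration of the failure described under Important Factoids: the unfiltered permission list is handed to an exactly-one check, so any second principal on the service produces the "too many results" error, and narrowing the list to the managed principal ARN first avoids it. This is example code, not the provider's code or the fix in #30974; allowedPrincipal, assertSingleResult and findByPrincipalARN are constructed stand-ins for the SDK and provider types.

```go
package main

import (
	"errors"
	"fmt"
)

// allowedPrincipal is a constructed stand-in for the SDK's ec2.AllowedPrincipal;
// only the Principal field is modelled so the example runs without AWS access.
type allowedPrincipal struct {
	Principal *string
}

// The two single-result failures; the message mirrors the
// "too many results: wanted 1, got 68" error quoted in the issue.
var errNotFound = errors.New("allowed principal not found")

type tooManyResultsError struct{ want, got int }

func (e *tooManyResultsError) Error() string {
	return fmt.Sprintf("too many results: wanted %d, got %d", e.want, e.got)
}

// assertSingleResult is the exactly-one check. Feeding it the unfiltered output of
// DescribeVpcEndpointServicePermissions reproduces the bug: with two principals
// attached it reports "wanted 1, got 2".
func assertSingleResult(out []*allowedPrincipal) (*allowedPrincipal, error) {
	switch len(out) {
	case 0:
		return nil, errNotFound
	case 1:
		return out[0], nil
	default:
		return nil, &tooManyResultsError{want: 1, got: len(out)}
	}
}

// findByPrincipalARN (hypothetical name) narrows the attached list to the ARN this
// resource manages before the exactly-one check, so sibling principals no longer
// trip the error. A principal that is not attached still surfaces as errNotFound.
func findByPrincipalARN(attached []*allowedPrincipal, arn string) (*allowedPrincipal, error) {
	var matches []*allowedPrincipal
	for _, p := range attached {
		if p != nil && p.Principal != nil && *p.Principal == arn {
			matches = append(matches, p)
		}
	}
	return assertSingleResult(matches)
}
```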

@robh007 robh007 added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Apr 21, 2023
@github-actions github-actions bot added the service/vpc Issues and PRs that pertain to the vpc service. label Apr 21, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@arthosdevelops

Thanks for raising this, we are also facing this issue right now and it is blocking our pipelines. Are there some workarounds for this? (Preferably we would like to wait for the bug fix if it would be released soon.)

@thepoppingone

@arthosdevelops I think the best way for you now is to roll back to 1 version prior and lock it at that version for the moment.

@sfrycertinia

This is causing our deployment pipeline to fail. We would love to be able to keep tracking the latest provider version, rather than nailing it in to be forgotten. A fix would be much appreciated.

@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Apr 25, 2023
@github-actions github-actions bot added this to the v4.65.0 milestone Apr 26, 2023
@github-actions

This functionality has been released in v4.65.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 28, 2023