[Enhancement]: Changed id to use the ServicePermissionID - the ID of the actual resource.

[robh007]

Description

Relations

Closes #27599

References

This change provides a usable ID & supports the ability to apply tags to the service principal using ec2_tags resource type.

Output from Acceptance Testing

make testacc TESTS=TestAccVPCEndpointServiceAllowedPrincipal_basic PKG=ec2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/ec2/... -v -count 1 -parallel 20 -run='TestAccVPCEndpointServiceAllowedPrincipal_basic'  -timeout 180m
=== RUN   TestAccVPCEndpointServiceAllowedPrincipal_basic
=== PAUSE TestAccVPCEndpointServiceAllowedPrincipal_basic
=== CONT  TestAccVPCEndpointServiceAllowedPrincipal_basic
--- PASS: TestAccVPCEndpointServiceAllowedPrincipal_basic (325.10s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/ec2        329.724s

...

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

• Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
• Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

[gdavison]

Thanks for the PR, @robh007 🚀

--- PASS: TestAccVPCEndpointServiceAllowedPrincipal_tags (238.74s)
--- PASS: TestAccVPCEndpointServiceAllowedPrincipal_basic (247.72s)
--- PASS: TestAccVPCEndpointServiceAllowedPrincipal_migrateID (275.04s)
--- PASS: TestAccVPCEndpointServiceAllowedPrincipal_migrateAndTag (311.48s)

[github-actions]

This functionality has been released in v4.64.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[asvinours]

I suspect this change might have introduced a bug.
On AWS provider v4.63.X, our code is behaving properly, but on AWS provider 4.64.X it is throwing an error:

data "aws_vpc_endpoint_service" "this" {
  service_name = var.vpc_endpoint_service
}

resource "aws_vpc_endpoint_service_allowed_principal" "this" {
  vpc_endpoint_service_id = data.aws_vpc_endpoint_service.this.service_id
  principal_arn           = "arn:aws:iam::${var.aws_account_id}:root"
}

error:

 │ Error: reading EC2 VPC Endpoint Service (vpce-svc-fake-id) Allowed Principal (arn:aws:iam::123456789012:root): too many results: wanted 1, got 68
 │ 
 │   with aws_vpc_endpoint_service_allowed_principal.this,
 │   on main.tf line 5, in resource "aws_vpc_endpoint_service_allowed_principal" "this":
 │    5: resource "aws_vpc_endpoint_service_allowed_principal" "this" {
 │ 
 ╵

[robh007]

@asvinours Yes, it looks to be on the read, if you check the service the allowed_principal does get updated. Then the read happens, there was some additional code changes to my original pull request which changed the way the read worked. I've checked locally with my branch & I'm able to add additional principals without issue.

terraform-provider-aws/internal/service/ec2/find.go

Lines 3348 to 3353 in 746e737

	func FindVPCEndpointServicePermissionsByServiceID(ctx context.Context, conn *ec2.EC2, id string) ([]*ec2.AllowedPrincipal, error) {
	input := &ec2.DescribeVpcEndpointServicePermissionsInput{
	ServiceId: aws.String(id),
	}
	return FindVPCEndpointServicePermissions(ctx, conn, input)

This code be modified to include a filter for the PrincipalArn.

func FindVPCEndpointServicePermissionsByID(ctx context.Context, conn *ec2.EC2, id, principalARN string) ([]*ec2.AllowedPrincipal, error) {
	input := &ec2.DescribeVpcEndpointServicePermissionsInput{
		ServiceId: aws.String(id),
		Filters: BuildAttributeFilterList(map[string]string{
			"principal": principalARN,
		}),
	}

	return FindVPCEndpointServicePermissions(ctx, conn, input)
}

But there maybe an issue with vpc_endpoint_service

[asvinours]

That VPC service in our AWS account has 68 different allowed principals, maybe the issue arises with existing VPC services that have more than one allowed principal?

[robh007]

@asvinours Yes that's correct, I've opened a bug #30873. I may look to provide a fix over the weekend, with additional tests for more than one principal.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.