AWS VPC Endpoint for S3 with Terraform - Error: multiple VPC Endpoint Services matched

Question

AWS VPC Endpoint for S3 with Terraform - Error: multiple VPC Endpoint Services matched

I'm using aws_vpc_endpoint_service in Terraform (v0.11.14) to create an AWS VPC Endpoint for S3 on my AWS account and recently started facing the following error: Error: multiple VPC Endpoint Services matched; use additional constraints to reduce matches to a single VPC Endpoint Service

The same code was working fine before. What's the resolution?

2

amazon-web-services amazon-s3 terraform amazon-vpc vpc-endpoint

Источник

user11758843 12 фев '21 в 16:06

2 ответа

Решение

For aws provider < v3.10.0 the problem could be solved using the filter configuration block in aws_vpc_endpoint_service

      data "aws_vpc_endpoint_service" "s3" {
  service = "s3"
  filter {
    name   = "service-type"
    values = ["Gateway"]
  }
}
    
resource "aws_vpc_endpoint" "s3" {
  vpc_id       = "${aws_vpc.vpc.id}"
  service_name = "${data.aws_vpc_endpoint_service.s3.service_name}"
}

See also github issue page https://github.com/hashicorp/terraform-provider-aws/issues/17417

1

Источник

user5460617 02 мар '21 в 16:33

Другие вопросы по тегам amazon-web-services amazon-s3 terraform amazon-vpc vpc-endpoint

user11758843 12 фев '21 в 16:06 2021-02-12 16:06 · Accepted Answer · 2021-02-12 16:06

I have found the resolution.

Causes of the Issue:

AWS have just released a new feature in S3 (PrivateLink) which means that multiple results are now being returned when searching for the S3 endpoint service. Reference: Amazon S3 now supports AWS PrivateLink
Singular data sources in the Terraform AWS Provider (like aws_vpc_endpoint_service) return an error if multiple results are returned.

Solution if AWS Provider Version >= v3.10.0:

Use the following in the Terraform template:

      data "aws_vpc_endpoint_service" "s3" {
  service      = "s3"
  service_type = "Gateway"
}

Solution if AWS Provider Version < v3.10.0:

If you are unable to update to a recent version of the provider, as a temporary workaround you can also use com.amazonaws.REGION.s3 as an endpoint value in downstream configurations rather than using the datasource.

Use the following in the Terraform template:

      data "aws_region" "current" {}

resource "aws_vpc_endpoint" "s3" {
  vpc_id       = "${local.vpc_id}"
  service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

That is all.

Previous code for reference that is not working anymore:

      data "aws_vpc_endpoint_service" "s3" {
  service = "s3"
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id       = "${local.vpc_id}"
  service_name = "${data.aws_vpc_endpoint_service.s3.service_name}"
}