aws_vpn_connection tagging #12535

Closed
david-wells-1 opened this issue Mar 26, 2020 · 4 comments · Fixed by #8457
Labels
new-resource Introduces a new resource. service/ec2 Issues and PRs that pertain to the ec2 service.

@david-wells-1
Contributor

david-wells-1 commented Mar 26, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

  • 0.12.20

Affected Resource(s)

  • aws_vpn_connection

Terraform Configuration Files

resource "aws_vpn_connection" "vpn_connections" {
  for_each              = var.vpn_config
  customer_gateway_id   = aws_customer_gateway.customer_gateways[each.key].id
  transit_gateway_id    = aws_ec2_transit_gateway.tgw.id
  type                  = aws_customer_gateway.customer_gateways[each.key].type
  tunnel1_preshared_key = aws_ssm_parameter.vpn_preshared_keys[each.key].value
  tunnel2_preshared_key = aws_ssm_parameter.vpn_preshared_keys[each.key].value

  tags = merge(var.default_tags, local.vpn_service_tag, {
    "Name" : "${each.value["name"]}-vpn"
  })
}

Debug Output

Panic Output

Expected Behavior

Actual Behavior

Steps to Reproduce

I have come across an unusual issue when using terraform v0.12.20 and tags in aws_vpn_connection - this is not an error, more an omission.

resource aws_vpn_connection is configured for a transit_gateway_id connection. The VPN connection is successfully created and tagged.

The resource aws_vpn_connection is also managing the attachment of the VPN connection to the Transit Gateway "under the hood". This also completes without error.

The issue I have is that the VPN connection Transit Gateway Attachment cannot be tagged.

It seems that resource aws_vpn_connection creates 2 resources but only tags 1.

The created site-to-site VPN Connection is tagged
The VPN connection to Transit Gateway attachment cannot be tagged

  1. terraform apply

Important Factoids

References

  • #0000
@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Mar 26, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 26, 2020
@ewbankkit
Contributor

@david-wells-1 Thanks for raising this. It seems like another use case for #9061, the ability to tag a (EC2 in this case) resource that is implicitly created by another resource.

@bflad bflad added new-resource Introduces a new resource. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 13, 2020
@bflad bflad added this to the v2.67.0 milestone Jun 13, 2020
@bflad
Contributor

bflad commented Jun 13, 2020

A new aws_ec2_tag resource for managing individual EC2 resource tags has been merged and will release with version 2.67.0 of the Terraform AWS Provider, later next week. This resource should only be used in cases where EC2 resources are created outside Terraform (e.g. AMIs), being shared via Resource Access Manager (RAM), or implicitly created by other means (e.g. Transit Gateway VPN Attachments).

# Example configuration in Terraform 0.12 and later syntax
resource "aws_ec2_transit_gateway" "example" {}

resource "aws_customer_gateway" "example" {
  bgp_asn    = 65000
  ip_address = "172.0.0.1"
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "example" {
  customer_gateway_id = aws_customer_gateway.example.id
  transit_gateway_id  = aws_ec2_transit_gateway.example.id
  type                = aws_customer_gateway.example.type
}

resource "aws_ec2_tag" "example" {
  resource_id = aws_vpn_connection.example.transit_gateway_attachment_id
  key         = "Name"
  value       = "Hello World"
}

As with any Terraform 0.12.6 or later configuration, this resource can be combined with for_each support to manage multiple resource tags, if necessary.

Thanks to @joestump and others who made the implementation possible. 👍
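
An added example, not part of the original comments or the provider's own documentation: one way to combine aws_ec2_tag with for_each so that every Transit Gateway attachment created implicitly by the issue's aws_vpn_connection.vpn_connections carries the same tag set as the VPN connection itself. It reuses var.vpn_config, var.default_tags and local.vpn_service_tag from the issue's configuration; the names attachment_tags and vpn_attachment and the "-vpn-attachment" Name suffix are assumptions.

```hcl
locals {
  # aws_ec2_tag manages exactly one tag on one resource, so build one map
  # entry per (VPN connection, tag key) pair. The map keys come only from
  # var.vpn_config and the tag maps, so they are known at plan time, which
  # for_each requires.
  attachment_tags = {
    for pair in flatten([
      for conn_key, conn in var.vpn_config : [
        for tag_key, tag_value in merge(
          var.default_tags,
          local.vpn_service_tag,
          # Assumed naming convention for the attachment, chosen for this example.
          { Name = "${conn["name"]}-vpn-attachment" }
          ) : {
          id        = "${conn_key}/${tag_key}"
          conn_key  = conn_key
          tag_key   = tag_key
          tag_value = tag_value
        }
      ]
    ]) : pair.id => pair
  }
}

# Requires version 2.67.0 or later of the Terraform AWS Provider.
resource "aws_ec2_tag" "vpn_attachment" {
  for_each = local.attachment_tags

  # The attachment ID is exported by the VPN connection that created it.
  resource_id = aws_vpn_connection.vpn_connections[each.value.conn_key].transit_gateway_attachment_id
  key         = each.value.tag_key
  value       = each.value.tag_value
}
```

Tagging the attachment this way keeps it visible to any tag-based inventory, cost allocation or policy checks that already cover the VPN connection.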

@ghost

ghost commented Jun 19, 2020

This has been released in version 2.67.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Jul 13, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 13, 2020