
Conflicting DNS domain for codeartifact #17269

Closed
rubytobi opened this issue Jan 24, 2021 · 3 comments
Labels
  • question: A question about existing functionality; most questions are re-routed to discuss.hashicorp.com.
  • service/ec2: Issues and PRs that pertain to the ec2 service.

Comments


rubytobi commented Jan 24, 2021

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.5

  • provider registry.terraform.io/hashicorp/aws v3.21.0
  • provider registry.terraform.io/hashicorp/external v2.0.0
  • provider registry.terraform.io/hashicorp/random v3.0.0
  • provider registry.terraform.io/hashicorp/template v2.2.0
  • provider registry.terraform.io/hashicorp/tls v3.0.0

Affected Resource(s)

  • aws_vpc_endpoint

Terraform Configuration Files

# Interface endpoint for the CodeArtifact repositories service; this one
# must have private DNS enabled (see the AWS quote under References).
resource "aws_vpc_endpoint" "interface-codeartifact-repositories" {
  service_name      = "com.amazonaws.ap-southeast-2.codeartifact.repositories"
  vpc_endpoint_type = "Interface"
  vpc_id            = aws_vpc.vpc.id

  private_dns_enabled = true

  subnet_ids = [
    aws_subnet.private-aza.id,
    aws_subnet.private-azb.id,
    aws_subnet.private-azc.id
  ]

  security_group_ids = [
    aws_security_group.interface-sg.id
  ]
}

# Interface endpoint for the CodeArtifact API service. Both services share the
# private DNS domain codeartifact.ap-southeast-2.amazonaws.com, so creating
# this endpoint with private_dns_enabled = true fails with the 400 below.
resource "aws_vpc_endpoint" "interface-codeartifact-api" {
  service_name      = "com.amazonaws.ap-southeast-2.codeartifact.api"
  vpc_endpoint_type = "Interface"
  vpc_id            = aws_vpc.vpc.id

  private_dns_enabled = true

  # Ordering only; it does not avoid the DNS domain conflict.
  depends_on = [
    aws_vpc_endpoint.interface-codeartifact-repositories
  ]

  subnet_ids = [
    aws_subnet.private-aza.id,
    aws_subnet.private-azb.id,
    aws_subnet.private-azc.id
  ]

  security_group_ids = [
    aws_security_group.interface-sg.id
  ]
}

Debug Output

Expected Behavior

Both VPC endpoints should have been created without problems.

Actual Behavior

Error: Error creating VPC Endpoint: InvalidParameter: private-dns-enabled cannot be set because there is already a conflicting DNS domain for codeartifact.ap-southeast-2.amazonaws.com in the VPC vpc-xxx
        status code: 400, request id: 5c131b4b-***

The issue is that both VPC endpoints have overlapping DNS entries. The EC2/VPC service checks at creation time (private_dns_enabled = true) for such an overlap and errors out with the above 400 message. If the second VPC endpoint is created with private_dns_enabled = false and then changed to private_dns_enabled = true, AWS does not validate the DNS entries and successfully creates both VPC endpoints.

AWS acknowledges the problem on their VPC endpoints for CodeArtifact page (see quote and link below). After speaking with support, we came up with the multi-step workaround.

Is this something the Terraform provider could implement and automatically execute?

Steps to Reproduce

  1. terraform apply

References

When you create a codeartifact.repositories endpoint, you must create a private DNS hostname using the --private-dns-enabled option. However, because multiple private DNS hostnames are not currently supported for the codeartifact.api and codeartifact.repositories endpoints, use the --no-private-dns-enabled option for codeartifact.api.
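As an added pre-flight check (not code from the issue, the provider, or AWS), the script below assumes the field names `ServiceName` and `PrivateDnsName` from the output of `aws ec2 describe-vpc-endpoint-services` and embeds a constructed sample of that output; it flags planned endpoints that would claim the same private DNS name and derives the first-apply stage of the two-step workaround described above, where only the service that must keep private DNS stays enabled.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `aws ec2 describe-vpc-endpoint-services`
# output, trimmed to the two fields used below; not taken from a real account.
SERVICE_CATALOG = json.loads("""{
  "ServiceDetails": [
    {"ServiceName": "com.amazonaws.ap-southeast-2.codeartifact.api",
     "PrivateDnsName": "codeartifact.ap-southeast-2.amazonaws.com"},
    {"ServiceName": "com.amazonaws.ap-southeast-2.codeartifact.repositories",
     "PrivateDnsName": "codeartifact.ap-southeast-2.amazonaws.com"},
    {"ServiceName": "com.amazonaws.ap-southeast-2.sts",
     "PrivateDnsName": "sts.ap-southeast-2.amazonaws.com"}
  ]
}""")

def private_dns_names(catalog):
    """Map ServiceName -> PrivateDnsName for every service that offers one."""
    return {s["ServiceName"]: s["PrivateDnsName"]
            for s in catalog["ServiceDetails"] if s.get("PrivateDnsName")}

def find_conflicts(planned, catalog):
    """planned maps service name -> private_dns_enabled.

    Returns {private_dns_name: [service names]} for every private DNS name
    that more than one planned endpoint would claim with private DNS on;
    each such group trips the InvalidParameter 400 on the second create."""
    names = private_dns_names(catalog)
    by_dns = defaultdict(list)
    for service, enabled in planned.items():
        if enabled and service in names:
            by_dns[names[service]].append(service)
    return {dns: sorted(svcs) for dns, svcs in by_dns.items() if len(svcs) > 1}

def staged_plan(planned, catalog, keep):
    """First-apply version of `planned` for the two-step workaround: in each
    conflicting group only the services listed in `keep` (here
    codeartifact.repositories, which AWS says must have private DNS) stay
    enabled; the rest are set to False and can be re-enabled in a second apply."""
    staged = dict(planned)
    for services in find_conflicts(planned, catalog).values():
        for service in services:
            if service not in keep:
                staged[service] = False
    return staged

if __name__ == "__main__":
    wanted = {s: True for s in private_dns_names(SERVICE_CATALOG)}
    keep = {"com.amazonaws.ap-southeast-2.codeartifact.repositories"}
    print(json.dumps(staged_plan(wanted, SERVICE_CATALOG, keep), indent=2))
```

Run it against the real catalog by replacing SERVICE_CATALOG with the parsed CLI output; the second apply then flips the disabled services back to true, which is the step AWS does not validate.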

@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 24, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 24, 2021
@DrFaust92 DrFaust92 added question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. and removed needs-triage Waiting for first response or review from a maintainer. labels Jan 24, 2021
DrFaust92 (Collaborator) commented:

This seems like a server-side issue for VPC/EC2/CodeArtifact. Any changes to overcome this might become a maintenance burden and can have unforeseen results for endpoints for other services. I don't think any action should be taken from the Terraform AWS provider side.

@DrFaust92 DrFaust92 added the waiting-response Maintainers are waiting on response from community or contributor. label Jan 25, 2021
DrFaust92 (Collaborator) commented:

Closing for lack of response.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Dec 29, 2021
github-actions bot commented:

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 24, 2022