Terraform DataSource failing to resolve ID for endpoint

Time:11-18

Following https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html, I want to ensure all DynamoDB access is through the gateway endpoint.

I want to use a data source to filter down the gateway details:

data "aws_vpc_endpoint_service" "dynamodb" {
  service = "dynamodb"
  filter {
    name   = "service-type"
    values = ["Gateway"]
  }
}


data "aws_iam_policy_document" "policy" {
  statement {
    sid    = "policy"
    effect = "Allow"
    actions = [
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:Scan",
      "dynamodb:UpdateItem",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:sourceVpce"
      values   = [data.aws_vpc_endpoint_service.dynamodb.id]
    }
  }
}

resource "aws_iam_policy" "db" {
  name   = "policy"
  policy = data.aws_iam_policy_document.policy.json
  path   = "/"
}

This, though, isn't working. The plan is showing 9 digits rather than the endpoint ID:

 # aws_iam_policy.db will be created
    resource "aws_iam_policy" "db" {
        arn       = (known after apply)
        id        = (known after apply)
        name      = "policy"
        path      = "/"
        policy    = jsonencode(
            {
                Statement = [
                    {
                        Action    = [
                            "dynamodb:UpdateItem",
                            "dynamodb:Scan",
                            "dynamodb:PutItem",
                            "dynamodb:GetItem",
                        ]
                        Condition = {
                            StringEquals = {
                                aws:sourceVpce = "808703518"
                            }
                        }
                        Effect    = "Allow"
                        Resource  = "*"
                        Sid       = "policy"
                    },
                ]
                Version   = "2012-10-17"
            }
        )
        policy_id = (known after apply)
        tags_all  = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Can anyone suggest where I have gone wrong?
Changing the attribute to "arn" from "id" correctly populates the ARN. I am just unable to return the correct DynamoDB endpoint ID.

CodePudding user response:

You need to use the service_id property:

values = [data.aws_vpc_endpoint_service.dynamodb.service_id]

id is a "special" attribute that is used by Terraform to uniquely identify the resource. Generally speaking, you never really want to use it.
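As an added example (not code from the question or the answer above), the configuration below looks up the gateway endpoint itself with the aws_vpc_endpoint data source, whose id is the vpce-... value that the aws:sourceVpce condition key compares against, and adds a precondition so that a value of the wrong shape fails at plan time instead of producing a condition that never matches. It assumes the gateway endpoint already exists in the VPC and that var.vpc_id and var.region are defined elsewhere.

```hcl
# Assumed inputs (not from the page): the VPC holding the gateway endpoint
# and the region used to build the DynamoDB service name.
variable "vpc_id" { type = string }
variable "region" { type = string }

# Look up the endpoint in the VPC, not the service: the endpoint's id is the
# "vpce-..." identifier that aws:sourceVpce is evaluated against.
data "aws_vpc_endpoint" "dynamodb" {
  vpc_id       = var.vpc_id
  service_name = "com.amazonaws.${var.region}.dynamodb"
}

data "aws_iam_policy_document" "policy" {
  statement {
    sid    = "AllowDynamoDBViaGatewayEndpoint"
    effect = "Allow"
    actions = [
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:Scan",
      "dynamodb:UpdateItem",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:sourceVpce"
      values   = [data.aws_vpc_endpoint.dynamodb.id]
    }
  }
}

resource "aws_iam_policy" "db" {
  name   = "policy"
  path   = "/"
  policy = data.aws_iam_policy_document.policy.json

  lifecycle {
    # Refuse to apply a policy whose condition value is not an endpoint ID;
    # a mismatched value would silently make the Allow statement inert.
    precondition {
      condition     = can(regex("^vpce-[0-9a-f]+$", data.aws_vpc_endpoint.dynamodb.id))
      error_message = "aws:sourceVpce must be a VPC endpoint ID (vpce-...), got ${data.aws_vpc_endpoint.dynamodb.id}."
    }
  }
}
```

An Allow statement scoped this way only grants access through the endpoint; whether requests arriving from outside the VPC are actually blocked depends on the other policies attached to the principal.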
