terraform-provider-aws: Notice: `aws_vpc_endpoint_service`: Error: multiple VPC Endpoint Services matched

Problem

For those users who are encountering the following error when using the aws_vpc_endpoint_service data source:

Error: multiple VPC Endpoint Services matched; use additional constraints to reduce matches to a single VPC Endpoint Service

  • AWS have just released a new feature in S3 (PrivateLink) which means that multiple results are now being returned when searching for the S3 endpoint service.
  • Singular data sources in the Terraform AWS Provider (like aws_vpc_endpoint_service) return an error if multiple results are returned.

Configuration changes required to resolve the issue

Add a filter block to select a service type, e.g.

data "aws_vpc_endpoint_service" "s3" {
  service = "s3"

  filter {
    name   = "service-type"
    values = ["Gateway"]
  }
}

For provider versions v3.10.0 and up, it is also possible to use the service_type argument for simplifying the configuration:

data "aws_vpc_endpoint_service" "s3" {
  service      = "s3"
  service_type = "Gateway"
}

Please note that if you are using a Terraform module that relies on this data source, the module itself will need to be updated. Terraform modules are not maintained by HashiCorp, so you will need to reach out to the module's maintainers to make that configuration update.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 13
  • Comments: 21

Most upvoted comments

@fazalmasood This is because you are using provider version 2.70.0. I mentioned the fix for that provider version just above. You essentially need to get rid of the data source, but if you can’t I also listed an alternative method further up in the issue.

Guys, I got another workaround for this issue. I removed the data section and integrated with endpoint resource.

resource "aws_vpc_endpoint" "s3" {
  # Terraform 0.11-style interpolation; in 0.12+ the "${...}" wrapper is not needed
  count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}"

  vpc_id            = "XXXX"
  service_name      = "com.amazonaws.${var.aws_region}.s3"
  vpc_endpoint_type = "Gateway"

  tags = {
    Name = "XXXXX"
  }
}

Fantastic 🎉 , confirmed this is supported with provider 2.70.0

Here’s how we implemented

data "aws_region" "current" {}

resource "aws_vpc_endpoint" "s3" {
  count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0

  vpc_id            = local.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = var.s3_vpc_endpoint_type # default = "Gateway"
  tags              = local.vpce_tags
}


See better solution below

Workaround for now is to tag the service endpoint:

aws ec2 create-tags --resources vpce-svc-***** --tags Key=type,Value=gateway --region us-east-1

Then in terraform

data "aws_vpc_endpoint_service" "s3" {
  count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0

  service = "s3"
  filter {
    name   = "tag:type"
    values = ["gateway"]
  }
}

Update: AWS added a new filter to the DescribeVpcEndpointServices API which will now allow for this:

data "aws_vpc_endpoint_service" "s3" {
  count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0

  service = "s3"
  filter {
    name   = "service-type"
    values = ["Gateway"]
  }
}

This is new API functionality that will work with any client, independent of Terraform/provider versions.
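The notice at the top of the issue and the two filter forms in this comment (the `tag:type` workaround and the newer `service-type` filter) all come down to the same mechanism: the singular data source must narrow the DescribeVpcEndpointServices result to exactly one entry, and errors otherwise. The Python below is an added illustration of that selection logic, not provider code and not code posted in this thread. It runs against a constructed response that mirrors the `ServiceDetails` shape of the EC2 API (placeholder service IDs, sample tags), derives the service name the same way the data source does from `service` and the region, and accepts the general `service-name`, `service-type` and `tag:<key>` filter forms; a real lookup would pass `to_api_filters(...)` to `boto3.client("ec2").describe_vpc_endpoint_services(Filters=...)`.

```python
"""Added illustration of why aws_vpc_endpoint_service errors on S3 and how
each filter in this thread narrows the result.

The ServiceDetails entries below are constructed to mirror the shape of the
EC2 DescribeVpcEndpointServices response; the service IDs are placeholders.
"""

# Constructed sample: since PrivateLink for S3, the single S3 service name
# resolves to two ServiceDetails entries, one per endpoint type.
SAMPLE_SERVICE_DETAILS = [
    {
        "ServiceName": "com.amazonaws.us-east-1.s3",
        "ServiceId": "vpce-svc-PLACEHOLDER-s3-gateway",
        "ServiceType": [{"ServiceType": "Gateway"}],
        "Tags": [{"Key": "type", "Value": "gateway"}],  # the tagging workaround
    },
    {
        "ServiceName": "com.amazonaws.us-east-1.s3",
        "ServiceId": "vpce-svc-PLACEHOLDER-s3-interface",
        "ServiceType": [{"ServiceType": "Interface"}],
        "Tags": [],
    },
    {
        "ServiceName": "com.amazonaws.us-east-1.dynamodb",
        "ServiceId": "vpce-svc-PLACEHOLDER-dynamodb",
        "ServiceType": [{"ServiceType": "Gateway"}],
        "Tags": [],
    },
]


class MultipleMatchesError(LookupError):
    """Raised when a singular lookup would resolve to more than one service."""


def _matches(detail, name, values):
    """Evaluate one DescribeVpcEndpointServices-style filter against one entry."""
    if name == "service-name":
        return detail["ServiceName"] in values
    if name == "service-type":
        return any(t["ServiceType"] in values for t in detail["ServiceType"])
    if name.startswith("tag:"):
        key = name[len("tag:"):]
        return any(t["Key"] == key and t["Value"] in values
                   for t in detail.get("Tags", []))
    raise ValueError(f"unsupported filter name: {name!r}")


def to_api_filters(filters):
    """Turn {name: [values]} into the Filters list the EC2 API expects."""
    return [{"Name": name, "Values": list(values)} for name, values in filters.items()]


def find_services(details, service, region, filters=None):
    """Mirror the data source: `service` becomes com.amazonaws.<region>.<service>,
    and every additional filter must also match."""
    wanted = {"service-name": [f"com.amazonaws.{region}.{service}"]}
    wanted.update(filters or {})
    return [d for d in details
            if all(_matches(d, name, values) for name, values in wanted.items())]


def select_single_service(details, service, region, filters=None):
    """Singular-data-source semantics: exactly one match, or an error."""
    hits = find_services(details, service, region, filters)
    if not hits:
        raise LookupError("no matching VPC Endpoint Service found")
    if len(hits) > 1:
        raise MultipleMatchesError(
            "multiple VPC Endpoint Services matched; use additional constraints "
            "to reduce matches to a single VPC Endpoint Service")
    return hits[0]


if __name__ == "__main__":
    try:
        select_single_service(SAMPLE_SERVICE_DETAILS, "s3", "us-east-1")
    except MultipleMatchesError as exc:
        print("unfiltered lookup:", exc)
    for extra in ({"service-type": ["Gateway"]}, {"tag:type": ["gateway"]}):
        chosen = select_single_service(SAMPLE_SERVICE_DETAILS, "s3", "us-east-1", extra)
        print(to_api_filters(extra), "->", chosen["ServiceId"])
```

Run stand-alone it prints the unfiltered error first, then the single Gateway service ID for each of the two filter forms. The tag-based form only works where someone has applied that tag, which is why the `service-type` filter (server-side, no extra state) is the better long-term choice.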

The configuration fix is to specify the service_type argument, which was added in Terraform AWS Provider version 3.10.0:

data "aws_vpc_endpoint_service" "s3" {
  service      = "s3"
  service_type = "Gateway"
}

Using AWS provider version 3.24.1 and with the solution above still getting the same error.

Update: upgrading terraform vpc module to latest version has helped solve the issue.

FYI that v2.74.0 of the terraform-aws-vpc module was updated to be compatible with v2 and v3 of the terraform AWS provider.

@kjsingh That may have been it. I’ve just removed that data block and ran plan with no errors. Still need to do some other testing but this is looking much better than it did a few hours ago.