terraform-provider-aws: Unable to assume role with a specified STS endpoint

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.12.29
provider.aws v3.0.0

Affected Resource(s)

  • aws (Provider)

Terraform Configuration Files

provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::XXXXXXXXXXXX:role/test"  # Role with source VPC condition
  }
  endpoints {
    sts = "https://sts.eu-west-1.amazonaws.com"
  }
}

resource "aws_iam_user" "test" {
  name = "test"
}

Debug Output

https://gist.github.com/xlz-jgoutin/f2d8e56f8ff179e8dc67dced38f15196

Panic Output

Expected Behavior

Assume role with success

Actual Behavior

Assume role fails due to the VPC condition (like when the endpoint is not specified).

Steps to Reproduce

  1. terraform apply

Important Factoids

  • The role has a condition that allows it to be assumed only from a specific VPC in the eu-west-1 region
  • The VPC in the eu-west-1 region has an STS VPC endpoint.
  • No issue when assuming the role using awscli with the “--endpoint-url https://sts.eu-west-1.amazonaws.com” argument.
  • No issue when using “AWS_STS_REGIONAL_ENDPOINTS” (but this does not allow forcing an endpoint in a different region than the managed one)

References

  • #14077: From changelog “provider: Ensure configured STS endpoint is used during AssumeRole API calls”
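For reference, the setup the report describes (a role whose trust policy only allows AssumeRole from one VPC, reached through an STS interface endpoint) looks roughly like the following. This is an added example, not configuration from the issue or the provider; the variable names, the role name and the endpoint region are assumptions, and the condition only matches when the AssumeRole call actually traverses that VPC endpoint.

```hcl
# Added example (not from the issue). Assumes var.vpc_id and
# var.private_subnet_ids describe the eu-west-1 VPC from the report.
variable "vpc_id" {
  type = string
}

variable "private_subnet_ids" {
  type = list(string)
}

data "aws_caller_identity" "current" {}

# STS interface endpoint inside the VPC. With private DNS enabled,
# sts.eu-west-1.amazonaws.com resolves to the endpoint from inside the VPC,
# so callers that use that regional hostname traverse it.
resource "aws_vpc_endpoint" "sts" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.eu-west-1.sts"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  private_dns_enabled = true
}

# Role that may only be assumed via the endpoint above. aws:SourceVpc is
# present only on requests that arrive through a VPC endpoint; a call sent
# to the global endpoint or to another region's endpoint carries no such
# key, so StringEquals fails and the AssumeRole is denied.
resource "aws_iam_role" "test" {
  name = "test"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
      Action    = "sts:AssumeRole"
      Condition = {
        StringEquals = { "aws:SourceVpc" = aws_vpc_endpoint.sts.vpc_id }
      }
    }]
  })
}
```

That denial is the behaviour the report observes: if the provider sends the AssumeRole call anywhere other than the configured regional endpoint, the request never passes through the endpoint and the condition cannot match.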

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 15
  • Comments: 16 (9 by maintainers)

Most upvoted comments

Would an attribute something like

provider "aws" {
  region = "us-west-2"

  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/test"

    sts_regional_endpoints = "regional"
  }
}

be of use so that the AWS_STS_REGIONAL_ENDPOINTS environment variable does not need to be set?

The cross-region case is more complex and will require specifying a signing region for the STS AssumeRole request (else the signing region is either us-east-1 or the provider’s region if AWS_STS_REGIONAL_ENDPOINTS=regional).