aws_ec2_client_vpn_endpoint connection_log_options always needs to be updated

[bploetz]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.12.31
+ provider.aws v3.64.2

Affected Resource(s)

• aws_ec2_client_vpn_endpoint

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

resource "aws_ec2_client_vpn_endpoint" "my_app" {
  client_cidr_block = var.client_cidr_block
  split_tunnel = true
  server_certificate_arn = var.tls_certificate_arn

  authentication_options {
    type = "federated-authentication"
    saml_provider_arn = aws_iam_saml_provider.my_app.arn
  }

  connection_log_options {   # <------- HERE
    enabled = true
    cloudwatch_log_group = aws_cloudwatch_log_group.client_vpn_server.name
  }

  dns_servers = [
    aws_route53_resolver_endpoint.client_vpn_dns.ip_address.*.ip[0], 
    aws_route53_resolver_endpoint.client_vpn_dns.ip_address.*.ip[1]
  ]

  tags = {
    Name = "my-app-${var.env_name}"
  }
}

Debug Output

Panic Output

Expected Behavior

The documentation for the aws_ec2_client_vpn_endpoint resource connection_log_options argument
(https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_endpoint#connection_log_options-argument-reference) says ONE of cloudwatch_log_group or cloudwatch_log_stream must be specified. However when I only set cloudwatch_log_group, every time I run plan it says it needs to update the aws_ec2_client_vpn_endpoint connection_log_options.cloudwatch_log_stream from a value to null.

Actual Behavior

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.client_vpn.aws_ec2_client_vpn_endpoint.my_app will be updated in-place
  ~ resource "aws_ec2_client_vpn_endpoint" "my_app" {
        arn                    = "arn:aws:ec2:XX-XXXXX-1:XXXXXXXXXXXX:client-vpn-endpoint/cvpn-endpoint-XXXXXXXXXXXXXXXXX"
        client_cidr_block      = "XX.XX.XX.XX/XX"
        dns_name               = "*.cvpn-endpoint-XXXXXXXXXXXXXXXXX.prod.clientvpn.XX-XXXX-1.amazonaws.com"
        dns_servers            = [
            "XX.XX.XX.XX",
            "XX.XX.XX.XX",
        ]
        id                     = "cvpn-endpoint-XXXXXXXXXXXXXXXXX"
        self_service_portal    = "disabled"
        server_certificate_arn = "arn:aws:acm:XX-XXXX-1:XXXXXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
        split_tunnel           = true
        status                 = "available"
        tags                   = {
            "Name" = "XXXXXXX"
        }
        tags_all               = {
            "Name" = "XXXXXXXX"
        }
        transport_protocol     = "udp"

        authentication_options {
            saml_provider_arn = "arn:aws:iam::XXXXXXXXXXXX:saml-provider/XXXXXXXXXXXXXXXXX"
            type              = "federated-authentication"
        }

      ~ connection_log_options {
            cloudwatch_log_group  = "XXXXXXXXXXXXX"
          - cloudwatch_log_stream = "cvpn-endpoint-XXXXXXXXXXXX-XX-XXXX-1-2021/12/15-3Ca43TLZuqzA" -> null
            enabled               = true
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

1. terraform plan

Important Factoids

References

• #0000

[github-actions]

This functionality has been released in v4.0.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.