
Provider: AWS

Region: us-east-1

Terraform: v1.0.4

When attempting to create a route table:

resource "aws_vpc_endpoint_route_table_association" "dynamodb_route_table" {
  # One association per private route table exported by the VPC module
  count           = length(module.vpc.private_route_table_ids)
  vpc_endpoint_id = aws_vpc_endpoint.dynamodb_connection.id
  route_table_id  = element(module.vpc.private_route_table_ids, count.index)

  depends_on = [aws_vpc_endpoint.dynamodb_connection]
}

with the following route:

resource "aws_route" "subnet_to_vpce" {
  count                  = length(module.vpc.private_route_table_ids)
  route_table_id         = element(module.vpc.private_route_table_ids, count.index)
  vpc_endpoint_id        = aws_vpc_endpoint.dynamodb_connection.id
  destination_cidr_block = element(module.vpc.private_subnets_cidr_blocks, count.index)

  depends_on = [aws_vpc_endpoint.dynamodb_connection]
}

which reference the vpc endpoint created in the following way:

resource "aws_vpc_endpoint" "dynamodb_connection" {
  vpc_id       = module.vpc.vpc_id
  service_name = "com.amazonaws.${var.aws_region}.dynamodb"

  # Endpoint policy as posted: any principal, any action, any resource.
  # The endpoint policy is the place where this can be narrowed later.
  policy = jsonencode({
    Statement = [{
      Action    = "*"
      Effect    = "Allow"
      Resource  = "*"
      Principal = "*"
    }]
  })
}

I get the following error:

Error: error creating Route in Route Table (rtb-xxxxxxxxxxxxxxxxx) with destination (10.xx.x.x/24): InvalidVpcEndpointId.NotFound: The vpcEndpoint ID 'vpce-xxxxxxxxxxxxxxxxx' does not exist.

However, the vpc endpoint itself was created successfully. I see it in the tfstate file and when I log into the AWS Console and check, I can see the vpc endpoint with the exact id found in the error.

I retried after waiting an hour, but still nothing.

Not sure if I'm doing something wrong or if this is a bug.

Kevin Glick
  • There is nothing seemingly wrong with the code. The only reason I can think of is that there may be some race condition. So maybe `aws_vpc_endpoint_route_table_association` is being applied when `dynamodb_connection` is still being created. Can you check how long it takes to create the endpoint using the AWS console, and see if TF marks success before it is actually in the available state? – Marcin Oct 20 '21 at 22:34
  • Can you also include the Terraform code for the 10.x.x.x route that is being added to the table as that appears to be what is triggering the error. – clockworknet Oct 21 '21 at 06:40
  • @clockworknet edited the post to add the route – Kevin Glick Oct 21 '21 at 13:12
  • @Marcin I added a depends-on clause `depends_on = [aws_vpc_endpoint.dynamodb_connection]` and retried, but I got the same error. Also verified in the console that the VPC Endpoint has a status of 'Available'. – Kevin Glick Oct 21 '21 at 13:16
  • Maybe the resources are created in different regions? Are the `provider "aws"` block's `region` and `var.aws_region` the same? – rzlvmp Oct 21 '21 at 13:34
  • What happens if you remove the `aws_route` resource entirely? Is the association resource created OK, and does it add entries into the private RTs for you? – clockworknet Oct 21 '21 at 14:18
  • If nothing helps, make sure you are using the latest TF version and AWS provider (please upgrade both). Maybe it was a bug, and since you are using old versions, it hasn't been addressed yet. – Marcin Oct 22 '21 at 00:05
  • I had a similar issue (would be nice to see your aws_route_table resource code). In my case, I was creating a private subnet. I made it work by defining an aws_route_table with no routes, and connected the vpc_endpoint (S3 service) using an aws_vpc_endpoint_route_table_association. – PEC Mar 09 '22 at 13:26

1 Answer

I encountered the same error and solved it as follows:

resource "aws_route" "subnet_to_vpce" {
  count          = length(module.vpc.private_route_table_ids)
  route_table_id = element(module.vpc.private_route_table_ids, count.index)

  # Remove vpc_endpoint_id and add gateway_id. The managed prefix list ID of
  # DynamoDB is automatically added to the route, so you don't have to set
  # vpc_endpoint_id on the route yourself.
  gateway_id             = local
  destination_cidr_block = element(module.vpc.private_subnets_cidr_blocks, count.index)

  depends_on = [aws_vpc_endpoint.dynamodb_connection]
}

resource "aws_vpc_endpoint" "dynamodb_connection" {
  vpc_id       = module.vpc.vpc_id
  service_name = "com.amazonaws.${var.aws_region}.dynamodb"

  # Add route_table_ids in the aws_vpc_endpoint resource
  # (aws_route_table.subnet_to_vpce is the answerer's own route table resource, not shown here).
  route_table_ids = [aws_route_table.subnet_to_vpce.id]

  policy = jsonencode({
    Statement = [{
      Action    = "*"
      Effect    = "Allow"
      Resource  = "*"
      Principal = "*"
    }]
  })
}
mom0tomo
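The approach from the answer assembled into a complete configuration, added here as an illustration and not the answerer's or the question's code. A DynamoDB endpoint is a gateway endpoint: attaching the route tables through `route_table_ids` makes AWS insert the prefix-list route itself, and there is no `aws_route` resource at all (the EC2 CreateRoute `VpcEndpointId` parameter is only supported for Gateway Load Balancer endpoints, which is why the question's `aws_route` fails with NotFound). The endpoint policy is also narrowed from `*` to one table and the verbs the workload needs. `module.vpc`, `var.aws_region` and `var.dynamodb_table_arn` are assumed to be defined elsewhere.

```hcl
# Added illustration, not code from the thread. Assumes module.vpc exports
# vpc_id and private_route_table_ids, and that var.aws_region and
# var.dynamodb_table_arn (the table's ARN) are declared elsewhere.

resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id            = module.vpc.vpc_id
  service_name      = "com.amazonaws.${var.aws_region}.dynamodb"
  vpc_endpoint_type = "Gateway" # gateway endpoint: routed via a prefix list, no ENI

  # Attaching the private route tables here is what creates the
  # "pl-xxxx -> vpce-xxxx" route in each table. No aws_route is needed,
  # and an aws_route with vpc_endpoint_id would fail as in the question.
  route_table_ids = module.vpc.private_route_table_ids

  # Endpoint policy: only the application's table (and its indexes) and
  # only the actions it uses, instead of Allow * on * from any principal.
  # Callers still need matching IAM permissions; this policy only narrows
  # what can pass through the endpoint.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowOnlyAppTableViaEndpoint"
      Effect    = "Allow"
      Principal = "*"
      Action = [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
      ]
      Resource = [
        var.dynamodb_table_arn,
        "${var.dynamodb_table_arn}/index/*",
      ]
    }]
  })
}

# The prefix list AWS routes through; useful to confirm the routes were added.
output "dynamodb_prefix_list_id" {
  value = aws_vpc_endpoint.dynamodb.prefix_list_id
}
```

After `terraform apply`, `aws ec2 describe-route-tables --route-table-ids <one private rtb id>` should list a route whose `DestinationPrefixListId` equals the output above and whose `GatewayId` is the new `vpce-` ID.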