
ERROR: no matching VPC Endpoint found (error referring to data code block)

I am trying to retrieve multiple endpoints from a data "aws_vpc_endpoint" resource. I created locals to retrieve the service name for multiple endpoints that share the first few characters. After that, the endpoints have unique characters to identify them individually.

I want the data resource to loop through the data and retrieve each endpoint that shares those few characters, then grab each endpoint ID for "aws_route". FYI: the endpoints are being created from resource "aws_networkfirewall_firewall". The main things to look at in this code snippet are locals, data, and the last line of resource "aws_route". How can I express in locals that the service_name does not end there and that the rest of the string is unique to the endpoint, without hard-coding each service_name?

locals {
  # One entry only: the prefix shared by every firewall endpoint's service name.
  # The unique suffix of each endpoint is not known here.
  endpoints = {
    service_name = "com.amazonaws.vpce.us-east-1.vpce-svc-"
  }
}

# Looks up one endpoint per key in local.endpoints (currently just "service_name")
data "aws_vpc_endpoint" "firewall-endpoints" {
  for_each = local.endpoints
  vpc_id   = aws_vpc.vpc.id

  service_name = each.value

  #filter {
  #  name   = "tag:AWSNetworkFirewallManaged"
  #  values = [true]
  #}
}

# One route per AZ, all pointing at the single endpoint looked up above
resource "aws_route" "tgw_route" {
  count                  = var.number_azs
  route_table_id         = aws_route_table.tgw_rt[count.index].id
  destination_cidr_block = var.tgw_aws_route[0]
  vpc_endpoint_id        = data.aws_vpc_endpoint.firewall-endpoints["service_name"].id
}
  • The vpc_endpoint data resource is only ever going to return a singular endpoint. You should be doing the for_each in your route impl. – Rome_Leader May 31 '22 at 15:25
  • @Rome_Leader I think you weren't done explaining. Some text is missing. – mp7 May 31 '22 at 15:37
  • Can you just use the `endpoint_id`s returned by [`aws_networkfirewall_firewall`](https://registry.terraform.io/providers/aaronfeng/aws/latest/docs/resources/networkfirewall_firewall#sync_states) in the `sync_states` list? Then you won't need to create the endpoint data sources at all. – Nick K9 May 31 '22 at 15:41

1 Answer


I can't test this, but I think what you want to do is something like this:

resource "aws_route" "tgw_route" {
  # firewall_status is a single-element list on the resource, and sync_states is a
  # set of objects, so it is keyed (here by availability zone) to be usable with for_each.
  # "firewall_status" is used as the resource name here; substitute your own.
  for_each = {
    for state in aws_networkfirewall_firewall.firewall_status.firewall_status[0].sync_states :
    state.availability_zone => state
  }

  route_table_id         = aws_route_table.tgw_rt[???].id
  destination_cidr_block = var.tgw_aws_route[0]
  # attachment is a list block; the first (only) element carries the endpoint ID
  vpc_endpoint_id        = each.value.attachment[0].endpoint_id
}

I'm not clear on the structure of the firewall_status output, so that may need to change slightly. The main question is how to get the appropriate route table ID per subnet. Can you access the outputs of the tgw_rt module in some way other than by index? Unfortunately, I have no experience with setting up an AWS firewall, just with Terraform, so I don't know how to solve this part of the puzzle.

  • Hi @Nick K9, this issue has been resolved. I'd rather have the resource block in the VPC state file, therefore the only thing I would have to worry about is retrieving the endpoints. I used your suggestions from the other post, but I gave up using ONE data vpc_endpoint resource and rather used two to find one at a time. Not exactly what I want to do, but it works. – mp7 Jun 02 '22 at 12:20
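The following is an added example of the approach suggested in the comments and the answer above; it is not code from the question or the answer. It builds the availability-zone to endpoint-ID map from the firewall resource's own sync_states, so no data "aws_vpc_endpoint" prefix lookup is needed, and it keys the map on an input variable (assumed here to be var.availability_zones, listed in the same order as the count index of aws_route_table.tgw_rt) so the for_each keys are known at plan time even though the endpoint IDs are only known after the firewall is created. The firewall resource name "firewall" is also an assumption; var.tgw_aws_route[0] is taken from the original.

```hcl
# Added example (not from the original question or answer). Assumptions:
#   - aws_networkfirewall_firewall.firewall is the firewall resource, with one
#     subnet_mapping per availability zone in var.availability_zones
#   - aws_route_table.tgw_rt is created with count over the same AZ list, in the
#     same order, so index() recovers the matching route table without hard-coding
#   - var.tgw_aws_route[0] is the CIDR to send through the firewall (as in the question)

variable "availability_zones" {
  description = "Availability zones the firewall endpoints are deployed in (assumed input)"
  type        = list(string)
}

locals {
  # az -> firewall endpoint ID, read from the firewall's sync_states.
  # firewall_status is a single-element list; sync_states is a set of objects
  # shaped { availability_zone, attachment = [{ endpoint_id, subnet_id, status }] }.
  # Keys come from the variable (known at plan time); only the values are computed.
  # one() returns the single match, null if the AZ has no endpoint (the route then
  # fails at plan time instead of silently pointing at the wrong AZ), and errors if
  # more than one endpoint were reported for the same AZ.
  firewall_endpoint_by_az = {
    for az in var.availability_zones :
    az => one([
      for state in aws_networkfirewall_firewall.firewall.firewall_status[0].sync_states :
      state.attachment[0].endpoint_id
      if state.availability_zone == az
    ])
  }
}

# One route per AZ, each pointing at the firewall endpoint in that same AZ so
# inspected traffic never crosses AZs (cross-AZ routes would break symmetric
# inspection and black-hole traffic when one AZ is unavailable).
resource "aws_route" "tgw_route" {
  for_each = local.firewall_endpoint_by_az

  route_table_id         = aws_route_table.tgw_rt[index(var.availability_zones, each.key)].id
  destination_cidr_block = var.tgw_aws_route[0]
  vpc_endpoint_id        = each.value
}
```

If aws_route_table.tgw_rt is instead created with for_each over the same AZ set, replace the index() lookup with aws_route_table.tgw_rt[each.key].id. Because the endpoint IDs are computed attributes of the firewall, the routes are created in the same apply as the firewall but always after it, which is the ordering the original data-source approach had to reproduce by hand.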