hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Perpetual diff in aws_ec2_client_vpn_endpoint #26881

Open sidekick-eimantas opened 1 year ago

sidekick-eimantas commented 1 year ago

Terraform Core Version

1.2.7

AWS Provider Version

4.27.0

Affected Resource(s)

aws_ec2_client_vpn_endpoint

Expected Behavior

No perpetual diff

Actual Behavior

banner_text is in perpetual diff

module.vpn_ireland.aws_ec2_client_vpn_endpoint.this will be updated in-place
  ~ resource "aws_ec2_client_vpn_endpoint" "this" {
        id                     = "cvpn-endpoint-nnnnnnnnnnnnnn"
        tags                   = {
            "Name" = "ireland-office"
        }
        # (15 unchanged attributes hidden)

      ~ client_login_banner_options {
          ~ banner_text = <<-EOT
                Warning: This system is restricted to Sidekick Money Ltd
                authorized users for business purposes only. Unauthorized access
                or use is a violation of company policy and the law. This system
                may be monitored for administrative and security reasons. By
                proceeding, you acknowledge that (1) you have read and understand
                this notice and (2) you consent to the system monitoring.
            EOT
            # (1 unchanged attribute hidden)
        }

        # (3 unchanged blocks hidden)
    }

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_ec2_client_vpn_endpoint" "this" {
  client_cidr_block = var.client_cidr_block
  client_login_banner_options {
    enabled     = true
    banner_text = file("${path.module}/banner.txt")
  }
  description            = var.description
  dns_servers            = var.dns_servers
  security_group_ids     = var.security_group_ids
  self_service_portal    = "enabled"
  server_certificate_arn = aws_acm_certificate.this.arn
  session_timeout_hours  = var.session_timeout_hours
  split_tunnel           = var.split_tunnel
  transport_protocol     = "udp"
  vpc_id                 = var.vpc_id
  vpn_port               = 1194 # openvpn default udp port

  tags = { Name = var.name }
}

Steps to Reproduce

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No response


ivopinto1 commented 1 year ago

We could not reproduce this issue.

Created a ec2 client vpn endpoint

provider "aws" {
  version = "4.27"
}

resource "tls_private_key" "example" {
  algorithm = "RSA"
}

resource "tls_self_signed_cert" "example" {
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

resource "aws_acm_certificate" "cert" {
  private_key      = tls_private_key.example.private_key_pem
  certificate_body = tls_self_signed_cert.example.cert_pem
}

resource "aws_ec2_client_vpn_endpoint" "example" {
  description            = "terraform-clientvpn-example"
  server_certificate_arn = aws_acm_certificate.cert.arn
  client_cidr_block      = "10.20.0.0/16"

  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = aws_acm_certificate.cert.arn
  }

  connection_log_options {
    enabled = false
  }

  client_login_banner_options {
    enabled     = true
    banner_text = file("${path.module}/banner.txt")
  }
}

With the following banner (banner.txt):

Warning: This system is restricted to Sidekick Money Ltd
authorized users for business purposes only. Unauthorized access
or use is a violation of company policy and the law. This system
may be monitored for administrative and security reasons. By
proceeding, you acknowledge that (1) you have read and understand
this notice and (2) you consent to the system monitoring.

first apply succeeds:

➜  Downloads terraform apply
(omitted)

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

Following applies show no diff:

➜  Downloads terraform apply
(omitted)
No changes. Your infrastructure matches the configuration.

Maybe your banner file has some 'weird' characters inside it. Can you please retry with the banner content placed directly in the Terraform file, or with a simpler banner, to see if it exhibits the same behaviour?
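The reporter's configuration reads the banner with `file()`, and the reply above suggests stray characters in `banner.txt` as a cause. A quick way to test that hypothesis locally is to compare the on-disk banner with the value Terraform reads back from the API after normalising the differences that `file()` commonly introduces (a trailing newline, CRLF line endings, trailing spaces) and to list any non-printable or non-ASCII runes in the file. The following Go program is an added example, not code from the AWS provider or from anyone in this thread; the normalisation rules it applies (fold CRLF, strip trailing whitespace per line, drop leading and trailing blank lines) are an assumption about what could make two banners "the same", not a statement of what the Client VPN API does, and the sample strings are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// normalizeBannerText folds Windows line endings to "\n", strips trailing
// whitespace from every line and drops leading/trailing blank lines.
// These rules are an assumption made for this example; the issue does not
// establish which, if any, of them the Client VPN API applies.
func normalizeBannerText(s string) string {
	s = strings.ReplaceAll(s, "\r\n", "\n")
	lines := strings.Split(s, "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRightFunc(l, unicode.IsSpace)
	}
	return strings.Trim(strings.Join(lines, "\n"), "\n")
}

// bannerTextEquivalent reports whether two banner strings differ only in the
// ways normalizeBannerText ignores. A provider DiffSuppressFunc would wrap a
// comparison like this to stop a plan diff between file() content and the
// value read back from the API (hypothetical use, not the provider's code).
func bannerTextEquivalent(old, new string) bool {
	return normalizeBannerText(old) == normalizeBannerText(new)
}

// nonPrintableRunes returns, keyed by byte offset, every rune outside
// printable ASCII other than tab and newline. A carriage return or a
// non-breaking space pasted from a document shows up here, which is the
// "weird characters" check suggested in the thread.
func nonPrintableRunes(s string) map[int]rune {
	out := map[int]rune{}
	for i, r := range s {
		if r == '\n' || r == '\t' {
			continue
		}
		if r < 0x20 || r > 0x7e {
			out[i] = r
		}
	}
	return out
}

func main() {
	// Constructed sample: what file("banner.txt") returns after a typical
	// editor save (CRLF, trailing newline) versus a value the API might echo
	// back without them. Both strings are made up for this example.
	fromFile := "Warning: This system is restricted to authorized users.\r\n" +
		"By proceeding you consent to monitoring.\r\n"
	fromAPI := "Warning: This system is restricted to authorized users.\n" +
		"By proceeding you consent to monitoring."

	fmt.Println("raw equal:     ", fromFile == fromAPI)
	fmt.Println("equivalent:    ", bannerTextEquivalent(fromFile, fromAPI))
	fmt.Println("non-printable: ", nonPrintableRunes(fromFile))
}
```

To run the same check against real data, paste the `banner_text` value from `terraform state show` (or from the plan output above) into `fromAPI` and the contents of `banner.txt` into `fromFile`; if the raw strings differ but the normalised ones match, the diff is a whitespace or line-ending artefact rather than a content change. On the configuration side, Terraform's built-in `chomp()` (removes trailing newlines) and `trimspace()` (removes leading and trailing whitespace) can be applied to `file(...)` to remove the most common of these artefacts before the value reaches the provider.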

eniac111 commented 10 months ago

I'm having the same issue:

      ~ client_login_banner_options {
          + banner_text = "Corporate VPN"
            # (1 unchanged attribute hidden)
        }