hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: `aws_ec2_instance_connect_endpoint` known after apply issue for `fips_dns_name` #37920

Open bparak opened 2 months ago

bparak commented 2 months ago

Terraform Core Version

1.8.5, 1.5.7

AWS Provider Version

5.53.0, 5.46.0

Affected Resource(s)

Expected Behavior

When the aws_ec2_instance_connect_endpoint resource is successfully created, all resource attributes are correctly populated. Subsequent terraform apply runs do not:

Actual Behavior

Each terraform apply run after successful EICE creation shows fips_dns_name as (known after apply):

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_ec2_instance_connect_endpoint.this will be updated in-place
  ~ resource "aws_ec2_instance_connect_endpoint" "this" {
      + fips_dns_name         = (known after apply)
        id                    = "eice-XXXXXXXXXXXX"
        # (11 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

and any attempt to apply this fails with:

aws_ec2_instance_connect_endpoint.this: Modifying... [id=eice-XXXXXXXXXXXX]
╷
│ Error: Provider returned invalid result object after apply
│ 
│ After the apply operation, the provider still indicated an unknown value for aws_ec2_instance_connect_endpoint.this.fips_dns_name. All values must be known after apply, so this is
│ always a bug in the provider and should be reported in the provider's own repository. Terraform will still save the other known object values in the state.

Relevant Error/Panic Output Snippet

aws_ec2_instance_connect_endpoint.this: Modifying... [id=eice-XXXXXXXXXXXX]
╷
│ Error: Provider returned invalid result object after apply
│ 
│ After the apply operation, the provider still indicated an unknown value for aws_ec2_instance_connect_endpoint.this.fips_dns_name. All values must be known after apply, so this is
│ always a bug in the provider and should be reported in the provider's own repository. Terraform will still save the other known object values in the state.

Terraform Configuration Files

# Security group attached to the EICE. The endpoint initiates connections to
# instances, so only outbound rules are needed here. The 0.0.0.0/0 egress is a
# reproduction setting; in a real deployment restrict it to the VPC CIDR.
resource "aws_security_group" "this" {
  name_prefix = "sg-eice-"
  description = "Security group for EICE."
  vpc_id      = "vpc-XXXXXX"

  egress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow outgoing SSH connections"
  }

  egress {
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow outgoing RDP connections"
  }
}

# The resource that fails to converge: fips_dns_name is a computed attribute
# and is never set explicitly in configuration.
resource "aws_ec2_instance_connect_endpoint" "this" {
  subnet_id          = "subnet-XXXXXX"
  preserve_client_ip = false
  security_group_ids = [aws_security_group.this.id]
}

Steps to Reproduce

  1. run terraform apply
  2. run terraform apply again

Debug Output

No response

Panic Output

No response

Important Factoids

Running

aws ec2 describe-instance-connect-endpoints --instance-connect-endpoint-ids eice-XXXXXXXXXXX

on the created EICE does not return any data related to FipsDnsName. There is no such property, even though AWS documentation says it should be there.

DnsName is populated correctly.

References

Would you like to implement a fix?

No


bparak commented 2 months ago

To clarify, I don't need the value of fips_dns_name. I just need the resource to apply correctly. FipsDnsName seems to be an optional attribute for EICE. I'm waiting for AWS Support to confirm this.

bparak commented 2 months ago

A quick update. This seems to be caused by regional differences in AWS API responses for EICE. When provisioned in a US region that supports FIPS endpoints, FipsDnsName (and fips_dns_name as a result) are correctly populated. However, when provisioned in a region outside of the US - where FIPS endpoints are not available - FipsDnsName seems to be omitted entirely, the resource cannot be fully applied, and fips_dns_name won't be populated.

If you are running acceptance tests only in a US region that supports FIPS endpoints, it would explain why tests such as https://github.com/hashicorp/terraform-provider-aws/blob/c6f832619208f075ede58aac56a9f30a5418be2d/internal/service/ec2/ec2_instance_connect_endpoint_test.go#L42 wouldn't find any problems here.

Is this a feasible explanation or am I way off on this?
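The following is an added, stand-alone model of the failure mode described in this thread; it is not code from the provider or from the issue author. It assumes simplified stand-ins for the real types: `Endpoint` and `describeResponse` mimic the shape of a DescribeInstanceConnectEndpoints reply (the field names `DnsName` and `FipsDnsName` are the documented ones, the IDs and hostnames are placeholders), `Attr` is a three-state value with Terraform's known / null / unknown semantics, and `Apply` emulates the core check that produces "Provider returned invalid result object after apply". `ReadBuggy` leaves the planned unknown in place whenever the API omits `FipsDnsName`; `ReadFixed` turns an omitted field into an explicit null, which is the behaviour a provider needs for a computed attribute that a region may never populate.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Endpoint is a stand-alone model of one entry in a
// DescribeInstanceConnectEndpoints response (assumption: not the AWS SDK type).
// The pointer field models an attribute the API may omit entirely, which is
// what the issue reports for FipsDnsName outside FIPS-capable regions.
type Endpoint struct {
	InstanceConnectEndpointID string  `json:"InstanceConnectEndpointId"`
	DNSName                   string  `json:"DnsName"`
	FipsDNSName               *string `json:"FipsDnsName,omitempty"`
}

type describeResponse struct {
	InstanceConnectEndpoints []Endpoint `json:"InstanceConnectEndpoints"`
}

// Attr is a three-state attribute value modelled after Terraform's
// known / null / unknown semantics (assumption: a simplified stand-in for the
// plugin framework's own value types).
type Attr struct {
	Known bool
	Null  bool
	Value string
}

func Unknown() Attr           { return Attr{} }
func NullAttr() Attr          { return Attr{Known: true, Null: true} }
func KnownAttr(v string) Attr { return Attr{Known: true, Value: v} }

// String renders the value the way a Terraform plan would.
func (a Attr) String() string {
	switch {
	case !a.Known:
		return "(known after apply)"
	case a.Null:
		return "null"
	default:
		return fmt.Sprintf("%q", a.Value)
	}
}

// ErrUnknownAfterApply mirrors the core rule that every value must be known
// once apply has finished.
var ErrUnknownAfterApply = errors.New("provider still indicated an unknown value for fips_dns_name")

// ReadFunc maps the planned value and the API response onto the new state value.
type ReadFunc func(planned Attr, ep Endpoint) Attr

// ReadBuggy keeps the planned value and only overwrites it when the API
// populated the field, so an omitted FipsDnsName leaves "(known after apply)"
// in the result. This models the failure mode; it is not the provider's code.
func ReadBuggy(planned Attr, ep Endpoint) Attr {
	if ep.FipsDNSName != nil {
		return KnownAttr(*ep.FipsDNSName)
	}
	return planned
}

// ReadFixed always derives the value from the response: an omitted field
// becomes an explicit null, which core accepts after apply.
func ReadFixed(_ Attr, ep Endpoint) Attr {
	if ep.FipsDNSName == nil {
		return NullAttr()
	}
	return KnownAttr(*ep.FipsDNSName)
}

// Apply simulates one apply of the resource: the plan carries fips_dns_name as
// unknown (as in the issue's plan output), the provider reads the endpoint
// back and returns the new state, and core rejects any value still unknown.
func Apply(resp []byte, read ReadFunc) (Attr, error) {
	var out describeResponse
	if err := json.Unmarshal(resp, &out); err != nil {
		return Unknown(), err
	}
	if len(out.InstanceConnectEndpoints) != 1 {
		return Unknown(), fmt.Errorf("expected one endpoint, got %d", len(out.InstanceConnectEndpoints))
	}
	newState := read(Unknown(), out.InstanceConnectEndpoints[0])
	if !newState.Known {
		return newState, ErrUnknownAfterApply
	}
	return newState, nil
}

// Constructed responses (placeholder IDs and hostnames): a FIPS-capable region
// returns FipsDnsName, a region without FIPS endpoints omits the key entirely.
var (
	RespWithFips = []byte(`{"InstanceConnectEndpoints":[{"InstanceConnectEndpointId":"eice-0123456789abcdef0",
	 "State":"create-complete","DnsName":"eice-0123456789abcdef0.example.invalid",
	 "FipsDnsName":"eice-0123456789abcdef0.fips.example.invalid"}]}`)
	RespWithoutFips = []byte(`{"InstanceConnectEndpoints":[{"InstanceConnectEndpointId":"eice-0123456789abcdef0",
	 "State":"create-complete","DnsName":"eice-0123456789abcdef0.example.invalid"}]}`)
)

func main() {
	for _, tc := range []struct {
		name string
		resp []byte
		read ReadFunc
	}{
		{"buggy read, FIPS region", RespWithFips, ReadBuggy},
		{"buggy read, non-FIPS region", RespWithoutFips, ReadBuggy},
		{"fixed read, non-FIPS region", RespWithoutFips, ReadFixed},
	} {
		v, err := Apply(tc.resp, tc.read)
		fmt.Printf("%-30s fips_dns_name = %s  err = %v\n", tc.name, v, err)
	}
}
```

The point of the two read functions is that "absent in the API response" and "not yet known" are different states: a computed attribute the service legitimately never returns has to be written back as a known null (or an empty string, depending on the schema) rather than carried forward as unknown, otherwise every apply in an affected region fails the post-apply check exactly as the thread shows.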

bparak commented 1 month ago

Hi @justinretzolk, I just noticed you marked this issue with the fips label. It is true that the reported problem shows up on the fips_dns_name attribute of the aws_ec2_instance_connect_endpoint resource, but this is not related to FIPS itself. It just happens to present that way. The main point is that the aws_ec2_instance_connect_endpoint is currently broken for regions outside of the US (and Canada) and its state won't converge properly.