hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_vpc_endpoint policy for svc endpoint soft lock #42291

Open totobarbar opened 1 month ago

totobarbar commented 1 month ago

Terraform and AWS Provider Version

Terraform v1.3.9
on linux_amd64

Affected Resource(s) or Data Source(s)

Expected Behavior

Hello, I tried to create a policy for a svc endpoint with Terraform. After some searches, it seems to be impossible to do that. The problem is that Terraform succeeds in carrying out a plan, so I tried to apply and I got an error:

Error: updating EC2 VPC Endpoint (vpce-xxxx): InvalidPolicyDocument: The Policy Document is not valid. Syntax error at position (1,75)
status code: 400, request id: xxx

with aws_vpc_endpoint.my_vpc_endpoint,
on endpoints.tf line 381, in resource "aws_vpc_endpoint" "my_vpc_endpoint":
381: resource "aws_vpc_endpoint" "my_vpc_endpoint" {

I wanted to roll back this policy.

Actual Behavior

The problem is that when I wanted to roll back, I tested a plan but I got this error:

Error: parsing policy 1: parsing statement 1: 3 error(s) decoding:

* '[0].Condition[test]' expected a map, got 'string'
* '[0].Condition[values]' expected a map, got 'slice'
* '[0].Condition[variable]' expected a map, got 'string'

with aws_vpc_endpoint.my_vpc_endpoint,
on endpoints.tf line 381, in resource "aws_vpc_endpoint" "my_vpc_endpoint":
381: resource "aws_vpc_endpoint" "my_vpc_endpoint" {

But there is no more policy in my code... I'm not able to roll back the policy I tried to add previously.

Relevant Error/Panic Output

Sample Terraform Configuration

Configuration with Policy

```hcl
resource "aws_vpc_endpoint" "my_vpc_endpoint" {
  service_name        = "com.amazonaws.vpce.eu-west-3.vpce-svc-xxxx"
  vpc_endpoint_type   = "Interface"
  vpc_id              = module.my_vpc.vpc_id
  private_dns_enabled = false
  subnet_ids          = "${module.my_vpc.my_subnets}"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "DenyIfNotOnVPC",
        "Effect" : "Deny",
        "Principal" : {
          "Type" : "*",
          "Indentifiers" : ["*"]
        },
        "Resource" : "*",
        "Condition" : {
          "StringNotLike" : {
            "aws:sourceVpc" : "${module.my_vpc.vpc_id}"
          }
        }
      }
    ]
  })
  security_group_ids = ["${module.my_sg.security_group_id}"]
}
```

Configuration without Policy (after rollback)

```hcl
resource "aws_vpc_endpoint" "my_vpc_endpoint" {
  service_name        = "com.amazonaws.vpce.eu-west-3.vpce-svc-xxxx"
  vpc_endpoint_type   = "Interface"
  vpc_id              = module.my_vpc.vpc_id
  private_dns_enabled = false
  subnet_ids          = "${module.my_vpc.my_subnets}"
  security_group_ids  = ["${module.my_sg.security_group_id}"]
}
```

Steps to Reproduce

I have this issue in my development environment; I never tried to create another vpce svc with a policy anywhere else.

Debug Logging

n/a

GenAI / LLM Assisted Development

n/a

Important Facts and References

I also tried to remove my vpce from Terraform, but I got the same error without file information:

Error: parsing policy 1: parsing statement 1: 3 error(s) decoding:

* '[0].Condition[test]' expected a map, got 'string'
* '[0].Condition[values]' expected a map, got 'slice'
* '[0].Condition[variable]' expected a map, got 'string'

Would you like to implement a fix?

No
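Added example (not the reporter's configuration and not provider code): the posted policy hand-writes IAM JSON with `"Type"`/`"Identifiers"` under `Principal` and no `Action`, but those names are attributes of the `aws_iam_policy_document` data source's `principals` block, not IAM JSON keys (IAM accepts `"Principal": "*"` or a map keyed by `AWS`, `Service`, `Federated`), and every statement needs an `Action` or `NotAction`. Rendering the policy through the data source produces the valid shape; it assumes the `module.my_vpc` / `module.my_sg` outputs and the service name are placeholders, and that the target endpoint service accepts an endpoint policy, which this issue does not confirm.

```hcl
# Added example: render the endpoint policy from the data source instead of
# hand-written JSON. principals { type = "*" identifiers = ["*"] } is emitted
# as "Principal": "*", and the condition block becomes a proper
# {"StringNotEquals": {"aws:SourceVpc": [...]}} map.
data "aws_iam_policy_document" "vpce_deny_outside_vpc" {
  statement {
    sid    = "DenyIfNotOnVPC"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # A statement without Action/NotAction is rejected as an invalid document.
    actions   = ["*"]
    resources = ["*"]

    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpc"
      values   = [module.my_vpc.vpc_id] # placeholder module output
    }
  }
}

resource "aws_vpc_endpoint" "my_vpc_endpoint" {
  service_name        = "com.amazonaws.vpce.eu-west-3.vpce-svc-xxxx" # placeholder
  vpc_endpoint_type   = "Interface"
  vpc_id              = module.my_vpc.vpc_id
  private_dns_enabled = false
  subnet_ids          = module.my_vpc.my_subnets
  security_group_ids  = [module.my_sg.security_group_id]
  policy              = data.aws_iam_policy_document.vpce_deny_outside_vpc.json
}
```

Running `terraform plan` before apply shows the rendered JSON in the `policy` diff, so the document shape can be checked against the IAM grammar before the API rejects it.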

github-actions[bot] commented 1 month ago

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! :rocket:
