With a policy that specifically allows all
π tf $ cat main.tf
provider "aws" {
  region = "us-west-2"
}

data "aws_subnets" "all" {}

data "aws_security_groups" "default" {}

data "aws_iam_policy_document" "eks" {
  statement {
    sid       = "EksTestPolicy"
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
}

resource "aws_vpc_endpoint" "t" {
  vpc_id             = "vpc-77ed2d0e"
  service_name       = "com.amazonaws.us-west-2.eks"
  vpc_endpoint_type  = "Interface"
  policy             = data.aws_iam_policy_document.eks.json
  security_group_ids = data.aws_security_groups.default.ids
  subnet_ids         = data.aws_subnets.all.ids
}
gwojtak@ubuntu 15:53
π tf $ terraform apply -auto-approve
data.aws_subnets.all: Reading...
data.aws_security_groups.default: Reading...
data.aws_iam_policy_document.eks: Reading...
data.aws_iam_policy_document.eks: Read complete after 0s [id=2331874454]
data.aws_subnets.all: Read complete after 0s [id=us-west-2]
data.aws_security_groups.default: Read complete after 0s [id=us-west-2]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_vpc_endpoint.t will be created
  + resource "aws_vpc_endpoint" "t" {
      + arn                   = (known after apply)
      + cidr_blocks           = (known after apply)
      + dns_entry             = (known after apply)
      + id                    = (known after apply)
      + ip_address_type       = (known after apply)
      + network_interface_ids = (known after apply)
      + owner_id              = (known after apply)
      + policy                = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = "*"
                      + Effect   = "Allow"
                      + Resource = "*"
                      + Sid      = "EksTestPolicy"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + prefix_list_id        = (known after apply)
      + private_dns_enabled   = (known after apply)
      + requester_managed     = (known after apply)
      + route_table_ids       = (known after apply)
      + security_group_ids    = [
          + "sg-85a3ecf9",
        ]
      + service_name          = "com.amazonaws.us-west-2.eks"
      + service_region        = (known after apply)
      + state                 = (known after apply)
      + subnet_ids            = (known after apply)
      + tags_all              = (known after apply)
      + vpc_endpoint_type     = "Interface"
      + vpc_id                = "vpc-77ed2d0e"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
aws_vpc_endpoint.t: Creating...
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.us-west-2.eks): operation error EC2: CreateVpcEndpoint, https response error StatusCode: 400, RequestID: 3d07ac47-f79a-43ab-bff1-ba3457ab8fae, api error InvalidParameter: Service com.amazonaws.us-west-2.eks only supports the full-access endpoint policy.
│
│   with aws_vpc_endpoint.t,
│   on main.tf line 18, in resource "aws_vpc_endpoint" "t":
│   18: resource "aws_vpc_endpoint" "t" {
│
╵
π tf INT $ cat main.tf
provider "aws" {
  region = "us-west-2"
}

data "aws_subnets" "all" {}

data "aws_security_groups" "default" {}

data "aws_iam_policy_document" "eks" {
  statement {
  }
}

resource "aws_vpc_endpoint" "t" {
  vpc_id             = "vpc-77ed2d0e"
  service_name       = "com.amazonaws.us-west-2.eks"
  vpc_endpoint_type  = "Interface"
  policy             = data.aws_iam_policy_document.eks.json
  security_group_ids = data.aws_security_groups.default.ids
  subnet_ids         = data.aws_subnets.all.ids
}
gwojtak@ubuntu 15:54
π tf $ terraform apply -auto-approve
data.aws_security_groups.default: Reading...
data.aws_subnets.all: Reading...
data.aws_iam_policy_document.eks: Reading...
data.aws_iam_policy_document.eks: Read complete after 0s [id=4084240444]
data.aws_subnets.all: Read complete after 1s [id=us-west-2]
data.aws_security_groups.default: Read complete after 1s [id=us-west-2]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_vpc_endpoint.t will be created
  + resource "aws_vpc_endpoint" "t" {
      + arn                   = (known after apply)
      + cidr_blocks           = (known after apply)
      + dns_entry             = (known after apply)
      + id                    = (known after apply)
      + ip_address_type       = (known after apply)
      + network_interface_ids = (known after apply)
      + owner_id              = (known after apply)
      + policy                = jsonencode(
            {
              + Statement = [
                  + {
                      + Effect = "Allow"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + prefix_list_id        = (known after apply)
      + private_dns_enabled   = (known after apply)
      + requester_managed     = (known after apply)
      + route_table_ids       = (known after apply)
      + security_group_ids    = [
          + "sg-85a3ecf9",
        ]
      + service_name          = "com.amazonaws.us-west-2.eks"
      + service_region        = (known after apply)
      + state                 = (known after apply)
      + subnet_ids            = (known after apply)
      + tags_all              = (known after apply)
      + vpc_endpoint_type     = "Interface"
      + vpc_id                = "vpc-77ed2d0e"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
aws_vpc_endpoint.t: Creating...
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.us-west-2.eks): operation error EC2: CreateVpcEndpoint, https response error StatusCode: 400, RequestID: a0958db5-1bf1-4431-8fda-121594445727, api error InvalidParameter: Service com.amazonaws.us-west-2.eks only supports the full-access endpoint policy.
│
│   with aws_vpc_endpoint.t,
│   on main.tf line 14, in resource "aws_vpc_endpoint" "t":
│   14: resource "aws_vpc_endpoint" "t" {
│
╵
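Both runs above fail at CreateVpcEndpoint, not in Terraform, because the EKS interface endpoint service does not accept any caller-supplied policy at all, even one equivalent to full access. The EC2 DescribeVpcEndpointServices API exposes this per service as the boolean VpcEndpointPolicySupported, so the condition can be checked before apply. The following is an added example, not code from this issue or the provider; the response below is constructed to match the behaviour in the error (the eks entry is assumed, not captured), and describe_live is a hypothetical wrapper around the real boto3 call.

```python
"""Pre-apply check: will this service reject a custom VPC endpoint policy?"""


# Constructed sample of a DescribeVpcEndpointServices response, not captured
# from AWS. The eks entry mirrors the "only supports the full-access endpoint
# policy" error in the log above; the s3 entry is a service that does accept
# custom policies.
SAMPLE_RESPONSE = {
    "ServiceDetails": [
        {"ServiceName": "com.amazonaws.us-west-2.eks",
         "VpcEndpointPolicySupported": False},
        {"ServiceName": "com.amazonaws.us-west-2.s3",
         "VpcEndpointPolicySupported": True},
    ]
}


def policy_support(response):
    """Map service name -> whether a caller-supplied endpoint policy is accepted."""
    return {d["ServiceName"]: bool(d.get("VpcEndpointPolicySupported", False))
            for d in response.get("ServiceDetails", [])}


def check_endpoint(service_name, policy_json, response):
    """Return (ok, reason) for a planned aws_vpc_endpoint.

    Any non-None policy counts as custom: as the second run above shows, even
    a statement containing nothing but Effect = "Allow" is rejected, so the
    only accepted configuration for such a service is no 'policy' argument
    (AWS then applies its default full-access policy).
    """
    support = policy_support(response)
    if service_name not in support:
        return False, f"unknown service {service_name}; check region/name"
    if policy_json is not None and not support[service_name]:
        return False, (f"{service_name} only supports the full-access endpoint "
                       "policy; remove the 'policy' argument")
    return True, "ok"


def describe_live(region, service_names):
    """Hypothetical wrapper: fetch the real response (needs boto3 + credentials)."""
    import boto3  # imported lazily so the pure checks above run offline
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.describe_vpc_endpoint_services(ServiceNames=list(service_names))
```

Running check_endpoint against describe_live("us-west-2", ["com.amazonaws.us-west-2.eks"]) in CI catches the misconfiguration before terraform apply hits the 400.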