Fixes "Error: no association of default Security Group (sg-XXX) with VPC Endpoint (vpce-YYY)" @j4zzcat (#158)
This PR updates the `vpc-endpoints` module to prevent recurring no association of default Security Group (...) with VPC Endpoint (...) errors when managing Interface VPC Endpoints. See also https://github.com/cloudposse-terraform-components/aws-vpc/issues/49.The issue occurred because AWS automatically attaches the default VPC security group to an Interface endpoint when no SGs are specified at creation. The module previously relied on replace_default_association to swap it out for the desired SG. This worked only on the first run - subsequent runs failed because the default SG was no longer attached.
Changes
- Attach first SG at creation time
- Added
security_group_idstoaws_vpc_endpoint.interface_endpointwith the first SG fromvar.interface_vpc_endpoints. - Prevents AWS from attaching the default SG and removes the need for
replace_default_association.
- Added
- Limit SG associations to
index > 0- Updated
security_group_associations_listandsecurity_group_associations_maplocals to only include SGs beyond the first one. - Ensures Terraform doesn’t try to re-attach the already-attached first SG.
- Updated
- Remove
replace_default_association- Association resources now only attach additional SGs.
- Eliminates fragile “replace default” logic that failed on repeated applies.
Benefits
- Idempotent applies — no more failing after the first run.
- Simpler logic — no special-case handling for the default SG.
- Clean AWS state — the default SG is never attached in the first place.
Testing
- Applied changes in a test environment with multiple endpoints and SGs.
- Verified that:
- First SG is attached at endpoint creation.
- Additional SGs are attached via association resources.
- No errors occur on repeated terraform apply runs.