
[Bug]: aws_vpc_endpoint dns_options.dns_record_ip_type shows diff when default value is used #33449

Closed
gclawes opened this issue Sep 13, 2023 · 4 comments · Fixed by #33743
Labels
bug Addresses a defect in current functionality. service/vpc Issues and PRs that pertain to the vpc service.

gclawes commented Sep 13, 2023

Terraform Core Version

v1.4.6

AWS Provider Version

v5.16.2

Affected Resource(s)

  • aws_vpc_endpoint

Expected Behavior

When creating an aws_vpc_endpoint resource, setting only private_dns_only_for_inbound_resolver_endpoint in the dns_options should not show diffs on subsequent plans for the defaulted value (ipv4) of dns_record_ip_type.

Actual Behavior

Subsequent plans show a change from the defaulted value of ipv4 -> null.

Relevant Error/Panic Output Snippet

# module.vpc_endpoints.aws_vpc_endpoint.s3 will be updated in-place
  ~ resource "aws_vpc_endpoint" "s3" {
        id                    = "vpce-0613734806445c563"
        tags                  = {
            "application_id"        = (sensitive value)
            "business_unit"         = (sensitive value)
            "environment"           = (sensitive value)
            "function"              = "s3 vpc endpoint"
            "project_code"          = (sensitive value)
            "project_name"          = (sensitive value)
            "request_id"            = (sensitive value)
            "requestor"             = (sensitive value)
            "service_owner_support" = (sensitive value)
            "terraform"             = "true"
        }
        # (18 unchanged attributes hidden)
      ~ dns_options {
          - dns_record_ip_type                             = "ipv4" -> null
            # (1 unchanged attribute hidden)
        }
    }

Terraform Configuration Files

resource "aws_vpc_endpoint" "s3" {
  vpc_id              = data.aws_subnet.private[0].vpc_id
  service_name        = data.aws_vpc_endpoint_service.s3.service_name
  private_dns_enabled = true
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnets
  security_group_ids  = [module.vpc_endpoint_sg.security_group_id]

  dns_options {
    private_dns_only_for_inbound_resolver_endpoint = false
  }
}

Steps to Reproduce

  1. Create an S3 VPC Interface endpoint with private_dns_enabled = true and dns_options.private_dns_only_for_inbound_resolver_endpoint = false
  2. Run a plan after first apply to see diff

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
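
The perpetual diff reported above can be separated from genuine endpoint changes by inspecting the plan's JSON form. The following is an added example, not part of the original issue or the provider's code: it assumes a plan exported with `terraform show -json <planfile>`, and the sample document, the `ecr` endpoint and the function names are constructed for illustration.

```python
# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the fields used here. The "ecr" endpoint is hypothetical.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "module.vpc_endpoints.aws_vpc_endpoint.s3",
     "type": "aws_vpc_endpoint",
     "change": {"actions": ["update"],
                "before": {"private_dns_enabled": True, "dns_options": [
                    {"dns_record_ip_type": "ipv4",
                     "private_dns_only_for_inbound_resolver_endpoint": False}]},
                "after": {"private_dns_enabled": True, "dns_options": [
                    {"dns_record_ip_type": None,
                     "private_dns_only_for_inbound_resolver_endpoint": False}]}}},
    {"address": "module.vpc_endpoints.aws_vpc_endpoint.ecr",
     "type": "aws_vpc_endpoint",
     "change": {"actions": ["update"],
                "before": {"private_dns_enabled": True,
                           "dns_options": [{"dns_record_ip_type": "ipv4"}]},
                "after": {"private_dns_enabled": False,
                          "dns_options": [{"dns_record_ip_type": None}]}}},
]}

def diff_leaves(before, after, path=""):
    """Return (path, before, after) for every leaf value that differs."""
    if isinstance(before, dict) and isinstance(after, dict):
        return [d for k in sorted(set(before) | set(after))
                for d in diff_leaves(before.get(k), after.get(k),
                                     f"{path}.{k}" if path else k)]
    if isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        return [d for i, (b, a) in enumerate(zip(before, after))
                for d in diff_leaves(b, a, f"{path}[{i}]")]
    return [] if before == after else [(path, before, after)]

def is_default_noise(path, before, after):
    """True only for the reported diff: dns_record_ip_type "ipv4" -> null."""
    return (path.startswith("dns_options[") and path.endswith("].dns_record_ip_type")
            and before == "ipv4" and after is None)

def classify_endpoint_updates(plan):
    """Map address -> 'default-only' or 'real' for aws_vpc_endpoint in-place updates."""
    result = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_vpc_endpoint" or change.get("actions") != ["update"]:
            continue
        diffs = diff_leaves(change.get("before"), change.get("after"))
        only_noise = bool(diffs) and all(is_default_noise(*d) for d in diffs)
        result[rc["address"]] = "default-only" if only_noise else "real"
    return result
```

An update classified as `real` changes something besides the defaulted attribute and should be reviewed as an actual endpoint modification.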

@gclawes gclawes added the bug Addresses a defect in current functionality. label Sep 13, 2023

@github-actions github-actions bot added the service/vpc Issues and PRs that pertain to the vpc service. label Sep 13, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 13, 2023
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Sep 13, 2023
@silvaalbert
Contributor

I'll work on this one

github-actions bot commented Oct 6, 2023

This functionality has been released in v5.20.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions bot commented Nov 6, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 6, 2023