DynamoDB VPC Endpoint Policy in the complete example denies all DynamoDB requests #680

Closed
inhumantsar opened this issue Aug 15, 2021 · 3 comments · Fixed by #730

Comments

@inhumantsar

Description

The DDB VPCE Policy as demonstrated in the example seems to be broken as far as I can tell.

Versions

❯ terraform --version
Terraform v1.0.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.53.0
+ provider registry.terraform.io/hashicorp/external v2.1.0
+ provider registry.terraform.io/hashicorp/github v3.0.0
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/template v2.2.0
- Module: latest master branch

Reproduction

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = local.vpc_name
  cidr = local.vpc_cidr

  azs                 = local.azs
  private_subnets     = local.subnets.private
  public_subnets      = local.subnets.public
  database_subnets    = local.subnets.database
  elasticache_subnets = local.subnets.elasticache
  redshift_subnets    = local.subnets.redshift
  intra_subnets       = local.subnets.intra

  enable_dns_hostnames = true
  enable_dns_support   = true

  enable_classiclink             = false
  enable_classiclink_dns_support = false

  # One NAT Gateway per availability zone
  enable_nat_gateway     = true
  single_nat_gateway     = true
  one_nat_gateway_per_az = false

  # Default security group - ingress/egress rules cleared to deny all
  manage_default_security_group  = true
  default_security_group_ingress = []
  default_security_group_egress  = []
  default_security_group_name    = "${local.vpc_name}-default"

  # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
  enable_flow_log                      = true
  create_flow_log_cloudwatch_log_group = true
  create_flow_log_cloudwatch_iam_role  = true
  flow_log_max_aggregation_interval    = 60

  default_route_table_tags = merge({ Name = "${local.vpc_name}-default" }, var.default_route_table_tags)
}

module "vpc_endpoints" {
  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"

  vpc_id             = module.vpc.vpc_id
  security_group_ids = [module.vpc.default_security_group_id]

  endpoints = {
    s3 = {
      service = "s3"
      tags    = { Name = "${local.vpc_name}-s3-vpce" }
    },
    dynamodb = {
      service         = "dynamodb"
      service_type    = "Gateway"
      route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
      policy          = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
      tags            = { Name = "${local.vpc_name}-dynamodb-vpce" }
    },
  }
}

# Data source used to avoid race condition
data "aws_vpc_endpoint_service" "dynamodb" {
  service = "dynamodb"

  filter {
    name   = "service-type"
    values = ["Gateway"]
  }
}

data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
  statement {
    effect    = "Deny"
    actions   = ["dynamodb:*"]
    resources = ["*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "aws:sourceVpce"

      values = [data.aws_vpc_endpoint_service.dynamodb.id]
    }
  }
}

Expected behavior

No explicit access denied errors.

Actual behavior

I created a new VPC using the example and attempted to work with DynamoDB tables from an ECS task (with a task role containing DynamoDB Full Access permissions) and was given explicit deny errors. Changing the sourceVpce condition to the actual VPCE ID (the initial value as created by this module was a straight integer with no vpce- prefix and the wrong length) resulted in implicit denials, and it wasn't until I swapped the VPCE policy to FullAccess that my calls to DynamoDB actually worked.
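An added illustration of the failure mode reported above, not code from the issue or from the module: the endpoint policy is a Deny guarded by StringNotEquals on aws:sourceVpce, so if the compared value is not a real endpoint ID (every request through the endpoint carries a vpce- prefixed ID in that key), the condition is always true and every DynamoDB call is denied. The script below checks a rendered policy JSON for condition values that can never match, and simulates the Deny evaluation for a request arriving via a given endpoint. The policy document and the endpoint ID are constructed placeholders.

```python
import copy
import re

# Constructed sample: the policy shape from the reproduction above, rendered as
# JSON, with a non-VPCE value in the condition standing in for the service ID.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "dynamodb:*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:sourceVpce": "1234567890123"}},
    }],
}

# VPC endpoint IDs are "vpce-" followed by 8 or 17 hex characters.
VPCE_ID_RE = re.compile(r"^vpce-[0-9a-f]{8}(?:[0-9a-f]{9})?$")


def source_vpce_values(policy):
    """Yield every value compared against aws:sourceVpce in any statement."""
    for stmt in policy.get("Statement", []):
        for operand in stmt.get("Condition", {}).values():
            for key, val in operand.items():
                if key.lower() == "aws:sourcevpce":  # condition keys are case-insensitive
                    yield from (val if isinstance(val, list) else [val])


def malformed_vpce_values(policy):
    """Return condition values that can never equal a real endpoint ID."""
    return [v for v in source_vpce_values(policy) if not VPCE_ID_RE.match(v)]


def is_denied(policy, request_vpce):
    """Evaluate the Deny statements for a request whose aws:sourceVpce is request_vpce."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        vals = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:sourceVpce")
        if vals is None:
            return True  # unconditional Deny
        vals = vals if isinstance(vals, list) else [vals]
        if request_vpce not in vals:  # StringNotEquals matches when no value equals
            return True
    return False


def with_vpce_id(policy, vpce_id):
    """Return a copy of the policy whose condition compares against the real endpoint ID."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"][0]["Condition"]["StringNotEquals"]["aws:sourceVpce"] = vpce_id
    return fixed
```

Running the checker against the policy Terraform actually rendered (for example via `terraform show -json`) flags the bad value before the endpoint is created rather than after the first AccessDenied.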

@bryantbiggs
Member

the error is a copy+pasta mistake because the endpoint policy used by ecr/ecr-dkr is pointing at the dynamodb VPCe

values = [data.aws_vpc_endpoint_service.dynamodb.id]

easily fixed - should always know/validate what you are deploying when copying from the internet 😉

@antonbabenko
Member

This issue has been resolved in version 3.11.3 🎉

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 29, 2022