Problem
When setting up a cross-region connection to a VPC Endpoint Service between two different regions using Terraform, we may encounter an error similar to the one below:
Error: creating EC2 VPC Endpoint (com.amazonaws.vpce.us-east-2.vpce-svc-xxxxxxxxxxxxx): operation error EC2: CreateVpcEndpoint, https response error StatusCode: 400, RequestID: xxxxxxx, api error InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.vpce.us-east-2.vpce-svc-xxxxxxxxxxxxx' does not exist
However, setting up the same cross-region connection to the VPC Endpoint Service through the AWS Management Console works fine.
Cause
Let's assume we are trying to set up a cross-region connection between a VPC Endpoint Service in the Ohio (us-east-2) region and a VPC Endpoint in the Oregon (us-west-2) region.
The configuration for aws_vpc_endpoint looks as below:

    resource "aws_vpc_endpoint" "test_vpc_endpoint" {
      provider            = aws.oregon
      vpc_id              = var.vpc_id_oregon
      vpc_endpoint_type   = "Interface"
      service_name        = data.aws_vpc_endpoint_service.rds_endpoint_service.service_name # Ohio service_name
      security_group_ids  = var.glue_security_groups
      subnet_ids          = var.glue_subnets
      private_dns_enabled = var.glue_private_dns_enabled
      tags                = local.tags
      depends_on          = [aws_vpc_endpoint_service.rds_endpoint_service]
    }

The VPC Endpoint Service we need to consume is in us-east-2 (Ohio), so the endpoint resource needs service_region = "us-east-2". If service_region is not provided in the configuration, Terraform throws this error, thinking the VPC Endpoint Service does not exist.
Solution
Add the optional service_region attribute to the resource. The resource configuration should then look like:

    resource "aws_vpc_endpoint" "test_vpc_endpoint" {
      provider            = aws.oregon
      vpc_id              = var.vpc_id_oregon
      vpc_endpoint_type   = "Interface"
      service_name        = data.aws_vpc_endpoint_service.rds_endpoint_service.service_name # Ohio service_name
      security_group_ids  = var.glue_security_groups
      subnet_ids          = var.glue_subnets
      private_dns_enabled = var.glue_private_dns_enabled
      service_region      = "us-east-2"
      tags                = local.tags
      depends_on          = [aws_vpc_endpoint_service.rds_endpoint_service]
    }

Outcome
Once the service_region attribute is added to the resource, the provisioning should be successful without any issues.
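
A pre-apply check for this mistake, as an added example that is not part of the original article or of any HashiCorp tooling: it walks the `planned_values` section of `terraform show -json` output and reports every aws_vpc_endpoint whose service name points at another region without a matching service_region. The function names, the `endpoint_regions` mapping (resource address to the region of the provider creating the endpoint) and the sample plan are assumptions made for the example.

```python
import re

# Service name layout as it appears in the error message on this page.
SERVICE_NAME = re.compile(r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.vpce-svc-[0-9a-z]+$")

def iter_resources(module):
    """Yield every resource in a plan module, including child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_endpoints(plan, endpoint_regions):
    """Return {address: reason} for endpoints that still need service_region.

    endpoint_regions is supplied by the caller (assumption): it maps a
    resource address to the region the endpoint is created in.
    """
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_vpc_endpoint":
            continue
        values = res.get("values", {})
        match = SERVICE_NAME.match(values.get("service_name") or "")
        here = endpoint_regions.get(res["address"])
        if not match or here is None:
            continue  # AWS-managed service, name unknown until apply, or no region given
        svc_region = match.group(1)
        declared = values.get("service_region")
        if svc_region != here and declared != svc_region:
            findings[res["address"]] = (
                f"service is in {svc_region}, endpoint in {here}, "
                f"service_region is {declared!r}")
    return findings

# Constructed sample plan (not real Terraform output): one endpoint without
# service_region in the root module, one with it set in a child module.
def _endpoint(name, service_region):
    return {"address": f"aws_vpc_endpoint.{name}", "type": "aws_vpc_endpoint",
            "values": {"service_region": service_region, "service_name":
                       "com.amazonaws.vpce.us-east-2.vpce-svc-0123456789abcdef0"}}

SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [_endpoint("broken", None)],
    "child_modules": [{"resources": [_endpoint("fixed", "us-east-2")]}]}}}
SAMPLE_REGIONS = {"aws_vpc_endpoint.broken": "us-west-2",
                  "aws_vpc_endpoint.fixed": "us-west-2"}

if __name__ == "__main__":
    print(check_endpoints(SAMPLE_PLAN, SAMPLE_REGIONS))
```

When service_name is only known after apply, as it can be when the endpoint service is created in the same configuration, the plan carries no value for it and the check skips that endpoint.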
Note: If you continue to experience issues, please contact HashiCorp Support.