Unauthorized error with retrieving the client configuration; cannot get around the error and stuck with resources

[laffey]

Describe the Bug

You all should remove this from the repository. It doesn't work and needs lots of help. Waste of my time.

I can't even destroy the resources because of an unauthorized error, and I am using privileged aws access, so there is no lack of authorization.

Error: UnauthorizedOperation: You are not authorized to perform this operation....

with module.vpn.data.awsutils_ec2_client_vpn_export_client_config.default[0],
│ on .terraform/modules/vpn/main.tf line 264, in data "awsutils_ec2_client_vpn_export_client_config" "default":
│ 264: data "awsutils_ec2_client_vpn_export_client_config" "default" {

Expected Behavior

Error after all resources created. Now I cannot delete resources.

Steps to Reproduce

terraform apply.
Test your own code...

Screenshots

No response

Environment

No response

Additional Context

No response

[conzy]

@laffey Just for you and future travellers. This module uses two providers. The official aws provider and a awsutils provider that Cloudposse have developed. I'm sure they have a good reason for the custom provider, but I guess it does break the principle of least surprise a little.

Your attitude could be better! You are after all using a free module from their opinionated set of modules for their accelerators.

Because this module also requires the awsutils provider you will also need to configure that provider in your root module if you are providing configuration options to the aws provider.

So you probably have something like:

provider "aws" {
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::1111111111:role/some_role"
  }
}

module "this_module" {
  source  = "cloudposse/ec2-client-vpn/aws"
  # removed for brevity 
}

And you need to update your config to look something like:

provider "aws" {
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::1111111111:role/some_role"
  }
}

provider "awsutils" {
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::1111111111:role/some_role"
  }
}


module "this_module" {
  source  = "cloudposse/ec2-client-vpn/aws"
  # removed for brevity 
}

You probably could have figured that out in the time it took to open this salty issue

[nitrocode]

Thanks @conzy

The reason why the additional provider is needed is because the upstream aws provider cannot export the aws client vpn configuration so the cloudposse/awsutils provider is used instead

For reference, there is also an examples directory of how to use each module which contains the defined providers

terraform-aws-ec2-client-vpn/examples/complete/main.tf

Lines 1 to 7 in a777f96

	provider "aws" {
	region = var.region
	}
	provider "awsutils" {
	region = var.region
	}

And the auto generated required providers section for each module

https://github.com/cloudposse/terraform-aws-ec2-client-vpn?tab=readme-ov-file#providers

We can probably go one step further and add the required providers to the versions.tf so it's more obvious when doing an init/plan step

Edit: nvm, the req provider is already set

terraform-aws-ec2-client-vpn/versions.tf

Lines 1 to 12 in a777f96

	terraform {
	required_version = ">= 1.0"
	required_providers {
	aws = {
	source = "hashicorp/aws"
	version = ">= 4.0"
	}
	awsutils = {
	source = "cloudposse/awsutils"
	version = ">= 0.16.0"
	}