
Unable to customise vpc endpoint security group Name tag #1234

@chris3ware

Description


When supplying security_group_name_prefix as an input to the vpc endpoint module, with a trailing hyphen to separate the user-defined prefix from the random suffix, the Name tag ends with the trailing hyphen.

To attempt to overcome this, I have tried to pass in a Name tag via security_group_tags. This does not work due to the precedence of the merge function on the aws_security_group resource preferring the hardcoded Name tag as it is the later argument in the sequence.

If this is compared to the ec2-instance module, the merge function for security group tags allows a user to pass in a custom name because var.security_group_tags is last in the sequence.

I raised #1233 to provide a fix for this but it has been closed. #1231 has also been closed for the same issue.

For clarity: the requirement is to be able to specify a custom Name tag for the VPC endpoint security group, not the endpoint itself.

Versions

  • Module version [Required]: v6.0.1

  • Terraform version: v1.5.7

  • Provider version(s): provider registry.terraform.io/hashicorp/aws v6.8.0

Reproduction Code [Required]

provider "aws" {
  region = local.region
}

data "aws_availability_zones" "available" {}

locals {
  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

  vpc_cidr = "10.0.0.0/16"
  azs      = slice(data.aws_availability_zones.available.names, 0, 3)

  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
    GithubOrg  = "terraform-aws-modules"
  }
}

module "vpc" {
  source = "../../"

  name = local.name
  cidr = local.vpc_cidr

  azs                 = local.azs
  private_subnets     = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
}

module "vpc_endpoints" {
  source = "../../modules/vpc-endpoints"

  vpc_id = module.vpc.vpc_id

  # Endpoint definitions are passed as a map under the `endpoints` input
  endpoints = {
    ssm = {
      service             = "ssm"
      private_dns_enabled = true
      subnet_ids          = module.vpc.private_subnets
    }
  }

  create_security_group      = true
  security_group_name_prefix = "${local.name}-vpc-endpoints-"
  security_group_description = "VPC endpoint security group"
  security_group_rules = {
    ingress_https = {
      description = "HTTPS from VPC"
      cidr_blocks = [module.vpc.vpc_cidr_block]
    }
  }

  # User-supplied tags; the Name here is what should win
  security_group_tags = {
    Name = "the-name-I-want"
  }
}

Expected behavior

The Name tag of the vpc endpoint security group should be: "the-name-I-want"

Actual behavior

The Name tag of the vpc endpoint security group is: "ex-complete-vpc-endpoints-"

Terminal Output Screenshot(s)

module.vpc.module.vpc_interface_endpoints.aws_security_group.this[0]
...
tags = {
        "Name"        = "ex-complete-vpc-endpoints-"
}
tags_all = {
        "Name"        = "ex-complete-vpc-endpoints-"
}

Additional context

As suggested in #1233 and #1231, changing the precedence of the merge function on the aws_security_group resource tags would allow a user to pass in a Name tag to the security group.
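The merge precedence described above, as an added stand-alone example that is not the module's own code: the variable names are borrowed from the issue, and the assumption that the module sets Name from the prefix is illustrative only. Later arguments to merge() overwrite earlier ones, so argument order alone decides whether a user's Name tag survives.

```hcl
# Added example (not the vpc-endpoints module's code). Shows how the order of
# arguments to merge() decides which Name tag a security group ends up with.
variable "security_group_name_prefix" {
  type    = string
  default = "ex-complete-vpc-endpoints-" # constructed, mirrors the issue
}

variable "security_group_tags" {
  type = map(string)
  default = {
    Name  = "the-name-I-want" # constructed, mirrors the issue
    Owner = "platform-team"   # constructed extra tag, kept in both cases
  }
}

locals {
  # Assumed to mirror the pattern the issue describes: the module's own Name
  # is the last argument, so it overwrites any Name in var.security_group_tags.
  tags_module_name_last = merge(
    var.security_group_tags,
    { Name = var.security_group_name_prefix },
  )

  # Pattern the issue points to in the ec2-instance module: user tags come
  # last, so a user-supplied Name overrides the module's default while tags
  # the user did not set (none here) still fall back to the module's values.
  tags_user_tags_last = merge(
    { Name = var.security_group_name_prefix },
    var.security_group_tags,
  )
}

# Compare these two outputs with `terraform apply` or `terraform console`.
output "name_when_module_name_is_last" {
  value = local.tags_module_name_last["Name"]
}

output "name_when_user_tags_are_last" {
  value = local.tags_user_tags_last["Name"]
}
```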
