
How to register targets in NLB from vpc endpoint interface ids? #11676

Closed
80kk opened this issue Jan 20, 2020 · 6 comments
Labels
question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/elbv2 Issues and PRs that pertain to the elbv2 service.

Comments


80kk commented Jan 20, 2020

I am trying to set up an NLB for AWS Transfer Server, however I am stuck on the target registration step as TF outputs IPs in eni-xyz format only. How can I get IPs from ENI ids to use them as targets?

main.tf

```hcl
resource "aws_transfer_server" "transfer_server" {
  identity_provider_type = "API_GATEWAY"
  endpoint_type          = "VPC_ENDPOINT"
  endpoint_details {
    vpc_endpoint_id = aws_vpc_endpoint.transfer_server.id
  }

  logging_role    = aws_iam_role.transfer_server-role.arn
  url             = var.api_url
  invocation_role = aws_iam_role.transfer_server_invocation-role.arn
  tags            = var.tags

  depends_on = [aws_vpc_endpoint.transfer_server]
}

resource "aws_vpc_endpoint" "transfer_server" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.transfer.server"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.public_subnet_ids
  private_dns_enabled = true
  security_group_ids  = [aws_security_group.transfer_server.id]
}

resource "aws_security_group" "transfer_server" {
  name        = join("", [var.tags.Environment, "-transfer_server"])
  description = "allows access to SFTP"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    description = "allows port 22 to be accessed from local VPC and the internet"
    cidr_blocks = concat(var.allowed_pub_cidrs, var.allowed_priv_cidrs)
    self        = true
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = var.tags
}
```

NLB

```hcl
resource "aws_eip" "eip_nlb" {
  count = length(var.public_subnet_ids)
  vpc   = true
}

resource "aws_lb" "sftp-nlb" {
  name                       = join("", [var.tags.Environment, "-sftp-nlb"])
  internal                   = false
  load_balancer_type         = "network"
  enable_deletion_protection = false
  idle_timeout               = 180
  tags                       = var.tags

  dynamic "subnet_mapping" {
    for_each = var.subnet_mapping

    content {
      subnet_id     = subnet_mapping.value.subnet_id
      allocation_id = lookup(subnet_mapping.value, "allocation_id", null)
    }
  }
}

resource "aws_lb_target_group" "sftp-nlb-target-group" {
  name        = join("", [var.tags.Environment, "-sftp"])
  port        = 22
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id
  tags        = var.tags
}

resource "aws_lb_listener" "sftp-nlb-listener" {
  load_balancer_arn = aws_lb.sftp-nlb.arn
  port              = 22
  protocol          = "TCP"
  default_action {
    target_group_arn = aws_lb_target_group.sftp-nlb-target-group.arn
    type             = "forward"
  }
}
```

vars.tf

```hcl
output "transfer_server_id" {
  value = aws_transfer_server.transfer_server.id
}

output "transfer_server_endpoint" {
  value = aws_transfer_server.transfer_server.endpoint
}

output "vpc_endpoint_transferserver_network_interface_ids" {
  description = "One or more network interfaces for the VPC Endpoint for transferserver"
  value       = flatten(aws_vpc_endpoint.transfer_server.*.network_interface_ids)
}
```

@ghost ghost added service/ec2 Issues and PRs that pertain to the ec2 service. service/elbv2 Issues and PRs that pertain to the elbv2 service. service/transfer Issues and PRs that pertain to the transfer service. labels Jan 20, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 20, 2020
@ashish30jain

You can retrieve it from a data source:

```hcl
data "aws_network_interface" "sftp_nics" {
  id = aws_network_interface.id
}
```


80kk commented Jan 24, 2020

> You can retrieve it from data
> `data "aws_network_interface" "sftp_nics" { id = aws_network_interface.id }`

No, that doesn't work.

@ashish30jain

```hcl
resource "aws_lb_target_group_attachment" "sftp" {
  target_group_arn = aws_lb_target_group.sftp.arn
  target_id        = data.aws_network_interface.sftp_nics.private_ip
  port             = 22
}
```

https://www.terraform.io/docs/providers/aws/d/network_interface.html#private_ip

I have tested this and have been using it for a while.

@davepattie

Try this:

```hcl
data "aws_network_interface" "endpoint_nic0" {
  id = tolist(aws_vpc_endpoint.endpoint.network_interface_ids)[0]
}

data "aws_network_interface" "endpoint_nic1" {
  id = tolist(aws_vpc_endpoint.endpoint.network_interface_ids)[1]
}

resource "aws_lb_target_group_attachment" "nic0" {
  target_group_arn = element(module.nlb.elb_target_group_arn, count.index)
  target_id        = data.aws_network_interface.endpoint_nic0.private_ip

  count = length(module.nlb.elb_target_group_arn)
}

resource "aws_lb_target_group_attachment" "nic1" {
  target_group_arn = element(module.nlb.elb_target_group_arn, count.index)
  target_id        = data.aws_network_interface.endpoint_nic1.private_ip

  count = length(module.nlb.elb_target_group_arn)
}
```


apogorielov commented Oct 26, 2020

You can do an indirect loop here using your var.public_subnet_ids from the aws_vpc_endpoint:

```hcl
data "aws_network_interface" "sftp_nics" {
  count      = length(var.public_subnet_ids)
  id         = flatten(aws_vpc_endpoint.transfer_server.*.network_interface_ids)[count.index]
  depends_on = [aws_vpc_endpoint.transfer_server]
}

output "privateIP" {
  value = data.aws_network_interface.sftp_nics.*.private_ips
}
```

```
privateIP = [
  [
    "192.168.11.157",
  ],
  [
    "192.168.57.6",
  ],
  [
    "192.168.1.249",
  ],
]
```
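Putting the two answers together, the following is an added example (not code from the issue thread or from the provider) that registers the private IP of every ENI the interface endpoint creates, one per subnet in `var.public_subnet_ids`, as an `ip`-type target on the target group from the original post. It reuses the names already in the thread (`aws_vpc_endpoint.transfer_server`, `aws_lb_target_group.sftp-nlb-target-group`, `var.public_subnet_ids`) and assumes nothing else about the configuration.

```hcl
# Added example, not from the issue thread. Reuses the resource and variable
# names from the original post; everything else is an assumption.

# count comes from var.public_subnet_ids, which is known at plan time. The
# endpoint's network_interface_ids is a set that is only known after apply,
# so it cannot drive for_each ("Invalid for_each argument") and must be
# converted with tolist() before it can be indexed.
data "aws_network_interface" "transfer_endpoint" {
  count = length(var.public_subnet_ids)
  id    = tolist(aws_vpc_endpoint.transfer_server.network_interface_ids)[count.index]

  depends_on = [aws_vpc_endpoint.transfer_server]
}

# One attachment per ENI. private_ip is the ENI's primary private IPv4
# address (see the data source doc linked above); port matches the listener.
resource "aws_lb_target_group_attachment" "transfer_endpoint" {
  count = length(var.public_subnet_ids)

  target_group_arn = aws_lb_target_group.sftp-nlb-target-group.arn
  target_id        = data.aws_network_interface.transfer_endpoint[count.index].private_ip
  port             = 22
}

# After apply, lists the IPs that were registered so they can be compared
# against the target group's registered targets.
output "transfer_endpoint_target_ips" {
  value = data.aws_network_interface.transfer_endpoint.*.private_ip
}
```

Two things to keep in mind: `tolist()` on a set yields a stable (sorted) order, so `count.index` maps to the same ENI on every run, but adding or removing a subnet shifts the indices and recreates the attachments. And because the targets are the endpoint ENIs, the security group attached to the endpoint (`aws_security_group.transfer_server` in the original post) is what actually filters traffic reaching port 22 on those IPs, so its `cidr_blocks` are the effective allow-list, not anything on the NLB.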

@ewbankkit ewbankkit added question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. and removed needs-triage Waiting for first response or review from a maintainer. service/ec2 Issues and PRs that pertain to the ec2 service. service/transfer Issues and PRs that pertain to the transfer service. labels Jun 29, 2021
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 30, 2021