fix: Update tags for default resources to correct spurious plan diffs (#730)

examples/complete-vpc/main.tf

@@ -32,8 +32,14 @@ module "vpc" {
 
   create_database_subnet_group = false
 
+  manage_default_network_acl = true
+  default_network_acl_tags   = { Name = "${local.name}-default" }
+
   manage_default_route_table = true
-  default_route_table_tags   = { DefaultRouteTable = true }
+  default_route_table_tags   = { Name = "${local.name}-default" }
+
+  manage_default_security_group = true
+  default_security_group_tags   = { Name = "${local.name}-default" }
 
   enable_dns_hostnames = true
   enable_dns_support   = true
@@ -62,11 +68,6 @@ module "vpc" {
   dhcp_options_domain_name         = "service.consul"
   dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
 
-  # Default security group - ingress/egress rules cleared to deny all
-  manage_default_security_group  = true
-  default_security_group_ingress = []
-  default_security_group_egress  = []
-
   # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
   enable_flow_log                      = true
   create_flow_log_cloudwatch_log_group = true
@@ -187,13 +188,9 @@ data "aws_security_group" "default" {
 }
 
 # Data source used to avoid race condition
-data "aws_vpc_endpoint_service" "dynamodb" {
-  service = "dynamodb"
-
-  filter {
-    name   = "service-type"
-    values = ["Gateway"]
-  }
+data "aws_vpc_endpoint" "dynamodb" {
+  vpc_id       = module.vpc.vpc_id
+  service_name = "com.amazonaws.${local.region}.dynamodb"
 }
 
 data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
@@ -211,7 +208,7 @@ data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
       test     = "StringNotEquals"
       variable = "aws:sourceVpce"
 
-      values = [data.aws_vpc_endpoint_service.dynamodb.id]
+      values = [data.aws_vpc_endpoint.dynamodb.id]
     }
   }
 }
@@ -229,9 +226,9 @@ data "aws_iam_policy_document" "generic_endpoint_policy" {
 
     condition {
       test     = "StringNotEquals"
-      variable = "aws:sourceVpce"
+      variable = "aws:SourceVpc"
 
-      values = [data.aws_vpc_endpoint_service.dynamodb.id]
+      values = [module.vpc.vpc_id]
     }
   }
 }

outputs.tf

@@ -264,37 +264,37 @@ output "intra_route_table_ids" {
 }
 
 output "public_internet_gateway_route_id" {
-  description = "ID of the internet gateway route."
+  description = "ID of the internet gateway route"
   value       = try(aws_route.public_internet_gateway[0].id, "")
 }
 
 output "public_internet_gateway_ipv6_route_id" {
-  description = "ID of the IPv6 internet gateway route."
+  description = "ID of the IPv6 internet gateway route"
   value       = try(aws_route.public_internet_gateway_ipv6[0].id, "")
 }
 
 output "database_internet_gateway_route_id" {
-  description = "ID of the database internet gateway route."
+  description = "ID of the database internet gateway route"
   value       = try(aws_route.database_internet_gateway[0].id, "")
 }
 
 output "database_nat_gateway_route_ids" {
-  description = "List of IDs of the database nat gateway route."
+  description = "List of IDs of the database nat gateway route"
   value       = aws_route.database_nat_gateway[*].id
 }
 
 output "database_ipv6_egress_route_id" {
-  description = "ID of the database IPv6 egress route."
+  description = "ID of the database IPv6 egress route"
   value       = try(aws_route.database_ipv6_egress[0].id, "")
 }
 
 output "private_nat_gateway_route_ids" {
-  description = "List of IDs of the private nat gateway route."
+  description = "List of IDs of the private nat gateway route"
   value       = aws_route.private_nat_gateway[*].id
 }
 
 output "private_ipv6_egress_route_ids" {
-  description = "List of IDs of the ipv6 egress route."
+  description = "List of IDs of the ipv6 egress route"
   value       = aws_route.private_ipv6_egress[*].id
 }
 

variables.tf

@@ -388,6 +388,12 @@ variable "manage_default_route_table" {
   default     = false
 }
 
+variable "default_route_table_name" {
+  description = "Name to be used on the default route table"
+  type        = string
+  default     = null
+}
+
 variable "default_route_table_propagating_vgws" {
   description = "List of virtual gateways for propagation"
   type        = list(string)
@@ -667,7 +673,7 @@ variable "manage_default_vpc" {
 variable "default_vpc_name" {
   description = "Name to be used on the Default VPC"
   type        = string
-  default     = ""
+  default     = null
 }
 
 variable "default_vpc_enable_dns_support" {
@@ -703,7 +709,7 @@ variable "manage_default_network_acl" {
 variable "default_network_acl_name" {
   description = "Name to be used on the Default Network ACL"
   type        = string
-  default     = ""
+  default     = null
 }
 
 variable "default_network_acl_tags" {
@@ -1035,13 +1041,13 @@ variable "manage_default_security_group" {
 variable "default_security_group_name" {
   description = "Name to be used on the default security group"
   type        = string
-  default     = "default"
+  default     = null
 }
 
 variable "default_security_group_ingress" {
   description = "List of maps of ingress rules to set on the default security group"
   type        = list(map(string))
-  default     = null
+  default     = []
 }
 
 variable "enable_flow_log" {
@@ -1053,7 +1059,7 @@ variable "enable_flow_log" {
 variable "default_security_group_egress" {
   description = "List of maps of egress rules to set on the default security group"
   type        = list(map(string))
-  default     = null
+  default     = []
 }
 
 variable "default_security_group_tags" {