The issue occurred because AWS automatically attaches the default VPC security group to an Interface endpoint when no SGs are specified at creation. The module previously relied on replace_default_association to swap it out for the desired SG. This worked only on the first run - subsequent runs failed because the default SG was no longer attached.

Changes

1. Attach first SG at creation time
   • Added security_group_ids to aws_vpc_endpoint.interface_endpoint with the first SG from var.interface_vpc_endpoints.
   • Prevents AWS from attaching the default SG and removes the need for replace_default_association.
2. Limit SG associations to index > 0
   • Updated security_group_associations_list and security_group_associations_map locals to only include SGs beyond the first one.
   • Ensures Terraform doesn’t try to re-attach the already-attached first SG.
3. Remove replace_default_association
   • Association resources now only attach additional SGs.
   • Eliminates fragile "replace default" logic that failed on repeated applies.

Benefits

• Idempotent applies — no more failing after the first run.
• Simpler logic — no special-case handling for the default SG.
• Clean AWS state — the default SG is never attached in the first place.

Testing

• Applied changes in a test environment with multiple endpoints and SGs.
• Verified that:
  • First SG is attached at endpoint creation.
  • Additional SGs are attached via association resources.
  • No errors occur on repeated terraform apply runs.