error associating RAM Resource Share #7632

Closed
tbugfinder opened this issue Feb 21, 2019 · 16 comments · Fixed by #8048
Labels
documentation Introduces or discusses updates to documentation. service/ram Issues and PRs that pertain to the ram service.
Milestone

Comments

@tbugfinder
Contributor

tbugfinder commented Feb 21, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.8

Affected Resource(s)

  • aws_ram_resource_share
  • aws_ram_principal_association
  • aws_ram_resource_association

Terraform Configuration Files

Just use code of the documentation pages and use principal o-/ou-.

```hcl
resource "aws_ram_resource_share" "tgwshare" {
  name                      = "test-share1"
  allow_external_principals = false
}

resource "aws_ram_principal_association" "example" {
  principal          = "o-xxxxxxx"
  resource_share_arn = "${aws_ram_resource_share.tgwshare.id}"
}

resource "aws_ram_resource_association" "tgwassoc" {
  resource_arn       = "${aws_ec2_transit_gateway.tgw.arn}"
  resource_share_arn = "${aws_ram_resource_share.tgwshare.id}"
}

resource "aws_ec2_transit_gateway" "tgw" {
  description = "example"
}
```

Debug Output

  • aws_ram_principal_association.example: 1 error(s) occurred:

  • aws_ram_principal_association.example: Error associating principal with RAM resource share: InvalidParameterException: Principal ID o-XXXXXXXX is malformed. Verify the ID and try again.
    status code: 400, request id: 80e330c1-35e0-11e9-84b1-c1fca2fb946c

Panic Output

no panic

Expected Behavior

Support o-, ou- syntax.

Actual Behavior

Syntax error while using ou- | o- the notation of the principal fails.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

@bflad bflad added the service/ram Issues and PRs that pertain to the ram service. label Feb 21, 2019
@anupkandpile

I see the same error when I pass Account ID / Org ID / OU-ID as a principal.

```hcl
resource "aws_ram_resource_share" "txgw_ram_resource_share" {
  name                      = "${var.txgw_description}"
  allow_external_principals = true
  tags {
    Team_ID    = "XXXXXX"
    Service_ID = "XXXXXX"
  }
}
resource "aws_ram_resource_association" "txgw_ram_resource_association" {
  resource_arn       = "${var.txgw_resource_arn}"
  resource_share_arn = "${aws_ram_resource_share.txgw_ram_resource_share.id}"
}
resource "aws_ram_principal_association" "txgw_ram_principal_association" {
  principal          = "${var.aws_org_ou_id}"
  resource_share_arn = "${aws_ram_resource_share.txgw_ram_resource_share.id}"
}
output "txgw_ram_resource_share_id" {
  value = "${aws_ram_resource_share.txgw_ram_resource_share.id}"
}
```

module.txgw_resource_share.aws_ram_principal_association.txgw_ram_principal_association: 1 error(s) occurred:

aws_ram_principal_association.txgw_ram_principal_association: Error associating principal with RAM resource share: InvalidParameterException: Principal ID XXXXXXXXXX is malformed. Verify the ID and try again.
status code: 400, request id: XXXXX

@tbugfinder
Contributor Author

Actually I'm also confused why we pass an ID when the name is ARN.
resource_share_arn = "${aws_ram_resource_share.txgw_ram_resource_share.id}"

@anupkandpile

I tried to pass ARN in place of ID and it errored out:

Error:

Error: Error running plan: 2 error(s) occurred:

  • module.txgw_resource_share.aws_ram_principal_association.txgw_ram_principal_association: 1 error(s) occurred:

module.txgw_resource_share.aws_ram_principal_association.txgw_ram_principal_association: Resource 'aws_ram_resource_share.txgw_ram_resource_share' does not have attribute 'arn' for variable 'aws_ram_resource_share.txgw_ram_resource_share.arn'

  • module.txgw_resource_share.aws_ram_resource_association.txgw_ram_resource_association: 1 error(s) occurred:

module.txgw_resource_share.aws_ram_resource_association.txgw_ram_resource_association: Resource 'aws_ram_resource_share.txgw_ram_resource_share' does not have attribute 'arn' for variable 'aws_ram_resource_share.txgw_ram_resource_share.arn'

@tbugfinder
Contributor Author

exactly.

@bflad
Contributor

bflad commented Feb 21, 2019

I submitted adding an arn attribute here: #7634

@tbugfinder
Contributor Author

tbugfinder commented Feb 24, 2019

That match expression should be extended to allow o-/ou- strings:
https://github.com/terraform-providers/terraform-provider-aws/blob/c7d129e27f601973b00e1f17bc70c1782d56c2c9/aws/resource_aws_ram_principal_association.go#L65

@anupkandpile

@tbugfinder I was able to get past the "malformed principal" issue by providing the ARN of Org/OU instead of ID, i.e. arn:aws:organizations::XXXXXXX:ou/o-XXXX/ou-XXXX in place of (o-xxxxxxx/ou-xxxxxxx), and it worked.

I'd recommend trying it out on your end if that is the case with you as well.

@tbugfinder
Contributor Author

@anupkandpile I confirm that string is valid! Thank you very much.

@tbugfinder
Contributor Author

Although I think that the console also accepts short strings of the ARN.

@bflad bflad added the documentation Introduces or discusses updates to documentation. label Mar 22, 2019
bflad added a commit that referenced this issue Mar 22, 2019
…ld be ARNs not IDs

Reference: #7632

Output from acceptance testing:

```
--- PASS: TestAccAwsRamPrincipalAssociation_disappears (14.65s)
--- PASS: TestAccAwsRamPrincipalAssociation_basic (16.24s)
```
@bflad
Contributor

bflad commented Mar 22, 2019

Pull request submitted to update the documentation to use ARNs instead of IDs as well as add validation for the argument (account ID or ARN): #8048

The API Reference gives no guidance on the parameter, but the web console may be looking up the ID and expanding it to the full ARN before creating the request. We typically do not support those types of cross-service API calls in resources as they can be problematic and introduce complexity we (in both the code maintainer and practitioner sense) would like to avoid.

FYI, the regex noted in the comment above (#7632 (comment)) is only used after successful association creation and is used to bypass waiting for the pending association to complete in the case you specify an external account ID as the principal. Otherwise, it would never be possible for us to create a separate association "accepter" resource. For full context:

https://github.com/terraform-providers/terraform-provider-aws/blob/b4d6106a4e17f428c137c3cf9ccc3abc229c1f00/aws/resource_aws_ram_principal_association.go#L44-L74

@bflad bflad added this to the v2.4.0 milestone Mar 26, 2019
@bflad
Contributor

bflad commented Mar 26, 2019

The documentation and validation updates have been merged and will release with version 2.4.0 of the Terraform AWS Provider, likely in the next two days. 👍

@bflad
Contributor

bflad commented Mar 29, 2019

This has been released in version 2.4.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@Math1er

Math1er commented Mar 29, 2019

Hello
I have a question regarding this topic.
I don't have OU in my Organisation.
I try to provide the ARN of my Organization without OU and it doesn't work (Terraform provider =2.4.0)
arn:aws:organizations::XXXXXXXXXXXX:ou/o-XXXXXXXXXX
and also
arn:aws:organizations::XXXXXXXXXXXX:ou/o-XXXXXXXXXX/r-XXXX
Can the aws_ram_principal_association resources work without OU?
Regards,

@bflad
Contributor

bflad commented Mar 29, 2019

Hi @Math1er 👋 Your Organization ARN should be of the form:

arn:aws:organizations::XXXXXXXXXXXX:organization/o-XXXXXXXX

I grabbed the above in my environment using the AWS CLI: aws organizations describe-organization
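
Added example, not part of the thread and not the provider's own validation code: a pre-flight check that accepts the principal forms this thread reports as working (account ID, organization ARN, OU ARN), rejects the `ou/o-…` and `ou/o-…/r-…` shapes asked about above, and expands a bare `o-`/`ou-` ID offline from IDs the caller supplies. The function name, the loose ID patterns, the hard-coded `aws` partition and the sample values are assumptions; the account field of the ARN is taken to be the organization's management account.

```go
package main

import (
	"fmt"
	"regexp"
)

// Loose patterns (assumptions, not the provider's validation): the thread
// only shows the overall shapes, so ID bodies are matched permissively.
var (
	accountRe = regexp.MustCompile(`^\d{12}$`)
	orgArnRe  = regexp.MustCompile(`^arn:aws:organizations::\d{12}:organization/o-[a-z0-9]+$`)
	ouArnRe   = regexp.MustCompile(`^arn:aws:organizations::\d{12}:ou/o-[a-z0-9]+/ou-[a-z0-9-]+$`)
	orgIDRe   = regexp.MustCompile(`^o-[a-z0-9]+$`)
	ouIDRe    = regexp.MustCompile(`^ou-[a-z0-9-]+$`)
)

// NormalizePrincipal (hypothetical helper) returns the principal in an
// accepted form. Bare o-/ou- IDs are expanded from the caller-supplied
// management account ID and organization ID, with no API lookup.
func NormalizePrincipal(p, mgmtAccount, orgID string) (string, error) {
	switch {
	case accountRe.MatchString(p), orgArnRe.MatchString(p), ouArnRe.MatchString(p):
		return p, nil
	case orgIDRe.MatchString(p):
		if !accountRe.MatchString(mgmtAccount) {
			return "", fmt.Errorf("bare organization ID %q needs a 12-digit management account ID", p)
		}
		return fmt.Sprintf("arn:aws:organizations::%s:organization/%s", mgmtAccount, p), nil
	case ouIDRe.MatchString(p):
		if !accountRe.MatchString(mgmtAccount) || !orgIDRe.MatchString(orgID) {
			return "", fmt.Errorf("bare OU ID %q needs management account and organization IDs", p)
		}
		return fmt.Sprintf("arn:aws:organizations::%s:ou/%s/%s", mgmtAccount, orgID, p), nil
	}
	return "", fmt.Errorf("principal %q is not an account ID, organization ARN or OU ARN", p)
}

func main() {
	// Constructed sample values; none are real identifiers.
	for _, p := range []string{"o-abc1234567", "ou-ab12-cdef3456",
		"arn:aws:organizations::111122223333:ou/o-abc1234567"} {
		out, err := NormalizePrincipal(p, "111122223333", "o-abc1234567")
		fmt.Printf("%-55s -> %q err=%v\n", p, out, err)
	}
}
```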

@mrg2k8

mrg2k8 commented Apr 17, 2019

If it still doesn't work, try enabling "Enable account sharing within your AWS organization" on the root account, in the settings of the RAM service.

@ghost

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020