error associating RAM Resource Share #7632
Comments
I see the same error when I pass Account ID / Org ID / OU-ID as a principal.
module.txgw_resource_share.aws_ram_principal_association.txgw_ram_principal_association: 1 error(s) occurred: aws_ram_principal_association.txgw_ram_principal_association: Error associating principal with RAM resource share: InvalidParameterException: Principal ID XXXXXXXXXX is malformed. Verify the ID and try again.
Actually I'm also confused why we pass an ID when the name is ARN.
I tried to pass ARN in place of ID and it errored out: Error: Error: Error running plan: 2 error(s) occurred:
module.txgw_resource_share.aws_ram_principal_association.txgw_ram_principal_association: Resource 'aws_ram_resource_share.txgw_ram_resource_share' does not have attribute 'arn' for variable 'aws_ram_resource_share.txgw_ram_resource_share.arn'
module.txgw_resource_share.aws_ram_resource_association.txgw_ram_resource_association: Resource 'aws_ram_resource_share.txgw_ram_resource_share' does not have attribute 'arn' for variable 'aws_ram_resource_share.txgw_ram_resource_share.arn'
exactly.
I submitted adding an
That match expression should be extended to allow o-/ou- strings:
@tbugfinder I was able to get past the "malformed principal" issue by providing the ARN of Org/OU instead of ID, i.e. arn:aws:organizations::XXXXXXX:ou/o-XXXX/ou-XXXX in place of (o-xxxxxxx/ou-xxxxxxx), and it worked. I'd recommend trying it out on your end if that is the case with you as well.
@anupkandpile I confirm that string is valid! Thank you very much.
Although I think that the console also accepts short strings of the ARN.
…ld be ARNs not IDs
Reference: #7632
Output from acceptance testing:
```
--- PASS: TestAccAwsRamPrincipalAssociation_disappears (14.65s)
--- PASS: TestAccAwsRamPrincipalAssociation_basic (16.24s)
```
Pull request submitted to update the documentation to use ARNs instead of IDs as well as add validation for the argument (account ID or ARN): #8048

The API Reference gives no guidance on the parameter, but the web console may be looking up the ID and expanding it to the full ARN before creating the request. We typically do not support those types of cross-service API calls in resources as they can be problematic and introduce complexity we (in both the code maintainer and practitioner sense) would like to avoid.

FYI, the regex noted in the comment above (#7632 (comment)) is only used after successful association creation and is used to bypass waiting for the pending association to complete in the case you specify an external account ID as the principal. Otherwise, it would never be possible for us to create a separate association "accepter" resource. For full context:
The documentation and validation updates have been merged and will release with version 2.4.0 of the Terraform AWS Provider, likely in the next two days. 👍
This has been released in version 2.4.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
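The principal forms this thread settles on (a 12-digit account ID, or a full Organizations ARN rather than a bare o-/ou- ID), written as a pre-flight check in Go. This is an added example, not the provider's validation code; the regular expressions, the function name `ClassifyPrincipal` and the sample IDs are assumptions made for illustration, and only the principal forms discussed in this thread are covered.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns are assumptions for this example, not the provider's own validation.
var (
	accountIDRe = regexp.MustCompile(`^\d{12}$`)
	// Organization or OU ARN, in the shape quoted in the thread:
	// arn:aws:organizations::<account>:ou/o-xxxx/ou-xxxx
	orgARNRe = regexp.MustCompile(`^arn:aws[a-z-]*:organizations::\d{12}:` +
		`(organization/o-[a-z0-9]+|ou/o-[a-z0-9]+/ou-[a-z0-9-]+)$`)
	// Bare identifiers, the form the RAM API rejected as "malformed" in this issue.
	bareOrgIDRe = regexp.MustCompile(`^(o-[a-z0-9]+|ou-[a-z0-9-]+|o-[a-z0-9]+/ou-[a-z0-9-]+)$`)
)

// ClassifyPrincipal returns the kind of principal s is, or an error that says
// why the value would be rejected and what to pass instead.
func ClassifyPrincipal(s string) (string, error) {
	switch {
	case accountIDRe.MatchString(s):
		return "account-id", nil
	case orgARNRe.MatchString(s):
		return "organizations-arn", nil
	case bareOrgIDRe.MatchString(s):
		return "", fmt.Errorf("%q is a bare Organizations ID; pass the full ARN instead", s)
	default:
		return "", fmt.Errorf("%q is neither a 12-digit account ID nor an Organizations ARN", s)
	}
}

func main() {
	// Constructed sample values; the account and organization IDs are placeholders.
	for _, p := range []string{
		"123456789012",
		"arn:aws:organizations::123456789012:organization/o-exampleorgid",
		"arn:aws:organizations::123456789012:ou/o-exampleorgid/ou-ab12-cdefgh34",
		"o-exampleorgid",
		"o-exampleorgid/ou-ab12-cdefgh34",
	} {
		kind, err := ClassifyPrincipal(p)
		fmt.Printf("%-72s kind=%q err=%v\n", p, kind, err)
	}
}
```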
Hello
Hi @Math1er 👋 Your Organization ARN should be of the form:
I grabbed the above in my environment using the AWS CLI:
If it still doesn't work, try enabling "Enable account sharing within your AWS organization" on the root account, in the settings of the RAM service.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Community Note
Terraform Version
Terraform v0.11.8
Affected Resource(s)
Terraform Configuration Files
Just use code of the documentation pages and use principal o-/ou-.
Debug Output
aws_ram_principal_association.example: 1 error(s) occurred:
aws_ram_principal_association.example: Error associating principal with RAM resource share: InvalidParameterException: Principal ID o-XXXXXXXX is malformed. Verify the ID and try again.
status code: 400, request id: 80e330c1-35e0-11e9-84b1-c1fca2fb946c
Panic Output
no panic
Expected Behavior
Support o-,ou- syntax.
Actual Behavior
Syntax error while using ou- | o-, the notation of the principal fails.
Steps to Reproduce
terraform apply
Important Factoids
References