AWS Account ID not allowed - Leading 0 account number

[rhardingpax8]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.3
hashicorp/aws v3.7.0

Affected Resource(s)

• aws_provider
• module creation

Terraform Configuration Files

I have a setup which has worked successfully for 35/37 accounts i have created the structure for, but the only two accounts which are causing me issue contain a leading 0 in their account number, so wonder if there is something perculiur with terraform not recognising leading 0's in the number variable data type when passed to a provider

Tree Structure

├── accounts #many accounts
    ├── AWS-ACCOUNT-001
│       └── prod #many environments
│           ├── backend_role.tfvars
│           ├── main.tf
│           ├── prod.tfvars
│           └── versions.tf
├── module #Common code for all accounts to use
│   ├── configuration.tf
│   ├── main.tf
│   ├── variables.tf
│   └── versions.tf

File where the variables are assigned vales

#accounts/AWS-ACCOUNT-001/prod/prod.tfvars

account_number = SOME_ACCOUNT

File where the role is declared

#accounts/AWS-ACCOUNT-001/prod/backend_role.tfvars

role_arn = "arn:aws:iam::ACCOUNT_NUMBER:role/SomeRole"

File where the module will locate the modules tf

#accounts/AWS-ACCOUNT-001/prod/main.tf

module "terraform-setup" {
  source = "../../../module"

  role_arn       = var.role_arn
  account_number = var.account_number
}

variable "account_number" {
  type        = number
  description = "Which AWS account to operate in?"
}

variable "role_arn" {
  type        = string
  description = "role assumed by the aws provider to do the actual work"
}

File where the provider is declared

#modules/configuration.tf

provider "aws" {

  alias = "account"

  region = var.region

  allowed_account_ids = [var.account_number]

  assume_role {
    # From backend_role.tfvars
    role_arn = var.role_arn
  }

  version = "~> 3.0"
}

Debug Output

Panic Output

Expected Behavior

Able to perform a plan successfully, which will give an output of the resources to be created

Actual Behavior

Received the following error code

Error: AWS Account ID not allowed: SOME_ACCOUNT #Account has leading 0

Steps to Reproduce

cd "accounts/AWS-ACCOUNT-001/prod
terraform init
terraform plan -out="./accounts/AWS-ACCOUNT-001/prod/prod.tfplan" \
                -var-file="./prod.tfvars" \
                -var-file="./backend_role.tfvars"

Try to perform a plan with an account that has a leading 0 as a number data type
Pass the role_arn (string), and account_number (number) to the module/configuration.tf

Important Factoids

References

• #0000

[trevorrea]

Hi,

I am seeing a variation of this too. I was able to work around it in one instance by quoting the account number.

The issue I am seeing is that the leading zero is being silently dropped. Code to reproduce:-

data "aws_iam_policy_document" "lambda_ecs_deploy_assume_policy" {
  statement {
    actions = [
      "sts:AssumeRole"
    ]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_ids.management}:root"]
    }
  }
}

Plan output:-

 # aws_iam_role.lambda_ecs_deploy[0] will be created
  + resource "aws_iam_role" "lambda_ecs_deploy" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::11111111111:root"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + max_session_duration  = 3600
      + name                  = "rep-integration-lambda-ecs-deploy"
      + path                  = "/"
      + tags                  = {
          + "Environment" = "integration"
          + "Project"     = "rep"
        }
      + unique_id             = (known after apply)
    }

Terraform v0.13.2
hashicorp/aws v3.6.0
hashicorp/random v2.3.0
hashicorp/archive v1.3.0

The real account number is 011111111111 (well obviously not but I'm not pasting the real one here)

Debug output - https://gist.github.com/trevorrea/5f27c9ccae96b94eb6704aca0367cddd

Thanks,
Trevor

[gdavison]

Thanks for the update, @robh-wirehive. Since variable "account_number" is declared as type = number, it's stripping the leading 0. If you use type = string, it should work as expected.

@trevorrea, I suspect a similar problem in your case.

[rhardingpax8]

Hi @gdavison - thanks for the reply. I can confirm that setting the variable "account_number" to type = string does resolve the issue for the two accounts i have with leading 0 account numbers

[gdavison]

Great news!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!