
Cannot destroy aws_ram_resource_share_accepter from member account when share contains some resource types #19319

Closed
lorengordon opened this issue May 11, 2021 · 5 comments · Fixed by #19718
Assignees: YakDriver
Labels: bug (Addresses a defect in current functionality.), partition/aws-iso (Pertains to the aws-iso partition.), partition/aws-us-gov (Pertains to the aws-us-gov partition.), service/ram (Issues and PRs that pertain to the ram service.), upstream (Addresses functionality related to the cloud provider.)
Milestone: v3.49.0

Comments

lorengordon (Contributor) commented May 11, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

$ terraform -v
Terraform v0.15.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.39.0
+ provider registry.terraform.io/hashicorp/random v3.1.0

Affected Resource(s)

  • aws_ram_resource_share_accepter

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

provider "aws" {
  profile = "resource-member"
}

provider "aws" {
  alias   = "owner"
  profile = "resource-owner"
}

resource "aws_ram_resource_share_accepter" "member" {
  share_arn = aws_ram_principal_association.invite.resource_share_arn
}

resource "aws_ram_principal_association" "invite" {
  provider = aws.owner

  principal          = data.aws_caller_identity.member.account_id
  resource_share_arn = aws_ram_resource_share.owner.arn
}

resource "aws_ram_resource_association" "query_log" {
  provider = aws.owner

  resource_arn       = aws_route53_resolver_query_log_config.this.arn
  resource_share_arn = aws_ram_resource_share.owner.arn
}

resource "aws_ram_resource_share" "owner" {
  provider = aws.owner

  name                      = local.name
  allow_external_principals = true
}

resource "aws_route53_resolver_query_log_config" "this" {
  provider = aws.owner

  name            = local.name
  destination_arn = aws_s3_bucket.query_log.arn
}

resource "aws_s3_bucket" "query_log" {
  provider = aws.owner

  force_destroy = true
}

resource "random_string" "this" {
  length  = 6
  upper   = false
  special = false
  number  = false
}

locals {
  name = "tf-test-resource-share-${random_string.this.result}"
}

data "aws_caller_identity" "member" {}

output "ram_share_arn" {
  value = aws_ram_resource_share.owner.arn
}

Expected Behavior

Terraform should be able to destroy the resources without error.

Actual Behavior

│ Error: Error leaving RAM resource share: OperationNotPermittedException: You cannot leave resource share arn:aws:ram:us-east-1:<ACCOUNT-ID>:resource-share/<SHARE-ID>. The share contains resources of the following resource types, which don't support this action: [route53resolver:ResolverQueryLogConfig]. Contact the resource share owner to be removed from the share.

Steps to Reproduce

  1. terraform apply
  2. terraform destroy

Workaround

  1. terraform state rm aws_ram_resource_share_accepter.member
  2. terraform destroy

Important Factoids

I've been in communication with AWS Support about a related issue where issuing the Disassociate command from the member account would claim to succeed but do nothing in the member account and actually leave the association in an error state in the owner account (preventing any further attempts to Disassociate from the owner account). It seems they have decided to update the API to simply fail.

Because success depends on the resources in the share, I would suggest trying the Disassociate command. However, if this specific error occurs then the accepter should simply be removed from state without error. The owner would then be able to Disassociate the principal successfully.

AWS currently offers no API that would allow the member to Disassociate successfully. In a call with the AWS service team, they indicated they are working on supporting it internally, so trying and passing on this specific error would allow the command to succeed when they do add that support.

Here is the list of impacted resources they gave me. When shared, these will all cause the Disassociate to fail from the member account:

  • ACM PCA
  • CodeBuild (Projects, Report Groups)
  • Image Builder (Components, Images, Image recipes)
  • Network Firewall (firewall policies, Rule groups)
  • AppMesh
  • Route53 resolver query log config
  • Resource Groups (supports only dedicated hosts)
  • Glue (catalogs, databases, tables)
@ghost ghost added service/ec2 Issues and PRs that pertain to the ec2 service. service/ram Issues and PRs that pertain to the ram service. service/route53 Issues and PRs that pertain to the route53 service. service/route53resolver Issues and PRs that pertain to the route53resolver service. service/s3 Issues and PRs that pertain to the s3 service. service/sts Issues and PRs that pertain to the sts service. labels May 11, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label May 11, 2021
@bill-rich bill-rich added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. service/ec2 Issues and PRs that pertain to the ec2 service. service/route53 Issues and PRs that pertain to the route53 service. service/route53resolver Issues and PRs that pertain to the route53resolver service. service/s3 Issues and PRs that pertain to the s3 service. service/sts Issues and PRs that pertain to the sts service. labels May 12, 2021
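The handling proposed above (attempt the Disassociate call, swallow only this specific OperationNotPermittedException, and drop the accepter from state so the owner can remove the principal) sketched in Go. This is an added example, not the provider's code from #19718: it stands in a hand-rolled ramError for the SDK's awserr.Error and a fakeRAM client for ram.RAM, and the share ARN, account IDs and the error text returned by the fake are constructed from the message quoted in this issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ramError stands in for the SDK's awserr.Error (Code()/Message()); an
// assumption of this example, not the provider's or the SDK's type.
type ramError struct {
	Code    string
	Message string
}

func (e *ramError) Error() string { return e.Code + ": " + e.Message }

// ramClient is the single SDK call the accepter's Delete needs.
type ramClient interface {
	DisassociateResourceShare(shareARN, principal string) error
}

// cannotLeaveShare reports whether err is the specific error RAM returns when
// a member tries to leave a share that contains resource types which do not
// support leaving from the member side. Any other error is left alone.
func cannotLeaveShare(err error) bool {
	var re *ramError
	if !errors.As(err, &re) {
		return false
	}
	return re.Code == "OperationNotPermittedException" &&
		strings.Contains(re.Message, "cannot leave resource share")
}

// unsupportedTypes extracts the bracketed resource-type list from the message,
// e.g. "[route53resolver:ResolverQueryLogConfig]" -> one element.
func unsupportedTypes(err error) []string {
	var re *ramError
	if !errors.As(err, &re) {
		return nil
	}
	start, end := strings.Index(re.Message, "["), strings.Index(re.Message, "]")
	if start < 0 || end < start {
		return nil
	}
	var out []string
	for _, t := range strings.Split(re.Message[start+1:end], ",") {
		if t = strings.TrimSpace(t); t != "" {
			out = append(out, t)
		}
	}
	return out
}

// leaveResourceShare is the Delete-side logic: try to disassociate the member;
// on success or on the "cannot leave" error report success (the accepter is
// removed from state either way), returning the blocking types so the caller
// can warn that the share owner must disassociate the principal. Every other
// error is still surfaced.
func leaveResourceShare(c ramClient, shareARN, principal string) (blocked []string, err error) {
	err = c.DisassociateResourceShare(shareARN, principal)
	switch {
	case err == nil:
		return nil, nil
	case cannotLeaveShare(err):
		return unsupportedTypes(err), nil
	default:
		return nil, fmt.Errorf("leaving RAM resource share %s: %w", shareARN, err)
	}
}

// fakeRAM returns a constructed copy of this issue's API error for one share
// and succeeds for any other share.
type fakeRAM struct{ blockedShare string }

func (f fakeRAM) DisassociateResourceShare(shareARN, principal string) error {
	if shareARN != f.blockedShare {
		return nil
	}
	return &ramError{
		Code: "OperationNotPermittedException",
		Message: "You cannot leave resource share " + shareARN +
			". The share contains resources of the following resource types, which don't support this action: [route53resolver:ResolverQueryLogConfig]. Contact the resource share owner to be removed from the share.",
	}
}

func main() {
	const share = "arn:aws:ram:us-east-1:111111111111:resource-share/constructed-example"
	blocked, err := leaveResourceShare(fakeRAM{blockedShare: share}, share, "222222222222")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(blocked) > 0 {
		fmt.Printf("accepter removed from state; owner must disassociate the principal (blocked by %v)\n", blocked)
	} else {
		fmt.Println("left resource share")
	}
}
```

The match is deliberately narrow (error code plus the "cannot leave resource share" phrase): a generic OperationNotPermittedException, or an AccessDeniedException from a missing ram:DisassociateResourceShare permission, must still fail the destroy rather than silently dropping state.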
lorengordon (Contributor, Author) commented:

@bill-rich Wouldn't this be a bug instead of an enhancement? You can't destroy the resource without failing, and it's perfectly reproducible with this config. Though, not sure if bug would raise the priority, so maybe it doesn't matter.

@YakDriver YakDriver self-assigned this May 24, 2021
@YakDriver YakDriver added bug Addresses a defect in current functionality. upstream Addresses functionality related to the cloud provider. labels May 24, 2021
YakDriver (Member) commented:

NOTE: upstream is not meant to indicate we have no role here. upstream here means that we can gracefully handle the newly returned upstream error.

@lorengordon Thanks for the great repro! The detail will help make this easier to fix.

@YakDriver YakDriver added partition/aws-iso Pertains to the aws-iso partition. partition/aws-us-gov Pertains to the aws-us-gov partition. and removed enhancement Requests to existing resources that expand the functionality or scope. labels May 24, 2021
kbalk (Contributor) commented Jun 8, 2021

#19718

@github-actions github-actions bot added this to the v3.49.0 milestone Jul 8, 2021
github-actions bot commented Jul 8, 2021

This functionality has been released in v3.49.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions bot commented Aug 8, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 8, 2021