Terraform wrongly assumes arn to always be arn:aws (govcloud uses arn:aws-us-gov) #10061

Closed
jc-m opened this issue Nov 11, 2016 · 6 comments · Fixed by #11339

jc-m commented Nov 11, 2016

The following code:

d.Set("arn", fmt.Sprint("arn:aws:s3:::", d.Id()))

wrongly assumes that the arn is always aws. In the govcloud region, it is aws-us-gov.

Terraform Version

Terraform v0.7.8

Affected Resource(s)

- aws_s3_bucket
- maybe others

Terraform Configuration Files

resource "aws_s3_bucket" "test" {
  provider = "aws"
  bucket = "bucket-test"
  region = "us-gov-west-1"
  acl = "private"
}

Debug Output

Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

state show aws_s3_bucket.test with the correct arn:
arn = arn:aws-us-gov:s3:::bucket-test

Actual Behavior

arn = arn:aws:s3:::bucket-test

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

jc-m commented Jan 21, 2017

Just as an update - this also breaks the capability to use kms_key_id in aws_ebs_volume.

I wonder why this issue is ignored - see http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-arns

The assumptions are wrong - this breaks in the govcloud and china regions.

@grubernaut
Contributor

Hi @jc-m, thanks for the issue!

I'll make sure this is prioritized early next week and we'll internally begin to put together a solution for you. Sorry for the delay!


jc-m commented Jan 22, 2017

Hi @grubernaut - sorry for the push - I patched terraform to use a map for the namespaces - but I think it might be useful to have a data source which provides this information in addition to internally changing a few regexps and sprintfs. There are a few other peculiarities in each zone that might be helpful to give visibility into (endpoints is one of them).

@radeksimko
Member

Also, it's not just S3. To address this problem through the provider, I think we'll need to go through all of these:

$ grep -R --exclude=\*_test.go 'arn:aws:' ./builtin/providers/aws/*
./builtin/providers/aws/data_source_aws_billing_service_account.go:	d.Set("arn", "arn:aws:iam::"+billingAccountId+":root")
./builtin/providers/aws/data_source_aws_elb_service_account.go:		d.Set("arn", "arn:aws:iam::"+accid+":root")
./builtin/providers/aws/resource_aws_cloudfront_origin_access_identity.go:	d.Set("iam_arn", fmt.Sprintf("arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity %s", *resp.CloudFrontOriginAccessIdentity.Id))
./builtin/providers/aws/resource_aws_ecs_service.go:	if strings.HasPrefix(d.Get("task_definition").(string), "arn:aws:ecs:") {
./builtin/providers/aws/resource_aws_ecs_service.go:	if strings.HasPrefix(d.Get("cluster").(string), "arn:aws:ecs:") {
./builtin/providers/aws/resource_aws_ecs_service.go:		if strings.HasPrefix(d.Get("iam_role").(string), "arn:aws:iam:") {
./builtin/providers/aws/resource_aws_ecs_service.go:// arn:aws:iam::0123456789:role/EcsService
./builtin/providers/aws/resource_aws_ecs_service.go:// arn:aws:ecs:us-west-2:0123456789:cluster/radek-cluster
./builtin/providers/aws/resource_aws_iam_saml_provider.go:	// arn:aws:iam::123456789012:saml-provider/tf-salesforce-test
./builtin/providers/aws/resource_aws_iam_saml_provider.go:	r := regexp.MustCompile("^arn:aws:iam::[0-9]{12}:saml-provider/(.+)$")
./builtin/providers/aws/resource_aws_lambda_permission.go:var LambdaFunctionRegexp = `^(arn:aws:lambda:)?([a-z]{2}-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?$`
./builtin/providers/aws/resource_aws_lambda_permission.go:	if strings.HasPrefix(d.Get("function_name").(string), "arn:aws:lambda:") {
./builtin/providers/aws/resource_aws_s3_bucket.go:	d.Set("arn", fmt.Sprint("arn:aws:s3:::", d.Id()))
./builtin/providers/aws/resource_aws_sns_topic_policy.go:	// arn:aws:sns:us-west-2:123456789012:test-new
./builtin/providers/aws/resource_aws_sns_topic_policy.go:	re := regexp.MustCompile("^arn:aws:sns:[^:]+:([0-9]{12}):.+")
./builtin/providers/aws/validators.go:	pattern := `^(arn:aws:lambda:)?([a-z]{2}-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?$`
./builtin/providers/aws/validators.go:	pattern := `^arn:aws:([a-zA-Z0-9\-])+:([a-z]{2}-[a-z]+-\d{1})?:(\d{12})?:(.*)$`
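
A partition-aware alternative to the hardcoded `arn:aws:` strings and prefix checks listed above, as an added example; it is not code from the Terraform provider and not the fix merged in #11339. The helper names (`partitionForRegion`, `s3BucketARN`, `parseARN`, `isServiceARN`) are hypothetical, and the partition map covers only the standard, GovCloud and China partitions named in this issue.

```go
package main

import (
	"fmt"
	"strings"
)

// ARN holds the fields of arn:partition:service:region:account-id:resource.
type ARN struct{ Partition, Service, Region, Account, Resource string }

// Partitions named in this issue; assumption: any others are out of scope here.
var knownPartitions = map[string]bool{"aws": true, "aws-us-gov": true, "aws-cn": true}

// partitionForRegion derives the ARN partition from a region name.
func partitionForRegion(region string) string {
	switch {
	case strings.HasPrefix(region, "us-gov-"):
		return "aws-us-gov"
	case strings.HasPrefix(region, "cn-"):
		return "aws-cn"
	}
	return "aws"
}

// s3BucketARN is a hypothetical replacement for fmt.Sprint("arn:aws:s3:::", id).
func s3BucketARN(region, bucket string) string {
	return fmt.Sprintf("arn:%s:s3:::%s", partitionForRegion(region), bucket)
}

// parseARN splits on the first five colons only, so the resource may contain ':'.
func parseARN(s string) (ARN, error) {
	f := strings.SplitN(s, ":", 6)
	if len(f) != 6 || f[0] != "arn" || !knownPartitions[f[1]] || f[2] == "" || f[5] == "" {
		return ARN{}, fmt.Errorf("not a valid ARN: %q", s)
	}
	return ARN{f[1], f[2], f[3], f[4], f[5]}, nil
}

// isServiceARN is a hypothetical replacement for strings.HasPrefix(v, "arn:aws:ecs:").
func isServiceARN(v, service string) bool {
	a, err := parseARN(v)
	return err == nil && a.Service == service
}

func main() {
	// Constructed inputs, using the bucket name and region from the issue.
	fmt.Println(s3BucketARN("us-gov-west-1", "bucket-test"))
	fmt.Println(s3BucketARN("us-east-1", "bucket-test"))
	fmt.Println(isServiceARN("arn:aws-us-gov:ecs:us-gov-west-1:123456789012:cluster/example", "ecs"))
}
```

Parsing the fields instead of matching a literal prefix also sidesteps the region sub-pattern `[a-z]{2}-[a-z]+-\d{1}` in the listed regular expressions, which does not match `us-gov-west-1`.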
