aws-samples / service-catalog-engine-for-terraform-os

Apache License 2.0

Error: Provider configuration not present. #51

Open alienvera opened 1 year ago

alienvera commented 1 year ago

While using an AWS provider alias for cross-account resource creation with assume role, the product gets built successfully. However, when terminating the product, it will drop the error asking to re-add the second provider alias, leaving the resources orphaned.

Error: Provider configuration not present
To work with aws_ec2_transit_gateway_route.spoke_to_vpn_route (orphan) its
original provider configuration at
provider["registry.terraform.io/hashicorp/aws"].network_account is required,
but it has been removed. This occurs when a provider configuration is removed
while objects created by that provider still exist in the state. Re-add the
provider configuration to destroy

Is this part of the limitation, or could there be a way around it?

smaly-amazon commented 1 year ago

Hi @alienvera,

Thanks for bringing this up. Yes, the engine has a limitation that only the provider "aws" is supported.

When Service Catalog sends a Terminate message to the engine, it does not include the artifact download URI and parameters from the previous operation. So the engine generates the provider override file using the "aws" provider, but it doesn't have the configuration files to also get other providers.

This isn't explained in the Readme. We can add it.

Also, we can discuss this case with the Service Catalog team. The engine could be updated to persist the configuration and parameters from the previous operation, or Service Catalog could be updated to include these in Terminate messages.

alienvera commented 1 year ago

Thank you very much for the reply. We are just using the "aws" provider across the board, but what you just described makes total sense. If the engine could be updated to extend this functionality, it would be great, especially for cross-account resource creation using multiple aws providers with aliases.

wellsiau-aws commented 1 year ago

@alienvera, if you don't mind sharing the high-level use case for a Service Catalog product that requires cross-account access. I can think of 1-2 examples, but I'd love to hear direct customer feedback about your use case.

alienvera commented 1 year ago

@wellsiau-aws The use case is a hub and spoke architecture with a Network and shared services account doing outbound/inbound traffic inspection for many accounts' VPCs through a transit GW. The spoke account VPC Terraform code needs to build all of the network constructs but also update the TGW route tables in the hub account. We do this by using a provider alias with assume role.

frankbranham commented 1 year ago

I have a different use case. I need to create a Bitbucket repo as part of a catalog entry. It would be nice to have access to the Terraform BB provider to do that instead of hacking it with a Lambda.

stevemckenney commented 1 year ago

Just spent the last two days trying to work around this as well.

Our use case is deploying an ALB with a certificate for a web redirect. Our Route53 zones are in another account, so we need to provide an alias with that information so the ACM cert can create the needed domain verification records AND to create the needed records for the redirect in DNS/Route53.

In my testing so far I have verified that trying to do a destroy with the artifact in place (as in an apply) validates the providers successfully. I'm currently attempting to hard code this in the write_provider_override section of override_manager.py so I can test it within the actual Service Catalog workflow.

juliennowak commented 3 months ago

My workaround for this issue was to automatically create a providers.tf file containing the aliased providers' configuration in the workspace directory.

In override_manager.py:

def write_additional_providers(workspace_dir):
    # Aliased provider block with a hard-coded role; the account id is a placeholder.
    # A plain (non-f) string is used, so the braces need no escaping.
    providers = """provider "aws" {
  alias  = "provider_alias"
  region = "eu-central-1"

  assume_role {
    role_arn     = "arn:aws:iam::xxxxxxxxxxxx:role/external-role"
    session_name = "session_name"
  }
}
"""
    # Written into the workspace so that both apply and destroy see the alias.
    with open(f"{workspace_dir}/providers.tf", "w") as tf_file:
        tf_file.write(providers)

This file must be created before the override files for both the creation and deletion phases. So, I've updated the main.py file accordingly:

try:
    __set_environment_variables(args)

    workspace_dir = __setup_workspace(workspace_manager)
    write_additional_providers(workspace_dir)  # Call added here
    __write_common_overrides(workspace_dir, args)

    # Perform the action
    if args.action == APPLY_ACTION:
        __perform_apply(command_manager, workspace_dir, args)
    elif args.action == DESTROY_ACTION:
        __perform_destroy(command_manager)
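As an added example (not code from this issue or from the engine itself), a generalized form of the providers.tf writer described in the workaround above: it renders any number of aliased "aws" providers from a list instead of one hard-coded block, and checks each value against the shape AWS and Terraform accept before it is rendered into HCL, so a product parameter cannot smuggle extra provider configuration into the file. The function names, the placeholder account id and the alias names are assumptions made for this example.

```python
import re
from pathlib import Path

# Each value is checked against the shape AWS/Terraform accepts so that a product
# parameter can never inject extra HCL into the generated provider block.
_PATTERNS = {
    "alias": r"[A-Za-z_][A-Za-z0-9_-]*",
    "region": r"[a-z]{2}(-[a-z]+)+-\d",
    "role_arn": r"arn:aws(-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+",
    "session_name": r"[\w+=,.@-]{2,64}",
}

def is_valid_field(name, value):
    """True when value matches the allowed shape for the given field."""
    return re.fullmatch(_PATTERNS[name], value) is not None

def render_aliased_provider(alias, region, role_arn, session_name):
    """Render one aliased "aws" provider block that assumes a cross-account role."""
    fields = {"alias": alias, "region": region,
              "role_arn": role_arn, "session_name": session_name}
    for name, value in fields.items():
        if not is_valid_field(name, value):
            raise ValueError(f"invalid {name} for provider alias {alias!r}: {value!r}")
    return (
        'provider "aws" {\n'
        f'  alias  = "{alias}"\n'
        f'  region = "{region}"\n'
        "\n"
        "  assume_role {\n"
        f'    role_arn     = "{role_arn}"\n'
        f'    session_name = "{session_name}"\n'
        "  }\n"
        "}\n"
    )

def render_providers_tf(providers):
    """Join all aliased provider blocks into the contents of providers.tf."""
    return "\n".join(render_aliased_provider(**p) for p in providers)

def write_additional_providers(workspace_dir, providers):
    """Write providers.tf into the workspace before the override files, for apply and destroy."""
    path = Path(workspace_dir) / "providers.tf"
    path.write_text(render_providers_tf(providers))
    return path

# Constructed sample input; the account id is a placeholder, not a real account.
EXAMPLE = {"alias": "network_account", "region": "eu-central-1",
           "role_arn": "arn:aws:iam::111111111111:role/external-role",
           "session_name": "service-catalog-engine"}
```

Calling write_additional_providers(workspace_dir, [EXAMPLE]) from main.py at the point shown above keeps the apply and destroy phases in sync, since the file is regenerated from the same list on every run.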