hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_datasync_location_efs ARN fails regex? #29488

Open bitstrike opened 1 year ago

bitstrike commented 1 year ago

Terraform Core Version

1.3.9

AWS Provider Version

4.45.0

Affected Resource(s)

I'm trying to create aws_datasync_location_efs but receive the error below[1] ('efsFilesystemArn' failed to satisfy constraint). The Value output in the error message appears to be missing the AWS account ID. I don't know if this is done for security, or if this is a bug in plain sight.

As shown in the example code, I've tried using the file_system_arn of my_target1; however, the error is the same. My last resort was to see if a data statement on my_target1 may work, but it generates the same error.

I've not been using TF long, but I'm bleary-eyed from wrestling with this. Apologies if this is user error. I'm certainly stumped and the error seems to be saying the regex and ARN do not agree. Both of which are generated/used by the module.

efs.tf bits: filesystem

resource "aws_efs_file_system" "my_efs" {
   creation_token           = "${var.my_project}-efs"
   encrypted                = true
   kms_key_id               = data.aws_kms_key.my_kms_key.arn
   performance_mode         = "generalPurpose"
   throughput_mode          = "bursting"
}

mount target 1 (target 2 is defined the same)

resource "aws_efs_mount_target" "my_target1" {
   file_system_id  = aws_efs_file_system.my_efs.id
   subnet_id       = module.vpc.private_subnets[0]
   security_groups = [aws_security_group.my_efs-sg.id]
}

last resort data statement:

data "aws_efs_mount_target" "by_id" {
  mount_target_id = aws_efs_mount_target.my_target1.id
}

datasync location:

resource "aws_datasync_location_efs" "example" {
  efs_file_system_arn   = data.aws_efs_mount_target.by_id.file_system_arn

  ec2_config {
    security_group_arns = [aws_security_group.my_efs-sg.arn]
    subnet_arn          = module.vpc.private_subnet_arns[0]
  }
}

[1]

Error: creating DataSync Location EFS: ValidationException: 1 validation error detected: Value 'arn:aws:elasticfilesystem:us-east-1::file-system/fs-092f027800bf84a67' at 'efsFilesystemArn' failed to satisfy constraint: Member must satisfy regular expression pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):elasticfilesystem:[a-z\-0-9]+:[0-9]{12}:file-system/fs-[0-9a-f]{8,40}$
status code: 400, request id: 1296afac-5125-4b7a-9b9e-d73820a6ce45
with aws_datasync_location_efs.example,
on efs.tf line 78, in resource "aws_datasync_location_efs" "example":
 78: resource "aws_datasync_location_efs" "example" {

Expected Behavior

aws_datasync_location_efs should have been created

Actual Behavior

Error generated about regex filtering on the filesystem ARN

Relevant Error/Panic Output Snippet

│ Error: creating DataSync Location EFS: ValidationException: 1 validation error detected: Value 'arn:aws:elasticfilesystem:us-east-1::file-system/fs-092f027800bf84a67' at 'efsFilesystemArn' failed to satisfy constraint: Member must satisfy regular expression pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):elasticfilesystem:[a-z\-0-9]+:[0-9]{12}:file-system/fs-[0-9a-f]{8,40}$
│       status code: 400, request id: 1296afac-5125-4b7a-9b9e-d73820a6ce45
│
│   with aws_datasync_location_efs.example,
│   on efs.tf line 78, in resource "aws_datasync_location_efs" "example":
│   78: resource "aws_datasync_location_efs" "example" {

Terraform Configuration Files

# EFS filesystem for container to mount /mnt/something 
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system_policy
# create EFS for website files - (TODO: DataSync from S3 bucket)
resource "aws_efs_file_system" "my_efs" {
   creation_token           = "${var.my_project}-efs"
   encrypted                = true
   kms_key_id               = data.aws_kms_key.my_kms_key.arn
   performance_mode         = "generalPurpose"
   throughput_mode          = "bursting"

   tags = {
      Name                  = "${var.my_project}-efs"
      project               = "${var.my_project}"
      environment           = "${var.my_environment}"
   }
}

resource "aws_efs_file_system_policy" "my_policy" {
  file_system_id                      = aws_efs_file_system.my_efs.id
  bypass_policy_lockout_safety_check  = true

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Id": "${var.my_project}-efs-pol",
    "Statement": [
      {
        "Sid"       : "${var.my_project}-efs-pol-sid",
        "Effect"    : "Allow",
        "Principal" : {
                          "AWS" : "*"
        },
        "Action"    : [
                          "elasticfilesystem:ClientMount",
                          "elasticfilesystem:ClientWrite",
                          "elasticfilesystem:ClientRootAccess",
                          "elasticfilesystem:DescribeMountTargets"                        
        ],
        "Resource"  : "${aws_efs_file_system.my_efs.arn}",
        "Condition" : {
                        "Bool": {
                          "aws:SecureTransport"                     : "true",
                          "elasticfilesystem:AccessedViaMountTarget": "true"
                         }
        }
      }
    ]
}
POLICY

# no tags
}

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target#security_groups
# TODO: loop over subnets??
resource "aws_efs_mount_target" "my_target1" {
   file_system_id  = aws_efs_file_system.my_efs.id
   subnet_id       = module.vpc.private_subnets[0]
   security_groups = [aws_security_group.my_efs-sg.id]
   # no tags
}
resource "aws_efs_mount_target" "my_target2" {
   file_system_id  = aws_efs_file_system.my_efs.id
   subnet_id       = module.vpc.private_subnets[1]
   security_groups = [aws_security_group.my_efs-sg.id]
   # no tags
}

data "aws_efs_mount_target" "by_id" {
  mount_target_id = aws_efs_mount_target.my_target1.id
}

/* something wacky using file_system_arn 
Error: creating DataSync Location EFS: ValidationException: 1 validation error detected: Value 'arn:aws:elasticfilesystem:us-east-1::file-system/fs-0d5b67a50ea988fb6' at 'efsFilesystemArn' failed to satisfy constraint: Member must satisfy regular expression pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):elasticfilesystem:[a-z-0-9]+:[0-9]{12}:file-system/fs-[0-9a-f]{8,40}$ status code: 400, request id: e5f906d9-068b-4250-a9d7-63dd5dc813d1 with aws_datasync_location_efs.example, on efs.tf line 71, in resource "aws_datasync_location_efs" "example": 71: resource "aws_datasync_location_efs" "example" {
*/
resource "aws_datasync_location_efs" "example" {
  efs_file_system_arn   = data.aws_efs_mount_target.by_id.file_system_arn

  ec2_config {
    security_group_arns = [aws_security_group.my_efs-sg.arn]
    subnet_arn          = module.vpc.private_subnet_arns[0]
  }
}

Steps to Reproduce

terraform apply

Debug Output

tf_debug.json.zip

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
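
The mismatch reported above can be reproduced offline by running the ARN through the pattern quoted in the ValidationException. This is an added example, not code from the provider or from the issue author; `diagnoseEFSArn` is a hypothetical helper and the account ID `123456789012` is a constructed sample value.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern copied verbatim from the ValidationException quoted in the issue.
var efsArnPattern = regexp.MustCompile(
	`^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):elasticfilesystem:[a-z\-0-9]+:[0-9]{12}:file-system/fs-[0-9a-f]{8,40}$`)

var twelveDigits = regexp.MustCompile(`^[0-9]{12}$`)

// diagnoseEFSArn is a hypothetical helper: it returns "" when the ARN
// satisfies the pattern, otherwise a short reason naming the failing field.
func diagnoseEFSArn(arn string) string {
	if efsArnPattern.MatchString(arn) {
		return ""
	}
	// ARN layout: arn:partition:service:region:account-id:resource
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return "not a six-field ARN"
	}
	switch {
	case parts[2] != "elasticfilesystem":
		return "service is " + parts[2] + ", want elasticfilesystem"
	case parts[4] == "":
		return "account ID field is empty"
	case !twelveDigits.MatchString(parts[4]):
		return "account ID is not 12 digits"
	case !strings.HasPrefix(parts[5], "file-system/fs-"):
		return "resource is not file-system/fs-<id>"
	}
	return "partition, region or file system ID is malformed"
}

func main() {
	samples := []string{
		// Value from the error message in the issue (account field is empty).
		"arn:aws:elasticfilesystem:us-east-1::file-system/fs-092f027800bf84a67",
		// Constructed sample with a placeholder 12-digit account ID.
		"arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-092f027800bf84a67",
	}
	for _, arn := range samples {
		fmt.Printf("%q -> %q\n", arn, diagnoseEFSArn(arn))
	}
}
```
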
