Open ryancausey opened 9 months ago
This is also affecting me. If you use the aws_ram_sharing_with_organization resource to enable RAM sharing on your org, then a subsequent run will result in changes to the aws_organizations_organization resource, e.g.

```
Terraform will perform the following actions:

  # aws_organizations_organization.this will be updated in-place
  ~ resource "aws_organizations_organization" "this" {
      ~ aws_service_access_principals = [
          - "ram.amazonaws.com",
            # (1 unchanged element hidden)
        ]
        id                            = "...hidden"
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

What's funny is I tried to enable RAM sharing by adding "ram.amazonaws.com" as a service access principal to the aws_organizations_organization resource first, but it was not adequate [the RAM console settings page did not show "Enable sharing with AWS Organizations" being checked, and principal associations within the org wouldn't work]. So I stumbled upon this aws_ram_sharing_with_organization resource and it worked, but it creates this cycle.

I suspect this has to do with the warning on the organizations_organization resource page: "We recommend that you enable integration between AWS Organizations and the specified AWS service by using the console or commands that are provided by the specified service...."

I'm using 5.39.1 of the AWS provider.

As a workaround I add "ram.amazonaws.com" to the service access principals after applying the aws_ram_sharing_with_organization resource, which is manual and kills the ability to automate the bootstrapping of an org. I guess I could also use an ignore_changes lifecycle on aws_service_access_principals, but that has its own drawbacks.

Please advise/clarify re: proper usage of aws_ram_sharing_with_organization.
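The two workarounds described in the comment above, written out as an added example. This is not configuration posted in the issue or shipped by the provider; the resource names (`this`), the region, the `feature_set` value and the second service principal are assumptions made for illustration.

```hcl
# Added example, not from the issue or the provider. Resource names, region
# and the extra principal are assumptions.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.32"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# Workaround 1: keep "ram.amazonaws.com" in the organization's principal list
# AND declare aws_ram_sharing_with_organization, ordered after the organization.
# The comment above reports that the list entry alone did not enable RAM
# sharing, so the RAM resource is still needed; listing the principal here is
# what keeps the next plan from trying to remove it again.
resource "aws_organizations_organization" "this" {
  # Service access principals require the ALL feature set.
  feature_set = "ALL"

  aws_service_access_principals = [
    "ram.amazonaws.com",
    "sso.amazonaws.com", # assumption: any other principal you already manage
  ]

  # Workaround 2 (alternative to listing the principal above): stop Terraform
  # from managing the list at all. Drawback: principals enabled or disabled
  # outside Terraform, for ANY service, are no longer reconciled.
  # lifecycle {
  #   ignore_changes = [aws_service_access_principals]
  # }
}

# The resource takes no arguments; depends_on only fixes the apply order so the
# organization exists before RAM sharing is enabled on it.
resource "aws_ram_sharing_with_organization" "this" {
  depends_on = [aws_organizations_organization.this]
}
```

After `terraform apply`, confirm the principal is actually enabled with `aws organizations list-aws-service-access-for-organization` (ram.amazonaws.com should appear in the output) and then run `terraform plan` a second time; the bug in this issue shows up as a non-empty plan on that second run. If you pick workaround 2, note that `ignore_changes` covers the whole list, so a principal someone enables in the console for an unrelated service will stay enabled without Terraform ever reporting drift.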
Same for the aws_servicecatalog_organizations_access resource.
@justinretzolk
In my opinion, the AWS provider should separate a new resource for trusted access management from the aws_organizations_organization resource (something like aws_organizations_organization_trusted_access_service_principal).
The AWS API (aws CLI) also separates the create-organization and enable-aws-service-access functions.
Terraform Core Version
v1.5.7
AWS Provider Version
v5.32.0
Affected Resource(s)
Expected Behavior
The aws_organizations_organization resource should not continuously try to remove the service principals added by the aws_ram_sharing_with_organization resource.
Actual Behavior
The aws_organizations_organization resource continuously removes the service principals added by the aws_ram_sharing_with_organization resource on one plan/apply cycle. Then, on the next plan/apply cycle, the aws_ram_sharing_with_organization resource is re-created. This starts the cycle anew.
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
Steps to Reproduce
aws_organizations_organization resource report that it needs to remove the ram.amazonaws.com value from the aws_service_access_principals attribute.
Debug Output
No response
Panic Output
No response
Important Factoids
The aws_ram_sharing_with_organization docs specifically say:
References
No response
Would you like to implement a fix?
None