hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_organizations_organization continuous change when used with aws_ram_sharing_with_organization #35295

Open ryancausey opened 9 months ago

ryancausey commented 9 months ago

Terraform Core Version

v1.5.7

AWS Provider Version

v5.32.0

Affected Resource(s)

Expected Behavior

The aws_organizations_organization resource should not continuously try to remove the service principals added by the aws_ram_sharing_with_organization resource.

Actual Behavior

The aws_organizations_organization resource continuously removes the service principals added by the aws_ram_sharing_with_organization resource on one plan/apply cycle. Then, on the next plan/apply cycle, the aws_ram_sharing_with_organization resource is re-created. This starts the cycle anew.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

# This is the organization under which all the AWS accounts reside.
resource "aws_organizations_organization" "test" {
  enabled_policy_types = ["AISERVICES_OPT_OUT_POLICY"]
}

# We need this to turn on AWS RAM sharing with AWS organizations.
resource "aws_ram_sharing_with_organization" "enable_ram_sharing_in_org" {}

Steps to Reproduce

  1. plan and apply the above minimal set of resources needed to reproduce the issue
  2. plan a second time and see the aws_organizations_organization resource report that it needs to remove the ram.amazonaws.com value from the aws_service_access_principals attribute.

Debug Output

No response

Panic Output

No response

Important Factoids

The aws_ram_sharing_with_organization docs specifically say:

NOTE:

Use this resource to manage resource sharing within your organization, not the aws_organizations_organization resource with ram.amazonaws.com configured in aws_service_access_principals.

References

No response

Would you like to implement a fix?

None


briceburg commented 7 months ago

This is also affecting me. If you use the aws_ram_sharing_with_organization to enable RAM sharing on your org, then a subsequent run will result in changes to the aws_organizations_organization resource, e.g.

Terraform will perform the following actions:

  # aws_organizations_organization.this will be updated in-place
  ~ resource "aws_organizations_organization" "this" {
      ~ aws_service_access_principals = [
          - "ram.amazonaws.com",
            # (1 unchanged element hidden)
        ]
        id                            = "...hidden"
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

what's funny is I tried to enable RAM sharing by adding "ram.amazonaws.com" as a service access principal to the aws_organizations_organization first, but it was not adequate [the RAM console settings page did not show "Enable sharing with AWS Organizations" being checked, and principal associations within the org wouldn't work]. So I stumbled upon this aws_ram_sharing_with_organization and it worked, but it creates this cycle.

I suspect this has to do with the warning on the organizations_organization resource page: "We recommend that you enable integration between AWS Organizations and the specified AWS service by using the console or commands that are provided by the specified service...."

I'm using 5.39.1 of the AWS provider.

workaround

as a workaround I add "ram.amazonaws.com" to the service access principals after applying the aws_ram_sharing_with_organization resource, which is manual and kills the ability to automate the bootstrapping of an org. I guess I could also use an ignore_changes lifecycle on aws_service_access_principals, but that has its own drawbacks.

please advise/clarify re: proper usage of aws_ram_sharing_with_organization

posquit0 commented 6 months ago

Same for aws_servicecatalog_organizations_access resource.

posquit0 commented 6 months ago

@justinretzolk In my opinion, AWS provider should separate a new resource for trusted access management from the aws_organizations_organization resource. (something like aws_organizations_organization_trusted_access_service_principal)

The AWS API (aws CLI) also separates the create-organization and enable-aws-service-access functions.
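As an added example (not code from this thread or from the provider), here is a guard a CI pipeline could run over `terraform show -json` output to catch the plan briceburg posted above, and the equivalent Service Catalog case posquit0 mentions, before an apply silently disables trusted access for that service. The mapping of principals to their dedicated resources and the sample plan are constructed for this example.

```python
"""Flag Terraform plans that would drop trusted-access service principals from
aws_organizations_organization, the drift cycle described in this issue.
Input is the JSON written by `terraform show -json tfplan`."""
import json
# Principals whose trusted access is normally managed by a dedicated resource;
# dropping one of these from the organization is almost always this drift cycle.
DEDICATED_RESOURCE_PRINCIPALS = {
    "ram.amazonaws.com": "aws_ram_sharing_with_organization",
    "servicecatalog.amazonaws.com": "aws_servicecatalog_organizations_access",
}


def removed_service_principals(plan):
    """Return [(address, principal, managing_resource_or_None)] for each planned
    in-place update that removes an entry from aws_service_access_principals."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_organizations_organization":
            continue
        change = rc.get("change", {})
        if "update" not in change.get("actions", []):
            continue
        before = (change.get("before") or {}).get("aws_service_access_principals") or []
        after = (change.get("after") or {}).get("aws_service_access_principals") or []
        for principal in sorted(set(before) - set(after)):
            findings.append((rc["address"], principal,
                             DEDICATED_RESOURCE_PRINCIPALS.get(principal)))
    return findings


def scan_plan_json(text):
    """Parse plan JSON text and return the findings; an empty list means no drift."""
    return removed_service_principals(json.loads(text))


# Constructed sample mirroring the plan posted in this thread: ram.amazonaws.com
# removed, one other principal unchanged. Not real account data.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [{
        "address": "aws_organizations_organization.this",
        "type": "aws_organizations_organization",
        "change": {
            "actions": ["update"],
            "before": {"aws_service_access_principals": ["ram.amazonaws.com", "sso.amazonaws.com"]},
            "after": {"aws_service_access_principals": ["sso.amazonaws.com"]},
        },
    }],
})

if __name__ == "__main__":
    for address, principal, managed_by in scan_plan_json(SAMPLE_PLAN):
        print(f"WARNING: {address} drops {principal} (normally managed by {managed_by})")
```

Failing the pipeline when the list is non-empty keeps the apply from toggling trusted access off, which the next run of the dedicated resource would otherwise silently toggle back on.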