hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Allow cross-account attachment references in aws_globalaccelerator_endpoint_group endpoint configuration #37631

Open auvik-bheesham opened 2 months ago

auvik-bheesham commented 2 months ago

Description

Currently it's not possible to reference a cross-account attachment with AWS Global Accelerator.

Right now, if you were to reference an ALB (for example) which has a cross-account attachment you run into:

2024-05-21T19:35:55.199-0400 [DEBUG] provider.terraform-provider-aws_v5.50.0_x5: HTTP Request Sent: tf_resource_type=aws_globalaccelerator_endpoint_group http.method=POST tf_provider_addr=registry.terraform.io/hashicorp/aws tf_aws.sdk=aws-sdk-go-v2 tf_rpc=ApplyResourceChange http.request.header.content_type=application/x-amz-json-1.1 http.request.header.x_amz_date=20240521T233555Z rpc.system=aws-api tf_req_id=3f2a0b3b-7516-7e60-1fac-2ed781a7b1bb @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.53/logging/tf_logger.go:45
  http.request.body=
  | {"EndpointConfigurations":[{"ClientIPPreservationEnabled":true,"EndpointId":"arn:aws:elasticloadbalancing:us-east-1:REMOTE:loadbalancer/app/.../...","Weight":127}],"EndpointGroupArn":"arn:aws:globalaccelerator::LOCAL:accelerator/.../listener/.../endpoint-group/...","HealthCheckIntervalSeconds":30,"HealthCheckPath":"/","HealthCheckPort":443,"HealthCheckProtocol":"HTTPS","PortOverrides":[],"ThresholdCount":3,"TrafficDialPercentage":100}
   rpc.method=UpdateEndpointGroup http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.8.3 (+https://www.terraform.io) terraform-provider-aws/5.50.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.26.2 os/macos lang/go#1.22.2 md/GOOS#darwin md/GOARCH#arm64 api/globalaccelerator#1.23.3" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************.../20240521/us-west-2/globalaccelerator/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****" http.request.header.x_amz_target=GlobalAccelerator_V20180706.UpdateEndpointGroup http.request.header.amz_sdk_request="attempt=1; max=25" rpc.service="Global Accelerator" http.request.header.amz_sdk_invocation_id=7dff402a-928c-4517-a211-4d0412e384c6 aws.region=us-west-2 http.request.header.x_amz_security_token="*****" http.url=https://globalaccelerator.us-west-2.amazonaws.com/ net.peer.name=globalaccelerator.us-west-2.amazonaws.com tf_aws.signing_region="" @module=aws http.request_content_length=539 tf_mux_provider="*schema.GRPCProviderServer" timestamp=2024-05-21T19:35:55.199-0400
2024-05-21T19:35:55.831-0400 [DEBUG] provider.terraform-provider-aws_v5.50.0_x5: HTTP Response Received:
  http.response.body=
  | {"__type":"InvalidArgumentException","Message":"The cross-account attachment ARN is null or empty for the following cross-account endpoint: arn:aws:elasticloadbalancing:us-east-1:REMOTE:loadbalancer/app/.../..."}

Potentially the cause: AttachmentArn is missing from the AWS API call. Repeating here for convenience:

http.request.body=
  | {"EndpointConfigurations":[{"ClientIPPreservationEnabled":true,"EndpointId":"arn:aws:elasticloadbalancing:us-east-1:REMOTE:loadbalancer/app/.../...","Weight":127}],"EndpointGroupArn":"arn:aws:globalaccelerator::LOCAL:accelerator/.../listener/.../endpoint-group/...","HealthCheckIntervalSeconds":30,"HealthCheckPath":"/","HealthCheckPort":443,"HealthCheckProtocol":"HTTPS","PortOverrides":[],"ThresholdCount":3,"TrafficDialPercentage":100}

(AWS SDK docs for type EndpointConfiguration).

Trying to use this as-is results in the following error:

aws_globalaccelerator_endpoint_group.example: Modifying... [id=arn:aws:globalaccelerator::LOCAL:accelerator/.../listener/.../endpoint-group/...]
╷
│ Error: updating Global Accelerator Endpoint Group (arn:aws:globalaccelerator::LOCAL:accelerator/.../listener/.../endpoint-group/...): operation error Global Accelerator: UpdateEndpointGroup, https response error StatusCode: 400, RequestID: e1990b12-1e36-40f5-b6b4-a9f5e684aa2e, InvalidArgumentException: The cross-account attachment ARN is null or empty for the following cross-account endpoint: arn:aws:elasticloadbalancing:us-east-1:REMOTE:loadbalancer/app/.../...
│ 
│   with aws_globalaccelerator_endpoint_group.example,
│   on accelerator.tf line 34, in resource "aws_globalaccelerator_endpoint_group" "example":
│   34: resource "aws_globalaccelerator_endpoint_group" "example" {

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.50.0"
    }
  }
}

# Assumes a provider alias "aws.local" (the account owning the accelerator)
# and a module "remote" (the account owning the ALB) are declared elsewhere.
resource "aws_globalaccelerator_endpoint_group" "example" {
  provider              = aws.local
  listener_arn          = aws_globalaccelerator_listener.example.id
  health_check_protocol = "HTTPS"
  endpoint_configuration {
    client_ip_preservation_enabled = true
    # ALB in the remote account; the endpoint_configuration block offers no
    # way to pass the cross-account attachment ARN alongside it.
    endpoint_id                    = module.remote.alb.arn # Output: data.aws_lb.alb
    weight                         = 127
  }
}

References

Would you like to implement a fix?

None
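The API error above is the service rejecting an endpoint whose ARN belongs to a different account than the endpoint group's while `AttachmentArn` is absent. The following Go program (an added illustration, not code from the provider or the reporter) reproduces that check client-side and shows how the request body changes once `AttachmentArn` is populated. The `EndpointConfiguration` struct mirrors the field names visible in the logged request body; it is a local stand-in, not the aws-sdk-go-v2 type, and the account ids and ARNs in `main` are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// EndpointConfiguration is a local struct mirroring the field names of the
// Global Accelerator EndpointConfiguration shape seen in the request body
// above (assumption: same JSON names as the real API). AttachmentArn is
// omitempty so that leaving it unset reproduces the logged request exactly.
type EndpointConfiguration struct {
	AttachmentArn               string `json:"AttachmentArn,omitempty"`
	ClientIPPreservationEnabled bool   `json:"ClientIPPreservationEnabled"`
	EndpointId                  string `json:"EndpointId"`
	Weight                      int    `json:"Weight"`
}

// accountFromArn returns the account-id field of an ARN
// (arn:partition:service:region:account:resource), or "" if the value is
// not an ARN. Endpoint ids that are EC2 instance ids or EIP allocation ids
// therefore yield "" and are treated as same-account.
func accountFromArn(arn string) string {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) < 6 || parts[0] != "arn" {
		return ""
	}
	return parts[4]
}

// ValidateCrossAccount applies, before any API call, the rule the service
// enforced in the error above: every endpoint whose ARN carries an account
// other than the endpoint group's account must name an AttachmentArn.
func ValidateCrossAccount(endpointGroupArn string, cfgs []EndpointConfiguration) []error {
	local := accountFromArn(endpointGroupArn)
	var errs []error
	for _, c := range cfgs {
		remote := accountFromArn(c.EndpointId)
		if remote == "" || remote == local {
			continue // same account (or non-ARN endpoint id): no attachment needed
		}
		if c.AttachmentArn == "" {
			errs = append(errs, fmt.Errorf(
				"cross-account endpoint %s (account %s, endpoint group account %s) has no AttachmentArn",
				c.EndpointId, remote, local))
		}
	}
	return errs
}

// RenderBody serialises the endpoint configurations as they would appear in
// the EndpointConfigurations array of the request body.
func RenderBody(cfgs []EndpointConfiguration) (string, error) {
	b, err := json.Marshal(cfgs)
	return string(b), err
}

func main() {
	// Constructed placeholders: account 111111111111 owns the accelerator,
	// account 222222222222 owns the ALB.
	groupArn := "arn:aws:globalaccelerator::111111111111:accelerator/acc/listener/lst/endpoint-group/grp"
	albArn := "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/example/abc123"

	missing := []EndpointConfiguration{{ClientIPPreservationEnabled: true, EndpointId: albArn, Weight: 127}}
	body, _ := RenderBody(missing)
	fmt.Println("as sent today:", body)
	for _, e := range ValidateCrossAccount(groupArn, missing) {
		fmt.Println("rejected:", e)
	}

	fixed := []EndpointConfiguration{{
		AttachmentArn:               "arn:aws:globalaccelerator::222222222222:attachment/example-attachment",
		ClientIPPreservationEnabled: true,
		EndpointId:                  albArn,
		Weight:                      127,
	}}
	body, _ = RenderBody(fixed)
	fmt.Println("with attachment:", body)
	fmt.Println("errors:", len(ValidateCrossAccount(groupArn, fixed)))
}
```

The same-account and non-ARN branches matter in practice: EC2 instance ids and Elastic IP allocation ids are valid `EndpointId` values that carry no account, so a check that blindly demanded an attachment ARN for every endpoint would break configurations that work today.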

github-actions[bot] commented 2 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

pancake62 commented 1 month ago

I've been struggling with this for a couple of months using the awscc variant.

auvik-bheesham commented 4 weeks ago

Yeah, I've noticed awscc has some weirdness with these resources, in particular:

But anyways, I just noticed some related tickets/MRs: