hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Allow ARN as identifier for aws_ec2_tag resource #39445

Open C-Duv opened 2 hours ago

C-Duv commented 2 hours ago

Description

_TL;DR: I have 2 AWS accounts: one creates resources, tags them, then shares them with the other account using AWS RAM, and generates a file containing maps of tags per resource ARN. But aws_ec2_tag does not accept a resource ARN (it needs a resource ID). Please add support for ARN._

I would like to suggest an improvement on how aws_ec2_tag is told which resource to tag. I think it should accept ARN identifiers.

My use-case is:

The Network team, in charge of the AWS infrastructure, creates some resources in their "network" AWS account. They also tag and share them with a second "application" account (for the Application team) using AWS RAM (Resource Access Manager).

Because tags are not shared from one account to another, the Application team needs to (re-)tag those same resources.

So the Network team also generates a (YAML) file using the aws_resourcegroupstaggingapi_resources data source, where each key is the ARN of a resource and the value is a map of the tags applied to said resource:

Example of file:

"arn:aws:ec2:eu-west-1:690910532991:subnet/subnet-000d48157436895af":
  "Acme:Creator:Tool": "Terraform"
  "Acme:For:Client": "Acme"
  "Acme:For:Environment": "Production"
  "Acme:For:Module": "Infrastructure"
  "Acme:For:Project": "Website"
  "Name": "sn-web-zone-a-website_prod"
"arn:aws:ec2:eu-west-3:690910532991:vpc-peering-connection/pcx-63976331eac92878c":
  "Acme:Creator:Tool": "Terraform"
  "Acme:For:Client": "Acme"
  "Acme:For:Environment": "Production"
  "Acme:For:Module": "Infrastructure"
  "Acme:For:Project": "Website"
  "Name": "vpc_peering-website_x_monitoring"

The best (only) way to re-tag those RAM-obtained resources is aws_ec2_tag, but it only accepts IDs, not ARNs.

On the other hand, the aws_resourcegroupstaggingapi data source only exports ARNs, not IDs.

If I try to pass an ARN to aws_ec2_tag as the resource_id argument, it fails with:

aws_ec2_tag.test_tag: Creating...
╷
│ Error: creating ec2 resource (arn:aws:ec2:eu-west-3:690910532991:vpc-peering-connection/pcx-63976331eac92878c) tag (Acme:Creator:Tool): tagging resource (arn:aws:ec2:eu-west-3:690910532991:vpc-peering-connection/pcx-63976331eac92878c): tagging resource (arn:aws:ec2:eu-west-3:690910532991:vpc-peering-connection/pcx-63976331eac92878c): operation error EC2: CreateTags, https response error StatusCode: 400, RequestID: 0532c625-9f36-535d-929f-26cb2feb797f, api error InvalidID: The ID 'arn:aws:ec2:eu-west-3:690910532991:vpc-peering-connection/pcx-63976331eac92878c' is not valid
│ 
│   with aws_ec2_tag.test_tag,
│   on resource-tagger.tf line 24, in resource "aws_ec2_tag" "test_tag":
│   24: resource "aws_ec2_tag" "test_tag" {

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

resource "aws_ec2_tag" "test_tag" {
  resource_arn = "arn:aws:ec2:eu-west-3:690910532991:vpc-peering-connection/pcx-63976331eac92878c"
  key = "Acme:Creator:Tool"
  value = "Terraform"
}

References

No response

Would you like to implement a fix?

None
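As an added example (not part of the issue and not the provider's own code), one way to consume the ARN-keyed YAML file above with the existing resource_id argument: derive each EC2 resource ID from the last path segment of its ARN and fan the tags out with for_each. It assumes the file is named tags.yaml next to the module and that every key is an EC2 ARN of the form arn:aws:ec2:<region>:<account>:<type>/<id>; any other key makes regex() fail the plan instead of silently tagging the wrong thing.

```hcl
# Added example, not from the issue: map ARN-keyed tags onto aws_ec2_tag.
# Assumption: tags.yaml sits beside this module and only holds EC2 ARNs.
locals {
  tags_by_arn = yamldecode(file("${path.module}/tags.yaml"))

  # EC2 ARNs look like arn:aws:ec2:<region>:<account>:<type>/<id>;
  # the single capture group returns the <id> part. A non-matching key
  # makes regex() raise an error, so malformed input stops the plan.
  ec2_id_pattern = "^arn:[^:]+:ec2:[^:]*:[0-9]*:[a-z-]+/([^/]+)$"

  # One flat entry per (resource, tag key) pair; the composite map key
  # keeps for_each addresses stable across runs.
  ec2_tags = merge([
    for arn, tags in local.tags_by_arn : {
      for tag_key, tag_value in tags :
      "${arn}|${tag_key}" => {
        resource_id = regex(local.ec2_id_pattern, arn)[0]
        key         = tag_key
        value       = tag_value
      }
    }
  ]...)
}

resource "aws_ec2_tag" "shared" {
  for_each = local.ec2_tags

  resource_id = each.value.resource_id
  key         = each.value.key
  value       = each.value.value
}
```

aws_ec2_tag calls the EC2 API in the provider's configured region, so ARNs from several regions (eu-west-1 and eu-west-3 in the sample file) need to be split per region and handled with separate provider aliases.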

github-actions[bot] commented 2 hours ago
