Unable to create resource due aws_ssm_parameter in output value for arn missed account_id #10274

Closed
ghost opened this issue Sep 27, 2019 · 1 comment · Fixed by #16618
Labels: bug (Addresses a defect in current functionality.), service/ssm (Issues and PRs that pertain to the ssm service.)

Comments


ghost commented Sep 27, 2019

This issue was originally opened by @KursLabIgor as hashicorp/terraform#22926. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.12.9
+ provider.archive v1.2.2
+ provider.aws v2.30.0
+ provider.cloudflare v1.18.1
+ provider.github v2.2.1
+ provider.local v1.3.0
+ provider.null v2.1.2
+ provider.postgresql v1.2.0
+ provider.random v2.2.1
+ provider.template v2.1.2

Terraform Configuration Files

Module rds, where secret.tf is located:

```hcl
resource "aws_ssm_parameter" "this_secret_readwrite" {
  name        = "/${replace(local.env_prefix, "-", "/")}/database/password/readwrite"
  description = "Parameter for database ${local.env_prefix} user"
  type        = "SecureString"
  value       = random_string.db_readwrite_pass.result
  tags        = merge(var.common_tags, local.secret)
}

output "this_ssm_readwrite_arn" {
  value = aws_ssm_parameter.this_secret_readwrite.arn
}
```

main.tf:

```hcl
module "api_microservice" {
  source = "./modules/microservice"
  // code before
  secrets = [
    {
      name = "DB_PASSWORD", valueFrom = module.rds2_api_service.this_ssm_readwrite_arn
    },
    {
      name = "BROKER_PASS", valueFrom = module.rabbitmq_instance.ssm_parameter_arn_rabbitmq_admin_pass
    }
  ]
  // code after
}
```

Debug Output

```text
2019/09/27 14:10:02 [ERROR] module.api_microservice: eval: *terraform.EvalSequence, err: ClientException: The Systems Manager parameter ARN specified for secret DB_PASSWORD has a different account ID than the current account. The current account ID is XXXXXXXXX and the ARN account ID is . Cross-account access for ARNs is not currently supported.
        status code: 400, request id: fb14d105-54aa-4bdb-9ab3-1f8725af83c1
2019/09/27 14:10:02 [TRACE] [walkApply] Exiting eval tree: module.api_microservice.aws_ecs_task_definition.this_task_definition
```

Crash Output

no

Expected Behavior

The configuration is the same as for Terraform 0.11, but for 0.12 it doesn't work.
The SSM_PARAMETER ARN should look like:

```text
arn:aws:ssm:region:aws_account_id:parameter/parameter_name
```

Actual Behavior

```text
Error: ClientException: The Systems Manager parameter ARN specified for secret BROKER_PASS has a different account ID than the current account. The current account ID is XXXXXXXX and the ARN account ID is . Cross-account access for ARNs is not currently supported.
        status code: 400, request id: 97198d39-6f8f-42d8-b775-1fb555009b62

  on modules/microservice/task_definition.tf line 7, in resource "aws_ecs_task_definition" "this_task_definition":
   7: resource "aws_ecs_task_definition" "this_task_definition" {
```

It seems that the account ID in the ARN is empty.
During plan I see an ARN like:

```text
+ secrets           = [
                      + {
                          + name      = "DB_PASSWORD"
                          + valueFrom = "arn:aws:ssm:us-west-2::parameter/x/x/api/database/password/readwrite"
                        },
                      + {
                          + name      = "BROKER_PASS"
                          + valueFrom = "arn:aws:ssm:us-west-2::parameter/x/x/rabbitmq/admin/pass"
                        },
                    ]
```

Actual ARN:

```text
arn:aws:ssm:region::parameter/parameter_name
```

account_id is missing.

Steps to Reproduce

  1. create SSM resource
  2. add arn as output value
  3. Inspect arn

Additional Context

See the AWS docs, secrets section:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_security
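An added check, not from the issue or from the provider, that does step 3 of the reproduction ("inspect arn") programmatically: it splits an ARN into its fields and flags the empty account_id that ECS rejects. The two sample ARNs are the valueFrom strings from the plan output above; the function names are mine.

```python
# Added example: sanity-check SSM parameter ARNs before they reach an ECS task
# definition. Flags the empty account_id field that produces the
# "The ARN account ID is ." ClientException in this issue.
# Function names are hypothetical, not terraform-provider-aws code.
from typing import NamedTuple, Optional


class ArnParts(NamedTuple):
    partition: str
    service: str
    region: str
    account_id: str
    resource: str


def parse_arn(arn: str) -> Optional[ArnParts]:
    """Split "arn:partition:service:region:account-id:resource".

    The resource part may contain further colons or slashes, so split at most
    five times. Returns None when the string is not an ARN at all.
    """
    fields = arn.split(":", 5)
    if len(fields) != 6 or fields[0] != "arn":
        return None
    return ArnParts(*fields[1:])


def ssm_arn_problems(arn: str) -> list:
    """Return the defects that would make ECS reject this ARN as a secret source."""
    parts = parse_arn(arn)
    if parts is None:
        return ["not an ARN"]
    problems = []
    if parts.service != "ssm":
        problems.append(f"service is {parts.service!r}, expected 'ssm'")
    if not parts.region:
        problems.append("region is empty")
    # AWS account IDs are always 12 digits; an empty field is the bug seen here.
    if not parts.account_id.isdigit() or len(parts.account_id) != 12:
        problems.append(f"account_id is {parts.account_id!r}, expected a 12-digit account id")
    if not parts.resource.startswith("parameter/"):
        problems.append("resource does not start with 'parameter/'")
    return problems


def expected_ssm_arn(region: str, account_id: str, name: str) -> str:
    """Build the form the issue expects: arn:aws:ssm:region:account_id:parameter/name."""
    return f"arn:aws:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"


# The two valueFrom strings copied from the plan output in this issue.
PLANNED_ARNS = [
    "arn:aws:ssm:us-west-2::parameter/x/x/api/database/password/readwrite",
    "arn:aws:ssm:us-west-2::parameter/x/x/rabbitmq/admin/pass",
]

if __name__ == "__main__":
    for planned in PLANNED_ARNS:
        print(planned, "->", ssm_arn_problems(planned) or "ok")
```

Running it over a `terraform show -json` plan output instead of the inline list is a one-line change: collect every `valueFrom` under `secrets` and feed each to `ssm_arn_problems`.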

References

@ghost ghost added service/ecs Issues and PRs that pertain to the ecs service. service/ssm Issues and PRs that pertain to the ssm service. labels Sep 27, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 27, 2019
@bflad bflad added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. service/ecs Issues and PRs that pertain to the ecs service. labels Feb 12, 2021
@bflad bflad self-assigned this Feb 12, 2021
@bflad bflad linked a pull request Feb 12, 2021 that will close this issue

ghost commented Mar 14, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 14, 2021