ARN attribute may contain incorrect AWS account ID for shareable resources

[ewbankkit]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

AWS Provider v3.22.0.

Various resources (and data sources) for a number of AWS services include a computed arn resource that is synthesized in the resource's Read code rather than being set from relevant AWS API call's response (as the AWS API response does not include an ARN property). This page is a good starting point for finding the correct ARN format for such resources.
For shareable resources the account ID should be the ID of the AWS account that owns the resource, however in many such cases we are incorrectly setting the account ID field to the ID of the AWS account that is running Terraform. While these two account IDs are equal for resources that are actually created, they will be different for data sources (and resources that adopt resources, such as aws_default_route_table) if Terraform is run in the AWS account that the resource is shared into I.e. NOT the account that the corresponding resource was created in and subsequently shared from).

A typical incorrect pattern is

terraform-provider-aws/aws/data_source_aws_vpc.go

Lines 192 to 199 in 04e3b27

	arn := arn.ARN{
	Partition: meta.(*AWSClient).partition,
	Service: "ec2",
	Region: meta.(*AWSClient).region,
	AccountID: meta.(*AWSClient).accountid,
	Resource: fmt.Sprintf("vpc/%s", d.Id()),
	}.String()
	d.Set("arn", arn)

whereas a correct pattern is:

terraform-provider-aws/aws/data_source_aws_security_group.go

Lines 102 to 109 in 04e3b27

	arn := arn.ARN{
	Partition: meta.(*AWSClient).partition,
	Service: "ec2",
	Region: meta.(*AWSClient).region,
	AccountID: *sg.OwnerId,
	Resource: fmt.Sprintf("security-group/%s", *sg.GroupId),
	}.String()
	d.Set("arn", arn)

(apart from from the raw pointer dereference: #12992).

Affected Resource(s)

• aws_ec2_capacity_reservation

  • Add owner_id
  • Correct arn - can be API response

• aws_licensemanager_license_configuration

  • Add owner_account_id
  • Add arn

• aws_ami (and friends)

  • Add owner_id

• aws_vpc/aws_default_vpc

  • Correct arn

• aws_ec2_carrier_gateway

  • Correct arn

• aws_vpc_dhcp_options

  • Correct arn

• aws_vpc_endpoint

  • Correct arn

• aws_internet_gateway

  • Correct arn

• aws_network_acl/aws_default_network_acl

  • Correct arn

• aws_route_table/aws_default_route_table

  • Correct arn

• aws_ec2_traffic_mirror_session

  • Add owner_id
  • Correct arn

• aws_ec2_traffic_mirror_target

  • Add owner_id
  • Correct arn

Relates: #13624.

[shuheiktgw]

• aws_ec2_capacify_reservation: resource/aws_ec2_capacity_reservation: Fix to set ARN from its response and add owner_id attribute #17129

[shuheiktgw]

• aws_licensemanager_license_configuration: resource/aws_licensemanager_license_configuration: Add arn and owner_account_id attributes #17160

[shuheiktgw]

• aws_ami: resource/aws_ami: Add owner_id attribute #17178

[shuheiktgw]

• aws_vpc: aws_vpc: Correct the ARN account id #17729

[shuheiktgw]

• aws_ec2_carrier_gateway: aws_ec2_carrier_gateway: Correct the ARN account id #17736

[shuheiktgw]

• aws_vpc_dhcp_options: aws_vpc_dhcp_options: Correct the ARN account id #17758

[shuheiktgw]

• aws_vpc_endpoint: aws_vpc_endpoint: Correct the ARN account id #17782

[shuheiktgw]

• aws_internet_gateway: aws_internet_gateway: Correct the ARN account id #17803

[shuheiktgw]

• aws_network_acl/aws_default_network_acl: aws_network_acl: Correct the ARN account id #17834

[shuheiktgw]

• aws_ec2_traffic_mirror_session: resource_aws_ec2_traffic_mirror_session: Correct ARN #17938

[shuheiktgw]

• aws_ec2_traffic_mirror_target: aws_ec2_traffic_mirror_target: Correct arn #17973

The last one! 🎉 Thank you for your review, @ewbankkit!

[breathingdust]

Hi @shuheiktgw! Thanks for all your work on this issue. 🚀 I've been trying to find your contact details, if you had a moment would you be able to email me at the address in my profile? Thank you!

[shuheiktgw]

@breathingdust Sure! I just sent you an email so would you check your inbox?

[ewbankkit]

The final affected resource will be corrected with Terraform AWS Provider v3.35.0.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!