aws_appmesh_mesh data source not working for shared meshes #21202
Comments
We've got the same issue with the
data "aws_appmesh_virtual_service" "service_name" {
  name       = "service_name.${var.service_discovery_namespace}"
  mesh_name  = var.appmesh_name
  mesh_owner = var.appmesh_owner
}
The error occurs:
Terraform CLI and Terraform AWS Provider Version
It seems there is no way to use
We are facing this even in AWS provider version 4.49 and Terraform version 1.3.7. Seems like the issue is long running? Has anyone found a workaround for this?
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Summary
You cannot use the aws_appmesh_mesh data source with shared meshes. The data source attempts to load tags for the resource based on the ARN; this fails unless the call is coming from the account that owns the mesh. In this scenario it would be better to simply omit the tags and just return the available data.
Terraform CLI and Terraform AWS Provider Version
terraform v1.0.8
provider registry.terraform.io/hashicorp/aws v3.61.0
Affected Resource(s)
Terraform Configuration Files / Steps to Reproduce
To reproduce you need two AWS accounts in the same org: the owner account and the target account.
First create an App Mesh mesh in the owner account and share it with the target account via RAM. You can do this by running the following Terraform in the owner account.
Then in the target account try to use the app mesh data source to access the shared mesh.
Expected Behavior
Data source should be able to load details of the mesh (possibly missing some attributes, like tags).
Actual Behavior
Get an error as per below
Additional Notes
It looks like the AWS provider is using the ListTagsForResource API call under the covers. When I run this using the AWS CLI logged in to the Target Account, I see the following error:
An error occurred (AccessDeniedException) when calling the ListTagsForResource operation: arn:aws:appmesh:eu-west-1:<OWNER_ACCOUNT_ID>:mesh/my-mesh is an invalid ARN. Invalid account id in the ARN provided : <OWNER_ACCOUNT_ID>
This suggests that the API won't support getting the tags from a different account, even if the mesh is shared.
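The read behaviour the summary asks for (return the mesh, omit tags when the tag lookup is denied for a mesh owned by another account), sketched in Go as an added example; this is not the AWS provider's code. `Mesh`, `ReadMesh` and `listTags` are hypothetical names, `listTags` is a constructed stub that models the reported AccessDeniedException rather than calling AWS, and the account IDs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrAccessDenied stands in for the AccessDeniedException quoted in the issue.
var ErrAccessDenied = errors.New("AccessDeniedException")

// Mesh holds what a consumer account can read; Owner mirrors mesh_owner.
type Mesh struct {
	Name, Owner, ARN string
	Tags             map[string]string // nil when tags are not readable
}

// arnAccount returns the account field of arn:partition:service:region:account:resource.
func arnAccount(arn string) string {
	if p := strings.Split(arn, ":"); len(p) >= 6 {
		return p[4]
	}
	return ""
}

// listTags is a constructed stub (not an AWS SDK call): the lookup is refused
// unless the caller's account matches the account in the ARN.
func listTags(caller, arn string) (map[string]string, error) {
	if arnAccount(arn) != caller {
		return nil, fmt.Errorf("%w: invalid account id in the ARN provided", ErrAccessDenied)
	}
	return map[string]string{"env": "prod"}, nil // constructed sample tags
}

// ReadMesh tolerates a denied tag lookup only when the mesh belongs to another
// account (a shared mesh); every other error still fails the read.
func ReadMesh(caller string, m Mesh) (Mesh, error) {
	tags, err := listTags(caller, m.ARN)
	if err != nil && !(errors.Is(err, ErrAccessDenied) && m.Owner != caller) {
		return Mesh{}, err
	}
	m.Tags = tags // nil when the lookup was denied on a shared mesh
	return m, nil
}

func main() {
	shared := Mesh{Name: "my-mesh", Owner: "111111111111", ARN: "arn:aws:appmesh:eu-west-1:111111111111:mesh/my-mesh"}
	got, err := ReadMesh("222222222222", shared) // constructed target account
	fmt.Println(got.Name, got.Tags == nil, err)
}
```

Scoping the tolerance to meshes whose owner differs from the caller keeps a genuine permissions problem in the caller's own account visible instead of silently returning an untagged resource.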