hashicorp · ewbankkit · Oct 1, 2024 · May 3, 2024 · Sep 26, 2024 · Sep 26, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_globalaccelerator_endpoint_group: Add attachment_arn as a new (optional) field inside endpoint_configuration
+```
@@ -5,10 +5,13 @@ package globalaccelerator
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"log"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	"github.com/aws/aws-sdk-go-v2/service/globalaccelerator"
 	awstypes "github.com/aws/aws-sdk-go-v2/service/globalaccelerator/types"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -68,6 +71,11 @@ func resourceEndpointGroup() *schema.Resource {
 							Optional:     true,
 							ValidateFunc: validation.IntBetween(0, 255),
 						},
+						"attachment_arn": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: validation.StringLenBetween(1, 255),
+						},
 					},
 				},
 			},
@@ -230,8 +238,13 @@ func resourceEndpointGroupRead(ctx context.Context, d *schema.ResourceData, meta
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
+	crossAccountResources, err := getCrossAccountAttachementsFromResources(ctx, conn, endpointGroup.EndpointDescriptions)
+	if err != nil {
+		return sdkdiag.AppendFromErr(diags, err)
+	}
+
 	d.Set(names.AttrARN, endpointGroup.EndpointGroupArn)
-	if err := d.Set("endpoint_configuration", flattenEndpointDescriptions(endpointGroup.EndpointDescriptions)); err != nil {
+	if err := d.Set("endpoint_configuration", flattenEndpointDescriptions(endpointGroup.EndpointDescriptions, crossAccountResources)); err != nil {
 		return sdkdiag.AppendErrorf(diags, "setting endpoint_configuration: %s", err)
 	}
 	d.Set("endpoint_group_region", endpointGroup.EndpointGroupRegion)
@@ -384,6 +397,10 @@ func expandEndpointConfiguration(tfMap map[string]interface{}) *awstypes.Endpoin
 		apiObject.Weight = aws.Int32(int32(v))
 	}
 
+	if v, ok := tfMap["attachment_arn"].(string); ok && v != "" {
+		apiObject.AttachmentArn = aws.String(v)
+	}
+
 	return apiObject
 }
 
@@ -457,7 +474,7 @@ func expandPortOverrides(tfList []interface{}) []awstypes.PortOverride {
 	return apiObjects
 }
 
-func flattenEndpointDescription(apiObject *awstypes.EndpointDescription) map[string]interface{} {
+func flattenEndpointDescription(apiObject *awstypes.EndpointDescription, crossAccountResources map[string]string) map[string]interface{} {
 	if apiObject == nil {
 		return nil
 	}
@@ -469,7 +486,11 @@ func flattenEndpointDescription(apiObject *awstypes.EndpointDescription) map[str
 	}
 
 	if v := apiObject.EndpointId; v != nil {
-		tfMap["endpoint_id"] = aws.ToString(v)
+		endpointId := aws.ToString(v)
+		tfMap["endpoint_id"] = endpointId
+		if crossAccountAttachment, ok := crossAccountResources[endpointId]; ok {
+			tfMap["attachment_arn"] = crossAccountAttachment
+		}
 	}
 
 	if v := apiObject.Weight; v != nil {
@@ -479,15 +500,15 @@ func flattenEndpointDescription(apiObject *awstypes.EndpointDescription) map[str
 	return tfMap
 }
 
-func flattenEndpointDescriptions(apiObjects []awstypes.EndpointDescription) []interface{} {
+func flattenEndpointDescriptions(apiObjects []awstypes.EndpointDescription, crossAccountResources map[string]string) []interface{} {
 	if len(apiObjects) == 0 {
 		return nil
 	}
 
 	var tfList []interface{}
 
 	for _, apiObject := range apiObjects {
-		tfList = append(tfList, flattenEndpointDescription(&apiObject))
+		tfList = append(tfList, flattenEndpointDescription(&apiObject, crossAccountResources))
 	}
 
 	return tfList
@@ -524,3 +545,62 @@ func flattenPortOverrides(apiObjects []awstypes.PortOverride) []interface{} {
 
 	return tfList
 }
+
+func listAllCrossAccountResourcesByOwner(ctx context.Context, conn *globalaccelerator.Client, accountId string) ([]awstypes.CrossAccountResource, error) {
+	accountOwnerResources := []awstypes.CrossAccountResource{}
+
+	var nextToken *string
+	for {
+		crossResourcesResult, err := conn.ListCrossAccountResources(ctx, &globalaccelerator.ListCrossAccountResourcesInput{
+			ResourceOwnerAwsAccountId: aws.String(accountId),
+			NextToken:                 nextToken,
+		})
+		if err != nil {
+			return accountOwnerResources, err
+		}
+		accountOwnerResources = append(accountOwnerResources, crossResourcesResult.CrossAccountResources...)
+
+		if crossResourcesResult.NextToken == nil {
+			break
+		}
+		nextToken = crossResourcesResult.NextToken
+	}
+
+	return accountOwnerResources, nil
+}
+
+// getCrossAccountAttachementsFromResources returns a map[endpointId]attachmentARN
+func getCrossAccountAttachementsFromResources(ctx context.Context, conn *globalaccelerator.Client, egDescriptions []awstypes.EndpointDescription) (map[string]string, error) {
+	tmpErrors := []error{}
+
+	// EndpointId -> AttachmentArn
+	result := map[string]string{}
+
+	if len(egDescriptions) == 0 {
+		return result, nil
+	}
+
+	queriedAccounts := map[string][]awstypes.CrossAccountResource{} // cache
+	for _, egDescription := range egDescriptions {
+		arn, err := arn.Parse(*egDescription.EndpointId)
+		if err != nil {
+			continue // not an arn, not a crossAccountResource
+		}
+
+		if _, ok := queriedAccounts[arn.AccountID]; !ok {
+			queriedAccounts[arn.AccountID], err = listAllCrossAccountResourcesByOwner(ctx, conn, arn.AccountID)
+			if err != nil {
+				tmpErrors = append(tmpErrors, fmt.Errorf("failed to ListCrossAccountResources for account %q: %w", arn.AccountID, err))
+			}
+		}
+
+		for _, crossAccResource := range queriedAccounts[arn.AccountID] {
+			if *crossAccResource.EndpointId == *egDescription.EndpointId {
+				result[*crossAccResource.EndpointId] = *crossAccResource.AttachmentArn
+				break
+			}
+		}
+	}
+
+	return result, errors.Join(tmpErrors...)
+}
@@ -109,6 +109,7 @@ func TestAccGlobalAcceleratorEndpointGroup_ALBEndpoint_clientIP(t *testing.T) {
 					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "endpoint_configuration.*", map[string]string{
 						"client_ip_preservation_enabled": acctest.CtFalse,
 						names.AttrWeight:                 "20",
+						"attachment_arn":                 "",
 					}),
 					resource.TestCheckTypeSetElemAttrPair(resourceName, "endpoint_configuration.*.endpoint_id", albResourceName, names.AttrID),
 					resource.TestCheckResourceAttr(resourceName, "endpoint_group_region", acctest.Region()),
@@ -429,6 +430,46 @@ func TestAccGlobalAcceleratorEndpointGroup_update(t *testing.T) {
 	})
 }
 
+func TestAccGlobalAcceleratorEndpointGroup_crossAccountAttachment(t *testing.T) {
+	ctx := acctest.Context(t)
+	var v awstypes.EndpointGroup
+	resourceName := "aws_globalaccelerator_endpoint_group.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			acctest.PreCheckOrganizationsAccount(ctx, t)
+			testAccPreCheck(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.GlobalAcceleratorServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5FactoriesAlternate(ctx, t),
+		CheckDestroy:             testAccCheckEndpointGroupDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEndpointGroupConfig_crossAccountAttachement(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckEndpointGroupExists(ctx, resourceName, &v),
+					acctest.MatchResourceAttrGlobalARN(resourceName, names.AttrARN, "globalaccelerator", regexache.MustCompile(`accelerator/[^/]+/listener/[^/]+/endpoint-group/[^/]+`)),
+					resource.TestCheckResourceAttr(resourceName, "endpoint_configuration.#", acctest.Ct1),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "endpoint_configuration.*", map[string]string{
+						"client_ip_preservation_enabled": acctest.CtFalse,
+						names.AttrWeight:                 "20",
+					}),
+					resource.TestCheckTypeSetElemAttrPair(resourceName, "endpoint_configuration.*.endpoint_id", "aws_lb.alt_test", names.AttrARN),
+					resource.TestCheckTypeSetElemAttrPair(resourceName, "endpoint_configuration.*.attachment_arn", "aws_globalaccelerator_cross_account_attachment.alt_test", names.AttrARN),
+					resource.TestCheckResourceAttr(resourceName, "endpoint_group_region", acctest.AlternateRegion()),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccCheckEndpointGroupExists(ctx context.Context, name string, v *awstypes.EndpointGroup) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[name]
@@ -874,3 +915,148 @@ resource "aws_globalaccelerator_endpoint_group" "test" {
 }
 `, rName)
 }
+
+func testAccEndpointGroupConfig_crossAccountAttachement(rName string) string {
+	return acctest.ConfigCompose(
+		acctest.ConfigAlternateAccountAlternateRegionProvider(),
+		fmt.Sprintf(`
+###############################################################################
+## alternate account setup
+###############################################################################
+
+data "aws_availability_zones" "alt_available" {
+  provider = "awsalternate"
+
+  exclude_zone_ids = ["usw2-az4", "usgw1-az2"]
+  state            = "available"
+
+  filter {
+    name   = "opt-in-status"
+    values = ["opt-in-not-required"]
+  }
+}
+
+resource "aws_vpc" "alt_test" {
+  provider = "awsalternate"
+
+  cidr_block = "10.0.0.0/16"
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_subnet" "alt_test" {
+  provider = "awsalternate"
+
+  count = 2
+
+  vpc_id            = aws_vpc.alt_test.id
+  availability_zone = data.aws_availability_zones.alt_available.names[count.index]
+  cidr_block        = cidrsubnet(aws_vpc.alt_test.cidr_block, 8, count.index)
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_lb" "alt_test" {
+  provider = "awsalternate"
+
+  name            = %[1]q
+  internal        = false
+  security_groups = [aws_security_group.alt_test.id]
+  subnets         = aws_subnet.alt_test[*].id
+
+  idle_timeout               = 30
+  enable_deletion_protection = false
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_security_group" "alt_test" {
+  provider = "awsalternate"
+
+  name   = %[1]q
+  vpc_id = aws_vpc.alt_test.id
+
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_internet_gateway" "alt_test" {
+  provider = "awsalternate"
+
+  vpc_id = aws_vpc.alt_test.id
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+resource "aws_globalaccelerator_cross_account_attachment" "alt_test" {
+  provider = "awsalternate"
+
+  name       = %[1]q
+	principals = [ data.aws_caller_identity.current.account_id ]
+
+  resource {
+    endpoint_id = aws_lb.alt_test.arn
+  }
+}
+
+
+###############################################################################
+## main account
+###############################################################################
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_globalaccelerator_accelerator" "test" {
+  name            = %[1]q
+  ip_address_type = "IPV4"
+  enabled         = false
+}
+
+resource "aws_globalaccelerator_listener" "test" {
+  accelerator_arn = aws_globalaccelerator_accelerator.test.id
+  protocol        = "TCP"
+
+  port_range {
+    from_port = 80
+    to_port   = 80
+  }
+}
+
+resource "aws_globalaccelerator_endpoint_group" "test" {
+  listener_arn = aws_globalaccelerator_listener.test.id
+
+  endpoint_configuration {
+    endpoint_id                    = aws_lb.alt_test.arn
+    attachment_arn                 = aws_globalaccelerator_cross_account_attachment.alt_test.arn
+    weight                         = 20
+    client_ip_preservation_enabled = false
+  }
+
+  endpoint_group_region = %[2]q
+}
+`, rName, acctest.AlternateRegion()),
+	)
+}
@@ -58,6 +58,7 @@ Terraform will only perform drift detection of its value when present in a confi
 **Note:** When client IP address preservation is enabled, the Global Accelerator service creates an EC2 Security Group in the VPC named `GlobalAccelerator` that must be deleted (potentially outside of Terraform) before the VPC will successfully delete. If this EC2 Security Group is not deleted, Terraform will retry the VPC deletion for a few minutes before reporting a `DependencyViolation` error. This cannot be resolved by re-running Terraform.
 * `endpoint_id` - (Optional) An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID.
 * `weight` - (Optional) The weight associated with the endpoint. When you add weights to endpoints, you configure AWS Global Accelerator to route traffic based on proportions that you specify.
+* `attachment_arn` - (Optional) An ARN of an exposed cross-account attachment. See the [AWS documentation](https://docs.aws.amazon.com/global-accelerator/latest/dg/cross-account-resources.html) for more details.
 
 `port_override` supports the following arguments:
 
@@ -104,4 +105,4 @@ Using `terraform import`, import Global Accelerator endpoint groups using the `i
 % terraform import aws_globalaccelerator_endpoint_group.example arn:aws:globalaccelerator::111111111111:accelerator/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/listener/xxxxxxx/endpoint-group/xxxxxxxx
 ```
 
-<!-- cache-key: cdktf-0.20.1 input-a99822bb8d802bdee38671c5875d85175be0aff6331a6b380641cb861eac7402 -->
+<!-- cache-key: cdktf-0.20.1 input-a99822bb8d802bdee38671c5875d85175be0aff6331a6b380641cb861eac7402 -->
@@ -45,6 +45,7 @@ Terraform will only perform drift detection of its value when present in a confi
 **Note:** When client IP address preservation is enabled, the Global Accelerator service creates an EC2 Security Group in the VPC named `GlobalAccelerator` that must be deleted (potentially outside of Terraform) before the VPC will successfully delete. If this EC2 Security Group is not deleted, Terraform will retry the VPC deletion for a few minutes before reporting a `DependencyViolation` error. This cannot be resolved by re-running Terraform.
 * `endpoint_id` - (Optional) An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID.
 * `weight` - (Optional) The weight associated with the endpoint. When you add weights to endpoints, you configure AWS Global Accelerator to route traffic based on proportions that you specify.
+*  `attachment_arn` - (Optional) An ARN of an exposed cross-account attachment. See the [AWS documentation](https://docs.aws.amazon.com/global-accelerator/latest/dg/cross-account-resources.html) for more details.
 
 `port_override` supports the following arguments: