there is a different prefix of arn between china region and other region #7309

Closed
jumping opened this issue Jun 24, 2016 · 10 comments · Fixed by #11359

@jumping

jumping commented Jun 24, 2016

I searched the code under builtin/providers/aws and found that the ARN prefix is hardcoded, like "arn:aws:", but the China region has another prefix, "arn:aws-cn:". Is it possible to make a change?

➜  aws git:(master) pwd
/tmp/terraform/builtin/providers/aws
➜  aws git:(master) grep arn:aws *.go|grep -v _test.go
resource_aws_cloudfront_origin_access_identity.go:  d.Set("iam_arn", fmt.Sprintf("arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity %s", *resp.CloudFrontOriginAccessIdentity.Id))
resource_aws_db_event_subscription.go:  arn := fmt.Sprintf("arn:aws:rds:%s:%s:es:%s", region, customerAwsId, subscriptionId)
resource_aws_db_instance.go:    arn := fmt.Sprintf("arn:aws:rds:%s:%s:db:%s", region, accountID, identifier)
resource_aws_db_option_group.go:    arn := fmt.Sprintf("arn:aws:rds:%s:%s:og:%s", region, accountid, identifier)
resource_aws_db_parameter_group.go: arn := fmt.Sprintf("arn:aws:rds:%s:%s:pg:%s", region, accountID, d.Id())
resource_aws_db_security_group.go:  arn := fmt.Sprintf("arn:aws:rds:%s:%s:secgrp:%s", region, accountID, d.Id())
resource_aws_db_subnet_group.go:    arn := fmt.Sprintf("arn:aws:rds:%s:%s:subgrp:%s", region, accountID, d.Id())
resource_aws_ecs_service.go:    if strings.HasPrefix(d.Get("task_definition").(string), "arn:aws:ecs:") {
resource_aws_ecs_service.go:    if strings.HasPrefix(d.Get("cluster").(string), "arn:aws:ecs:") {
resource_aws_ecs_service.go:        if strings.HasPrefix(d.Get("iam_role").(string), "arn:aws:iam:") {
resource_aws_ecs_service.go:// arn:aws:iam::0123456789:role/EcsService
resource_aws_ecs_service.go:// arn:aws:ecs:us-west-2:0123456789:cluster/radek-cluster
resource_aws_elasticache_cluster.go:    arn := fmt.Sprintf("arn:aws:elasticache:%s:%s:cluster:%s", region, accountID, d.Id())
resource_aws_lambda_permission.go:var LambdaFunctionRegexp = `^(arn:aws:lambda:)?([a-z]{2}-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?$`
resource_aws_lambda_permission.go:  if strings.HasPrefix(d.Get("function_name").(string), "arn:aws:lambda:") {
resource_aws_rds_cluster_parameter_group.go:    arn := fmt.Sprintf("arn:aws:rds:%s:%s:cluster-pg:%s", region, accountID, d.Id())
resource_aws_redshift_cluster.go:   arn := fmt.Sprintf("arn:aws:redshift:%s:%s:cluster:%s", region, accountid, identifier)
resource_aws_s3_bucket.go:  d.Set("arn", fmt.Sprint("arn:aws:s3:::", d.Id()))
validators.go:  pattern := `^(arn:aws:lambda:)?([a-z]{2}-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?$`
validators.go:  pattern := `^arn:aws:([a-zA-Z0-9\-])+:([a-z]{2}-[a-z]+-\d{1})?:(\d{12})?:(.*)$`
@pdecat
Contributor

pdecat commented Jul 20, 2016

Here is a quick fix based on v0.6.16 that works for the aws_db_instance resource:

diff --git a/builtin/providers/aws/resource_aws_db_instance.go b/builtin/providers/aws/resource_aws_db_instance.go
index bc8cec6..1436ca7 100644
--- a/builtin/providers/aws/resource_aws_db_instance.go
+++ b/builtin/providers/aws/resource_aws_db_instance.go
@@ -1005,6 +1005,12 @@ func buildRDSARN(identifier string, meta interface{}) (string, error) {
        }
        userARN := *resp.User.Arn
        accountID := strings.Split(userARN, ":")[4]
-       arn := fmt.Sprintf("arn:aws:rds:%s:%s:db:%s", region, accountID, identifier)
+       var partition string
+       if region == "cn-north-1" {
+               partition = "aws-cn"
+       } else {
+               partition = "aws"
+       }
+       arn := fmt.Sprintf("arn:%s:rds:%s:%s:db:%s", partition, region, accountID, identifier)
        return arn, nil
 }
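Review bot: the `if region == "cn-north-1"` branch hardcodes a single region, so every other non-default partition still gets `arn:aws:`; us-gov-west-1 is reported later in this thread with `arn:aws-us-gov:`. The context lines already hold `userARN` and split it on ":" to read the account ID at index 4, so the partition could be read from index 1 of that same split instead of being inferred from the region name. The split result is also indexed without a length check, which is worth guarding if this code is touched anyway. The same prefix is hardcoded in the other RDS resources listed in the issue, so a shared helper would be better than repeating this block per resource.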

@tony612

tony612 commented Aug 31, 2016

+1 for this problem

@svperfecta

svperfecta commented Sep 26, 2016

@PxSonny and I are seeing this right now for an issue we're dealing with too. Within China, although Terraform creates the resources fine, we're seeing the following in our .tfstate file (relevant sections only):

Actual:

"aws_db_instance.default": {
    "type": "aws_db_instance",
    "primary": {
        "attributes": {
            "arn": "arn:aws:rds:cn-north-1:1234:db:name",
        },
    },
},
"aws_db_subnet_group.default": {
    "type": "aws_db_subnet_group",
    "primary": {
        "attributes": {
            "arn": "arn:aws:rds:cn-north-1:1234:subgrp:name",
        },
    },
},

Expected:

"aws_db_instance.default": {
    "type": "aws_db_instance",
    "primary": {
        "attributes": {
            "arn": "arn:aws-cn:rds:cn-north-1:1234:db:name",
        },
    },
},
"aws_db_subnet_group.default": {
    "type": "aws_db_subnet_group",
    "primary": {
        "attributes": {
            "arn": "arn:aws-cn:rds:cn-north-1:1234:subgrp:name",
        },
    },
},

What's interesting is that many other resources seem to handle this case fine.

@svperfecta

svperfecta commented Sep 26, 2016

@jumping A humble suggestion, would it be possible to change the title of this ticket to "AWS Partition not set in China for aws_db_instance and aws_db_subnet_group"

@svperfecta

hey @jumping Did you want to submit a pull request?

@PxSonny

PxSonny commented Oct 26, 2016

Any news here? :o

@nealmchugh

nealmchugh commented Nov 10, 2016

I believe this affects us-gov-west-1 as well. It has an ARN layout like:

arn:aws-us-gov:iam::account_number:role/name_of_role

Trying to attach that IAM role to an EC2 instance works fine (as well as Redshift in us-east-1), but Redshift in Terraform fails it for what I suspect is the same reason as this issue.

Edit: I want to clarify I've only seen the ARN issue on Redshift Cluster IAM resource attaching in us-gov-west-1
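
Added example, not code from Terraform or from any commenter in this thread: a partition-aware ARN builder plus a check that flags ARNs whose partition does not match their region, which is the mismatch shown in the "Actual" state excerpt above. The function names are hypothetical, and only the three partitions mentioned in this thread (aws, aws-cn, aws-us-gov) are covered.

```go
package main

import (
	"fmt"
	"strings"
)

// partitionForRegion maps a region name to its ARN partition. Only the three
// partitions named in this thread are covered (assumption of this example).
func partitionForRegion(region string) string {
	switch {
	case strings.HasPrefix(region, "cn-"):
		return "aws-cn"
	case strings.HasPrefix(region, "us-gov-"):
		return "aws-us-gov"
	default:
		return "aws"
	}
}

// buildARN (hypothetical helper) assembles an ARN with the partition derived
// from the region instead of a hardcoded "arn:aws:" prefix.
func buildARN(service, region, accountID, resource string) string {
	return fmt.Sprintf("arn:%s:%s:%s:%s:%s",
		partitionForRegion(region), service, region, accountID, resource)
}

// checkARN reports an error when an ARN is malformed or when its partition
// does not match its region.
func checkARN(arn string) error {
	f := strings.SplitN(arn, ":", 6)
	if len(f) != 6 || f[0] != "arn" {
		return fmt.Errorf("malformed ARN %q", arn)
	}
	// Global services (IAM, S3) leave the region empty; nothing to compare.
	if region := f[3]; region != "" && f[1] != partitionForRegion(region) {
		return fmt.Errorf("%q: partition %q does not match region %q (want %q)",
			arn, f[1], region, partitionForRegion(region))
	}
	return nil
}

func main() {
	// First ARN is the "Actual" value from the state excerpt in this thread.
	fmt.Println(checkARN("arn:aws:rds:cn-north-1:1234:db:name"))
	fmt.Println(buildARN("rds", "cn-north-1", "1234", "db:name"))
}
```

Running a check like this over the `arn` attributes of a state file or over policy documents surfaces resources recorded under the wrong partition before those ARNs are reused in IAM policies.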

@PxSonny

PxSonny commented Dec 2, 2016

Hello, this issue has been fixed in Terraform 0.7.6
#9273
I think you can close this one.

@joelittlejohn

joelittlejohn commented Jan 18, 2017

I think this still needs to be fixed for S3. In #7309 (comment) @jumping mentioned this line:

d.Set("arn", fmt.Sprint("arn:aws:s3:::", d.Id()))

and the line was not fixed by #9273.

@ghost

ghost commented Apr 17, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
