terraform-provider-aws: TGW multi-provider aws_ram_resource_share_accepter cannot find invitation

This issue was originally opened by @mitucsaki as hashicorp/terraform#25023. It was migrated here as a result of the provider split. The original body of the issue is below.


Creating a TGW across 4 accounts. I am using the provider mark to switch accounts. Organization RAM sharing is off and TGW auto-accept is also turned off for security. RAM external principals = true:

  1. Account 1 creates the TGW and RAM association. Associates the TGW and creates the RAM principals with account 2 and account 3.
  2. Account 2 uses aws_ram_resource_share_accepter to accept the RAM invitation.
  3. Account 3 uses aws_ram_resource_share_accepter to accept the RAM invitation.

resource "aws_ram_resource_association" "ram_tgw_associate" {
  provider = aws.account_1

  depends_on = [aws_ec2_transit_gateway.tgw]

  resource_arn       = aws_ec2_transit_gateway.tgw.arn
  resource_share_arn = aws_ram_resource_share.ram.id
}

resource "aws_ram_principal_association" "tgw_ram_principal_account_2" {
  provider = aws.account_1

  depends_on = [aws_ram_resource_association.ram_tgw_associate]

  # account id read through the account_2 provider alias (data "aws_caller_identity" "account_2")
  principal          = data.aws_caller_identity.account_2.account_id
  resource_share_arn = aws_ram_resource_share.ram.id
}
resource "aws_ram_principal_association" "tgw_ram_principal_account_3" {
  provider = aws.account_1

  depends_on = [aws_ram_resource_association.ram_tgw_associate]

  # account id read through the account_3 provider alias (data "aws_caller_identity" "account_3")
  principal          = data.aws_caller_identity.account_3.account_id
  resource_share_arn = aws_ram_resource_share.ram.id
}

resource "aws_ram_resource_share_accepter" "tgw_ram_accept_account_2" {
  provider = aws.account_2

  share_arn = aws_ram_principal_association.tgw_ram_principal_account_2.resource_share_arn
}

resource "aws_ram_resource_share_accepter" "tgw_ram_accept_account_3" {
  provider = aws.account_3

  share_arn = aws_ram_principal_association.tgw_ram_principal_account_3.resource_share_arn
}

Expected Behaviour

Both accounts successfully accept the invitation and TF continues.

Actual Behaviour

Account 2 successfully accepts and has the invitation approved: aws_ram_resource_share_accepter.tgw_ram_accept_account_2: Creation complete after 1s [id=arn:aws:ram:ca-central-1:OMITTED:resource-share/resource-id-here-omitted]

Account 3 gives an error saying it cannot find the resource share id; however, in the AWS Console the invitation is accepted and valid and I can see it being shared from Terraform. Looks like TF fails to acknowledge that the creation is completed.

Error retrieving resource shares: UnknownResourceException: ResourceShare arn:aws:ram:ca-central-1:OMITTED:resource-share/resource-id-here-omitted could not be found

Other Notes

I’ve gone through the TGW example of sharing; however, here I am using more providers and my organization does not allow RAM sharing directly, therefore I have to include this extra step + the external principals.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 34
  • Comments: 36

Most upvoted comments

I’ve fixed the aws_ram_resource_share_accepter resource’s eventual consistency problems so please upvote the PR for the faster review! 🙏

https://github.com/hashicorp/terraform-provider-aws/pull/17032

Can also confirm I am experiencing this problem with the latest AWS provider and TF version. I see the invitation, and if I accept I can then import the resource. Strange because the invitation is clearly there but TF is reporting that it can’t find it.

I am facing a similar issue, but I think it’s more of an issue with AWS resource share than providers. In my case I am doing:

  1. Create Transit Gateway and RAM resource share with this TG in parent account. (This Works Fine!!)
  2. Share RAM resource with children accounts and attach VPCs of children accounts to this TG in parent account. I referred to AWS and Terraform documentation where they mentioned that resource share propagation takes some time, hence I added a time_sleep resource of 2 mins after the invitation is sent and before the invitation is accepted. Just after 2 mins of wait, the invitation is accepted and I can see in the child account that it has moved from Pending to Active status, but the next moment terraform plan fails with error: Error: error retrieving resource shares: UnknownResourceException: ResourceShare arn:aws:ram:eu-west-1:11111111111:resource-share/abc-123-xyz could not be found, even though the arn is valid and TF code accepted it. If the same code is rerun, then apply fails with an error that there is no invitation to accept, which is valid as in the first run itself the invitation was accepted. Hence it looks like some glitch in Terraform that it is not able to see that the valid invitation and arn are accepted but it is still failing for an invalid resource. Request you to have a look at it on priority. version: 12.20
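
The eventual-consistency window described in the issue and in the comment above (share accepted in the console, UnknownResourceException from the API moments later) is something a practitioner can check for outside Terraform. Below is an added example, not code from the issue or from the provider: a bounded poll from the accepting account that treats UnknownResourceException as transient and any other failure as real. `FakeRamClient` and `UnknownResourceException` are constructed stand-ins; with the real SDK you would pass `boto3.client("ram")`, whose `get_resource_shares` takes the same parameters and raises `client.exceptions.UnknownResourceException`.

```python
"""Poll a RAM resource share from the accepting account until it is visible."""
import time


class UnknownResourceException(Exception):
    """Constructed stand-in for the RAM UnknownResourceException the thread quotes."""


def wait_for_shared_resource(client, share_arn, attempts=6, delay=0.0, sleep=time.sleep):
    """Return the share status once it is visible; raise TimeoutError if it never is.

    UnknownResourceException is treated as propagation lag and retried with
    linear backoff (delay * attempt seconds); any other exception propagates.
    """
    last_err = None
    for attempt in range(1, attempts + 1):
        try:
            resp = client.get_resource_shares(
                resourceShareArns=[share_arn], resourceOwner="OTHER-ACCOUNTS")
        except UnknownResourceException as exc:
            last_err = exc
            sleep(delay * attempt)
            continue
        for share in resp.get("resourceShares", []):
            if share["resourceShareArn"] == share_arn:
                return share["status"]
        # A successful call that omits the ARN is not a propagation problem.
        raise LookupError(f"{share_arn} missing from response")
    raise TimeoutError(f"{share_arn} still unknown after {attempts} attempts") from last_err


class FakeRamClient:
    """Constructed client: the share is unknown for `hidden_calls` calls, then ACTIVE."""

    def __init__(self, share_arn, hidden_calls):
        self.share_arn, self.hidden_calls, self.calls = share_arn, hidden_calls, 0

    def get_resource_shares(self, resourceShareArns, resourceOwner):
        self.calls += 1
        if self.calls <= self.hidden_calls:
            raise UnknownResourceException(
                f"ResourceShare {resourceShareArns[0]} could not be found")
        return {"resourceShares": [{"resourceShareArn": self.share_arn, "status": "ACTIVE"}]}


SHARE_ARN = "arn:aws:ram:ca-central-1:111111111111:resource-share/EXAMPLE"  # constructed

if __name__ == "__main__":
    client = FakeRamClient(SHARE_ARN, hidden_calls=3)
    print(wait_for_shared_resource(client, SHARE_ARN), "after", client.calls, "calls")
```

With a real client, set `delay` to a few seconds; the default of 0 only exists so the constructed run finishes instantly.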

Any specific reason you have used aws_ram_principal_association.ram_principal.id instead of aws_ram_principal_association.ram_principal.resource_share_arn in triggers? If you have used resource_share_arn then you don’t need the element/split functions in accept. But I think that does not work, gives UnknownResourceException?