terraform-aws-ipam

Failure to use module with resource dependencies: 'operating_regions' must include us-east-1

Open vinelias opened this issue 10 months ago • 1 comments

Hi folks! I'm trying to use this module with a 'depends_on' statement. I want to use a cross-account provider to delegate the IPAM service to my 'Network' account. It's not a requirement in this case; I can create the IPAM pools and delegate the organization service after that, but it would be nice if we could have it working.

Here you can see a code snippet:

resource "aws_organizations_delegated_administrator" "ipam" {
  provider = aws.org-management

  account_id        = data.aws_caller_identity.current.account_id
  service_principal = "ipam.amazonaws.com"
}

module "ipam" {
  source  = "aws-ia/ipam/aws"
  version = "2.1.0"
  depends_on = [aws_organizations_delegated_administrator.ipam]
...

The error is:

Error: operating_regions must include us-east-1
│ 
│   with module.ipam.aws_vpc_ipam.main[0],
│   on .terraform/modules/ipam/main.tf line 27, in resource "aws_vpc_ipam" "main":
│   27: resource "aws_vpc_ipam" "main" {
│ 

Terraform version: 1.5.0

My suggestion is to create a variable to specify the main region statically; it will avoid problems with the depends_on statement and data resources inside the module. I made some changes locally and it seems to work fine.

--- a/main.tf
+++ b/main.tf
@@ -19,7 +19,7 @@ locals {
 
   # its possible to create pools in all regions except the primary, but we must pass the primary region
   # to aws_vpc_ipam.operating_regions.region_name
-  operating_regions = distinct(concat(local.all_locales, [data.aws_region.current.name]))
+  operating_regions = distinct(concat(local.all_locales, [var.ipam_main_region == "" ? data.aws_region.current.name : var.ipam_main_region]
))
 }
 
 data "aws_region" "current" {}
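
Review bot: the added `operating_regions` line wraps its closing `))` onto a separate, unindented line; keep the expression on one line (or indent the continuation) so the file stays formatted the way `terraform fmt` would leave it. The ternary also still falls back to `data.aws_region.current.name` whenever `var.ipam_main_region` is `""`, so a caller who puts `depends_on` on the module only benefits if they set the variable explicitly. The comment above the local should say that, since it currently only mentions passing the primary region.
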
diff --git a/variables.tf b/variables.tf
index 86d814f..ef18d53 100644
--- a/variables.tf
+++ b/variables.tf
@@ -130,6 +130,15 @@ variable "ipam_scope_type" {
   }
 }
 
+variable "ipam_main_region" {
+  description = <<-EOF
+    It is possible to create pools in all regions except the main, but we must pass the primary region.
+    You can use this variable to specify the main region, or you can leave it blank to use the region for the current provider.
+  EOF
+  type        = string
+  default     = ""
+}
+

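Review bot: `ipam_main_region` uses `""` as a sentinel default and has no `validation` block, so a mistyped region name is not caught by the module itself. Consider `default = null` with a null check in `main.tf` instead of comparing against an empty string, plus a `validation` on the region name format. The description also mixes "main" and "primary" for the same region; pick one term and state that the value ends up in `operating_regions`.
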
Thanks in advance

vinelias, Apr 20 '24 16:04

Making it a list of strings of regions would be nice. Currently the module requires you to set up a pool in each region you operate in; our use case is a single pool that covers multiple regions.

fsmedw, Jul 10 '24 09:07