
[Bug]: aws_elb_service_account data source fails with Error: Unknown region ("me-central-1")

Open mcricker opened this issue 2 years ago • 8 comments

Terraform Core Version

Terraform v0.14.11

AWS Provider Version

v4.53.0

Affected Resource(s)

aws_elb_service_account

Expected Behavior

aws_elb_service_account data source should work for the new region me-central-1

Actual Behavior

When doing a terraform apply, it fails at this block, data "aws_elb_service_account" "main" { }, with Error: Unknown region ("me-central-1")

Relevant Error/Panic Output Snippet

Error: Unknown region ("me-central-1")

Terraform Configuration Files

data "aws_elb_service_account" "main" { }

Steps to Reproduce

Try to set up the aws_elb_service_account data source in me-central-1.

Debug Output

No response

Panic Output

No response

Important Factoids

The specific use case is using data.aws_elb_service_account.main.arn in a "aws_s3_bucket_policy" "allow_access_for_alb_access_logging" resource.

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account#region

Would you like to implement a fix?

None

mcricker avatar Feb 09 '23 16:02 mcricker

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

github-actions[bot] avatar Feb 09 '23 16:02 github-actions[bot]

Relates: https://github.com/hashicorp/terraform-provider-aws/issues/27874.

ewbankkit avatar Feb 09 '23 18:02 ewbankkit

@mcricker Thanks for raising this issue.

For the newer Regions AWS document that service principals should be used instead of account IDs:

  • https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-bucket-permissions
  • https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
  • https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy

The maintainers will discuss what we do with such Regions in these data sources.

ewbankkit avatar Feb 09 '23 20:02 ewbankkit

Can service principals be used in the same way for older regions as well (i.e., not need specific Terraform for specific regions)?

mcricker avatar Feb 13 '23 10:02 mcricker

@mcricker For Redshift the AWS documentation says

> For most AWS Regions, you add the Redshift service-principal name, redshift.amazonaws.com.

the exception being "opt-in" Regions where the service-principal name is redshift.<region>.amazonaws.com. For ELB there is a documented distinction between older (pre-Jakarta, December 2021) and newer Regions - older ones use the account ID, newer ones the service-principal name. I haven't checked whether or not the service-principal name works in older Regions.

ewbankkit avatar Feb 13 '23 12:02 ewbankkit

I have noticed that we don't return a Region's opt-in status from either the aws_region or aws_regions data sources. You could use a filter on the aws_regions data source and then the Terraform contains function on the resulting list of names.

ewbankkit avatar Feb 13 '23 12:02 ewbankkit

> I have noticed that we don't return a Region's opt-in status from either the aws_region or aws_regions data sources. You could use a filter on the aws_regions data source and then the Terraform contains function on the resulting list of names.

I don't think that this will actually work as a way to differentiate these regions, because there are older opt-in regions that do not have the same behaviour (e.g., me-south-1).

mcricker avatar Feb 24 '23 15:02 mcricker
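
An added example (not from the thread or the provider's code) of one way to handle the Region distinction discussed above: skip the data source in Regions on a hand-maintained list and use the ELB log-delivery service principal from the AWS documentation linked earlier. The variable `log_bucket_name`, the local names and the Region list are assumptions, and `data.aws_region.current.name` is the attribute name in provider v4.

```hcl
variable "log_bucket_name" {
  type = string # assumption: name of an existing access-log bucket
}

data "aws_region" "current" {}

locals {
  # Assumption: hand-maintained list of Regions where the data source fails.
  # me-central-1 is the only one named in this issue.
  elb_service_principal_regions = ["me-central-1"]

  use_service_principal = contains(local.elb_service_principal_regions, data.aws_region.current.name)

  # Service principal documented by AWS for the newer Regions; account ARN elsewhere.
  elb_log_principal = local.use_service_principal ? "logdelivery.elasticloadbalancing.amazonaws.com" : data.aws_elb_service_account.main[0].arn
}

# count = 0 in listed Regions, so the "Unknown region" error is never raised.
data "aws_elb_service_account" "main" {
  count = local.use_service_principal ? 0 : 1
}

data "aws_iam_policy_document" "alb_logs" {
  statement {
    sid     = "AllowElbAccessLogDelivery"
    effect  = "Allow"
    actions = ["s3:PutObject"]

    # Scoped to the AWSLogs/ prefix rather than the whole bucket.
    # Assumption: the standard "aws" partition.
    resources = ["arn:aws:s3:::${var.log_bucket_name}/AWSLogs/*"]

    principals {
      type        = local.use_service_principal ? "Service" : "AWS"
      identifiers = [local.elb_log_principal]
    }
  }
}

resource "aws_s3_bucket_policy" "allow_access_for_alb_access_logging" {
  bucket = var.log_bucket_name
  policy = data.aws_iam_policy_document.alb_logs.json
}
```

Running `terraform plan` in each target Region and checking the rendered `Principal` element confirms which branch was taken before the policy is applied.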

In addition to the above issue, I am wondering if there is a way to check if Lambdas in the region support the arm64 architecture, since this is also an issue with me-central-1:

InvalidParameterValueException: Architecture "arm64" is not supported in me-central-1. Please select "x86_64" or remove the Architectures value from your request and try again

mcricker avatar Feb 24 '23 15:02 mcricker

Hi. The problem is really serious; we cannot use Terraform for new regions: https://github.com/hashicorp/terraform-provider-aws/issues/28909

xeonic-ant avatar Mar 16 '23 13:03 xeonic-ant

Hello! Is there any update on this?

cisco-ashekham avatar Feb 15 '24 15:02 cisco-ashekham