[Enhancement]: Allow cross-account attachment references in aws_globalaccelerator_endpoint_group endpoint configuration #37631

Closed
auvik-bheesham opened this issue May 21, 2024 · 6 comments · Fixed by #39507
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/globalaccelerator Issues and PRs that pertain to the globalaccelerator service.

auvik-bheesham commented May 21, 2024

Description

Currently it's not possible to reference a cross-account attachment with AWS Global Accelerator.

Right now, if you were to reference an ALB (for example) which has a cross-account attachment you run into:

2024-05-21T19:35:55.199-0400 [DEBUG] provider.terraform-provider-aws_v5.50.0_x5: HTTP Request Sent: tf_resource_type=aws_globalaccelerator_endpoint_group http.method=POST tf_provider_addr=registry.terraform.io/hashicorp/aws tf_aws.sdk=aws-sdk-go-v2 tf_rpc=ApplyResourceChange http.request.header.content_type=application/x-amz-json-1.1 http.request.header.x_amz_date=20240521T233555Z rpc.system=aws-api tf_req_id=3f2a0b3b-7516-7e60-1fac-2ed781a7b1bb @caller=github.com/hashicorp/aws-sdk-go-base/[email protected]/logging/tf_logger.go:45
  http.request.body=
  | {"EndpointConfigurations":[{"ClientIPPreservationEnabled":true,"EndpointId":"arn:aws:elasticloadbalancing:us-east-1:REMOTE:loadbalancer/app/.../...","Weight":127}],"EndpointGroupArn":"arn:aws:globalaccelerator::LOCAL:accelerator/.../listener/.../endpoint-group/...","HealthCheckIntervalSeconds":30,"HealthCheckPath":"/","HealthCheckPort":443,"HealthCheckProtocol":"HTTPS","PortOverrides":[],"ThresholdCount":3,"TrafficDialPercentage":100}
   rpc.method=UpdateEndpointGroup http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.8.3 (+https://www.terraform.io) terraform-provider-aws/5.50.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.26.2 os/macos lang/go#1.22.2 md/GOOS#darwin md/GOARCH#arm64 api/globalaccelerator#1.23.3" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************.../20240521/us-west-2/globalaccelerator/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****" http.request.header.x_amz_target=GlobalAccelerator_V20180706.UpdateEndpointGroup http.request.header.amz_sdk_request="attempt=1; max=25" rpc.service="Global Accelerator" http.request.header.amz_sdk_invocation_id=7dff402a-928c-4517-a211-4d0412e384c6 aws.region=us-west-2 http.request.header.x_amz_security_token="*****" http.url=https://globalaccelerator.us-west-2.amazonaws.com/ net.peer.name=globalaccelerator.us-west-2.amazonaws.com tf_aws.signing_region="" @module=aws http.request_content_length=539 tf_mux_provider="*schema.GRPCProviderServer" timestamp=2024-05-21T19:35:55.199-0400
2024-05-21T19:35:55.831-0400 [DEBUG] provider.terraform-provider-aws_v5.50.0_x5: HTTP Response Received:
  http.response.body=
  | {"__type":"InvalidArgumentException","Message":"The cross-account attachment ARN is null or empty for the following cross-account endpoint: arn:aws:elasticloadbalancing:us-east-1:REMOTE:loadbalancer/app/.../..."}

Potentially the cause: AttachmentArn is missing from the AWS API call. Repeating here for convenience:

http.request.body=
  | {"EndpointConfigurations":[{"ClientIPPreservationEnabled":true,"EndpointId":"arn:aws:elasticloadbalancing:us-east-1:REMOTE:loadbalancer/app/.../...","Weight":127}],"EndpointGroupArn":"arn:aws:globalaccelerator::LOCAL:accelerator/.../listener/.../endpoint-group/...","HealthCheckIntervalSeconds":30,"HealthCheckPath":"/","HealthCheckPort":443,"HealthCheckProtocol":"HTTPS","PortOverrides":[],"ThresholdCount":3,"TrafficDialPercentage":100}

(AWS SDK docs for type EndpointConfiguration).

Trying to use this as-is results in the following error:

aws_globalaccelerator_endpoint_group.example: Modifying... [id=arn:aws:globalaccelerator::LOCAL:accelerator/.../listener/.../endpoint-group/...]
╷
│ Error: updating Global Accelerator Endpoint Group (arn:aws:globalaccelerator::LOCAL:accelerator/.../listener/.../endpoint-group/...): operation error Global Accelerator: UpdateEndpointGroup, https response error StatusCode: 400, RequestID: e1990b12-1e36-40f5-b6b4-a9f5e684aa2e, InvalidArgumentException: The cross-account attachment ARN is null or empty for the following cross-account endpoint: arn:aws:elasticloadbalancing:us-east-1:REMOTE:loadbalancer/app/.../...
│ 
│   with aws_globalaccelerator_endpoint_group.example,
│   on accelerator.tf line 34, in resource "aws_globalaccelerator_endpoint_group" "example":
│   34: resource "aws_globalaccelerator_endpoint_group" "example" {

Affected Resource(s) and/or Data Source(s)

  • aws_globalaccelerator_endpoint_group

Potential Terraform Configuration

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.50.0"
    }
  }
}

resource "aws_globalaccelerator_endpoint_group" "example" {
  provider              = aws.local
  listener_arn          = aws_globalaccelerator_listener.example.id
  health_check_protocol = "HTTPS"
  endpoint_configuration {
    client_ip_preservation_enabled = true
    endpoint_id                    = module.remote.alb.arn # Output: data.aws_lb.alb
    weight                         = 127
  }
}

References

Would you like to implement a fix?

None

@auvik-bheesham auvik-bheesham added the enhancement Requests to existing resources that expand the functionality or scope. label May 21, 2024
@github-actions github-actions bot added the service/globalaccelerator Issues and PRs that pertain to the globalaccelerator service. label May 21, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label May 21, 2024
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label May 24, 2024
@pancake62

I've been struggling with this for a couple months using aws_ccc variant.

@auvik-bheesham
Author

Yeah, I've noticed awscc has some weirdness with these resources, in particular:

  • tags are reordered on awscc_globalaccelerator_accelerator, causing perpetual changes (though maybe I'm doing something wrong)
  • something similar with awscc_globalaccelerator_endpoint_group's
    • health_check_path
    • port_overrides
    • endpoint_configurations.[].attachment_arn

But anyways, I just noticed some related tickets/MRs:

@tcarreira
Contributor

tcarreira commented Sep 26, 2024

I saw this one yesterday, and since some months had passed without any movement, I took the liberty of continuing the feature. I created a new PR, #39507.

@github-actions github-actions bot added this to the v5.70.0 milestone Oct 1, 2024

github-actions bot commented Oct 4, 2024

This functionality has been released in v5.70.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
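
Added example, not part of the original issue or the provider's own code: a configuration for provider v5.70.0 or later that supplies the attachment ARN the `InvalidArgumentException` above asks for. The `aws.remote` provider alias, the resource labels and the attachment name are assumptions; `aws.local`, `module.remote.alb.arn` and the listener reference come from the configuration in the issue.

```hcl
# Added example; the aws.remote alias and the names below are assumptions.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.70.0" # release named in the thread as carrying the fix
    }
  }
}

# Account that owns the accelerator (LOCAL in the issue's log).
data "aws_caller_identity" "local" {
  provider = aws.local
}

# Created in the account that owns the ALB (REMOTE in the issue's log).
# The issue's request went to globalaccelerator.us-west-2.amazonaws.com,
# so aws.remote is assumed to target us-west-2 as well.
resource "aws_globalaccelerator_cross_account_attachment" "example" {
  provider = aws.remote
  name     = "example-attachment" # constructed name

  # This list is the authorization grant: only these principals may add
  # the resources below to their accelerators. Keep it to the one account.
  principals = [data.aws_caller_identity.local.account_id]

  resource {
    endpoint_id = module.remote.alb.arn
    region      = "us-east-1" # region in the ALB ARN from the issue
  }
}

resource "aws_globalaccelerator_endpoint_group" "example" {
  provider              = aws.local
  listener_arn          = aws_globalaccelerator_listener.example.id
  health_check_protocol = "HTTPS"

  endpoint_configuration {
    # Sent as AttachmentArn, the field missing from the logged request body.
    attachment_arn                 = aws_globalaccelerator_cross_account_attachment.example.arn
    client_ip_preservation_enabled = true
    endpoint_id                    = module.remote.alb.arn
    weight                         = 127
  }
}
```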
