
[Bug]: aws_servicecatalog_portfolio_share does not support sharing to GovCloud organization #39861

Open
atheiman opened this issue Oct 23, 2024 · 1 comment
Labels
bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. service/organizations Issues and PRs that pertain to the organizations service. service/servicecatalog Issues and PRs that pertain to the servicecatalog service.

Comments

@atheiman
Contributor

atheiman commented Oct 23, 2024

Terraform Core Version

latest

AWS Provider Version

v5.72.1

Affected Resource(s)

aws_servicecatalog_portfolio_share

Expected Behavior

Use aws_servicecatalog_portfolio_share to share a servicecatalog portfolio to a GovCloud organization (partition is aws-us-gov rather than aws) using either the organization arn or organization id.

# MUST BE RUN FROM A GOVCLOUD ORGANIZATION MANAGEMENT ACCOUNT TO REPRODUCE

resource "aws_servicecatalog_organizations_access" "svc_ctlg_orgs_access" {
  enabled = "true"
}

data "aws_organizations_organization" "current" {}

resource "aws_servicecatalog_portfolio" "portfolio" {
  name          = "Example Portfolio"
  description   = "Demo portfolio for service catalog products"
  provider_name = "Example Organization"
}

The above should be combined with one of the below options to be able to share to a govcloud organization by id or arn using the servicecatalog.CreatePortfolioShare api.

# Option 1 - share to org by id
resource "aws_servicecatalog_portfolio_share" "org_id" {
  portfolio_id = aws_servicecatalog_portfolio.portfolio.id
  principal_id = data.aws_organizations_organization.current.id
  type         = "ORGANIZATION"
}

# Option 2 - share to org by arn
resource "aws_servicecatalog_portfolio_share" "org_arn" {
  portfolio_id = aws_servicecatalog_portfolio.portfolio.id
  principal_id = data.aws_organizations_organization.current.arn
  type         = "ORGANIZATION"
}

Actual Behavior

Option 1 (share by id) Fails

Sharing to govcloud organization by id gets blocked by the Terraform validation regex:

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: "principal_id" (o-52g4c5mxce) is an invalid ARN: arn: invalid prefix
│
│   with aws_servicecatalog_portfolio_share.org_id,
│   on portfolio.tf line 20, in resource "aws_servicecatalog_portfolio_share" "org_id":
│   20:   principal_id = data.aws_organizations_organization.current.id
│
╵
╷
│ Error: "principal_id" does not look like an OU or organization: "o-52g4c5mxce"
│
│   with aws_servicecatalog_portfolio_share.org_id,
│   on portfolio.tf line 20, in resource "aws_servicecatalog_portfolio_share" "org_id":
│   20:   principal_id = data.aws_organizations_organization.current.id
│
╵
╷
│ Error: "principal_id" doesn't look like AWS Account ID (exactly 12 digits): "o-52g4c5mxce"
│
│   with aws_servicecatalog_portfolio_share.org_id,
│   on portfolio.tf line 20, in resource "aws_servicecatalog_portfolio_share" "org_id":
│   20:   principal_id = data.aws_organizations_organization.current.id
│

Even though sharing to organization id works directly with the servicecatalog api:

aws servicecatalog create-portfolio-share \
  --portfolio-id 'port-aaaaaaaaaaaa' \
  --organization-node 'Type=ORGANIZATION,Value=o-aaaaaaaaaa'

Option 2 (share by arn) Fails

Sharing to govcloud organization by arn gets past the Terraform validation regex, but gets blocked by the ServiceCatalog validation regex:

│ Error: creating Service Catalog Portfolio Share: operation error Service Catalog: CreatePortfolioShare, https response error StatusCode: 400, RequestID: b4c17130-10cf-48d8-8730-178e09ed4354, api error ValidationException: 1 validation error detected: Value 'arn:aws-us-gov:organizations::111111111111:organization/o-aaaaaaaaaa' at 'organizationNode.value' failed to satisfy constraint: Member must satisfy regular expression pattern: (^[0-9]{12}$)|(^arn:aws:organizations::\d{12}:organization\/o-[a-z0-9]{10,32})|(^o-[a-z0-9]{10,32}$)|(^arn:aws:organizations::\d{12}:ou\/o-[a-z0-9]{10,32}\/ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$)|(^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$)

More Info

servicecatalog.CreatePortfolioShare api accepts OrganizationNode.Value matching this regular expression: (^[0-9]{12}$)|(^arn:aws:organizations::\d{12}:organization\/o-[a-z0-9]{10,32})|(^o-[a-z0-9]{10,32}$)|(^arn:aws:organizations::\d{12}:ou\/o-[a-z0-9]{10,32}\/ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$)|(^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$) which allows any of the following:

  • account id ^[0-9]{12}$
  • org arn ^arn:aws:organizations::\d{12}:organization\/o-[a-z0-9]{10,32}
  • org id ^o-[a-z0-9]{10,32}$
  • org unit arn ^arn:aws:organizations::\d{12}:ou\/o-[a-z0-9]{10,32}\/ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$
  • org unit id ^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$

However, the aws_servicecatalog_portfolio_share terraform resource only allows ARNs for orgs and org units:

Unfortunately, the combination of Terraform aws_servicecatalog_portfolio_share requiring an arn, and the servicecatalog.CreatePortfolioShare api only supporting the aws partition in its validation, means aws_servicecatalog_portfolio_share cannot share with orgs or org units outside the aws partition (aws-us-gov for example).

The ServiceCatalog api accepting only arn:aws: arns is a bug that of course can't be fixed by the Terraform provider 😦. But if the Terraform resource accepted org and org unit ids (rather than only ARNs), sharing would be possible with Terraform in GovCloud.

Steps to Reproduce

From govcloud mgmt account: terraform plan / terraform apply
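As an added illustration (not code from the issue, nor from the provider), the Go check below runs the OrganizationNode.Value regex quoted in the ValidationException above against the issue's inputs, and sketches a partition-agnostic principal_id validator that reduces an organization or OU ARN to its bare id, which is the form the API does accept in GovCloud. The pattern names, `AcceptedByAPI` and `NodeValue` are assumptions; the OU ARN is constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// OrganizationNode.Value constraint copied verbatim from the ValidationException
// quoted in the issue. Both ARN alternatives hard-code the "arn:aws:" partition.
var apiOrgNodeValue = regexp.MustCompile(`(^[0-9]{12}$)|(^arn:aws:organizations::\d{12}:organization\/o-[a-z0-9]{10,32})|(^o-[a-z0-9]{10,32}$)|(^arn:aws:organizations::\d{12}:ou\/o-[a-z0-9]{10,32}\/ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$)|(^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$)`)

// Partition-agnostic patterns for a hypothetical provider-side validator.
// Capture group 1 of the ARN patterns is the bare organization / OU id.
var (
	accountID = regexp.MustCompile(`^[0-9]{12}$`)
	orgID     = regexp.MustCompile(`^o-[a-z0-9]{10,32}$`)
	ouID      = regexp.MustCompile(`^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$`)
	orgARN    = regexp.MustCompile(`^arn:[a-z0-9-]+:organizations::[0-9]{12}:organization/(o-[a-z0-9]{10,32})$`)
	ouARN     = regexp.MustCompile(`^arn:[a-z0-9-]+:organizations::[0-9]{12}:ou/o-[a-z0-9]{10,32}/(ou-[0-9a-z]{4,32}-[0-9a-z]{8,32})$`)
)

// AcceptedByAPI reports whether the service-side regex would accept the value.
func AcceptedByAPI(v string) bool { return apiOrgNodeValue.MatchString(v) }

// NodeValue validates a principal_id from any partition and returns the value to
// send as OrganizationNode.Value: bare ids pass through, ARNs are reduced to their
// id so the "arn:aws:"-only service check is never reached.
func NodeValue(principal string) (string, error) {
	switch {
	case accountID.MatchString(principal), orgID.MatchString(principal), ouID.MatchString(principal):
		return principal, nil
	case orgARN.MatchString(principal):
		return orgARN.FindStringSubmatch(principal)[1], nil
	case ouARN.MatchString(principal):
		return ouARN.FindStringSubmatch(principal)[1], nil
	}
	return "", fmt.Errorf("%q is not an account id, organization id/ARN or OU id/ARN", principal)
}

func main() {
	// Constructed inputs: the GovCloud org ARN from the issue and a made-up OU ARN.
	for _, p := range []string{
		"arn:aws-us-gov:organizations::111111111111:organization/o-aaaaaaaaaa",
		"arn:aws-us-gov:organizations::111111111111:ou/o-aaaaaaaaaa/ou-abcd-12345678",
		"o-aaaaaaaaaa",
	} {
		v, err := NodeValue(p)
		fmt.Printf("%s\n  api accepts: %t; id %q accepted: %t; err: %v\n", p, AcceptedByAPI(p), v, AcceptedByAPI(v), err)
	}
}
```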

@atheiman atheiman added the bug Addresses a defect in current functionality. label Oct 23, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/organizations Issues and PRs that pertain to the organizations service. service/servicecatalog Issues and PRs that pertain to the servicecatalog service. needs-triage Waiting for first response or review from a maintainer. labels Oct 23, 2024
atheiman added a commit to atheiman/terraform-provider-aws that referenced this issue Oct 23, 2024