[Bug]: aws_servicecatalog_portfolio_share does not support sharing to GovCloud organization #39861

Labels:
- bug: Addresses a defect in current functionality.
- needs-triage: Waiting for first response or review from a maintainer.
- service/organizations: Issues and PRs that pertain to the organizations service.
- service/servicecatalog: Issues and PRs that pertain to the servicecatalog service.

### Terraform Core Version

latest

### AWS Provider Version

v5.72.1

### Affected Resource(s)

`aws_servicecatalog_portfolio_share`

### Expected Behavior

Use `aws_servicecatalog_portfolio_share` to share a servicecatalog portfolio to a GovCloud organization (partition is `aws-us-gov` rather than `aws`) using either the organization arn or organization id.

The above should be combined with one of the below options to be able to share to a govcloud organization by id or arn using the `servicecatalog.CreatePortfolioShare` api.

### Actual Behavior

**Option 1 (share by id) Fails**

Sharing to govcloud organization by id gets blocked by the Terraform validation regex:

Even though sharing to organization id works directly with the servicecatalog api:

**Option 2 (share by arn) Fails**

Sharing to govcloud organization by arn gets past the Terraform validation regex, but gets blocked by ServiceCatalog validation regex:

### More Info

`servicecatalog.CreatePortfolioShare` api accepts `OrganizationNode.Value` matching this regular expression:

```
(^[0-9]{12}$)|(^arn:aws:organizations::\d{12}:organization\/o-[a-z0-9]{10,32})|(^o-[a-z0-9]{10,32}$)|(^arn:aws:organizations::\d{12}:ou\/o-[a-z0-9]{10,32}\/ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$)|(^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$)
```

which allows any of the following:

```
^[0-9]{12}$
^arn:aws:organizations::\d{12}:organization\/o-[a-z0-9]{10,32}
^o-[a-z0-9]{10,32}$
^arn:aws:organizations::\d{12}:ou\/o-[a-z0-9]{10,32}\/ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$
^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$
```

However, the `aws_servicecatalog_portfolio_share` terraform resource only allows ARNs for orgs and org units:

Unfortunately, the combination of Terraform `aws_servicecatalog_portfolio_share` requiring an arn, and `servicecatalog.CreatePortfolioShare` api only supporting the `aws` partition in its validation, means `aws_servicecatalog_portfolio_share` cannot share with orgs or org units outside the `aws` partition (`aws-us-gov` for example).

ServiceCatalog api accepting only `arn:aws:` arns is a bug that, of course, can't be fixed by the Terraform provider 😦. But if the Terraform resource accepted org and org unit ids (rather than only ARNs), sharing would be possible with Terraform in GovCloud.

### Steps to Reproduce

From govcloud mgmt account: terraform plan / terraform apply
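To make the partition mismatch in the More Info section concrete, here is an added example (not provider code and not from the issue author) that runs the API regex quoted above against constructed sample values: the `aws-us-gov` ARNs are rejected while the bare org and OU ids they carry are accepted. `NodeIDFromARN` is a hypothetical helper that illustrates why accepting ids in the resource would unblock GovCloud.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The OrganizationNode.Value pattern quoted in the issue for
// servicecatalog.CreatePortfolioShare. Both ARN alternatives hard-code
// the "aws" partition; the bare id alternatives carry no partition at all.
var apiNodeValueRe = regexp.MustCompile(`(^[0-9]{12}$)|(^arn:aws:organizations::\d{12}:organization\/o-[a-z0-9]{10,32})|(^o-[a-z0-9]{10,32}$)|(^arn:aws:organizations::\d{12}:ou\/o-[a-z0-9]{10,32}\/ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$)|(^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$)`)

// AcceptedByAPI reports whether the service-side regex would accept value.
func AcceptedByAPI(value string) bool {
	return apiNodeValueRe.MatchString(value)
}

// NodeIDFromARN (hypothetical helper, not provider code) returns the bare
// org or OU id carried by an Organizations ARN from any partition, which is
// the form the API regex accepts regardless of partition. Non-ARN input is
// returned unchanged so ids and account numbers pass straight through.
func NodeIDFromARN(value string) (string, error) {
	if !strings.HasPrefix(value, "arn:") {
		return value, nil
	}
	// arn:<partition>:organizations::<account>:<resource path>
	parts := strings.SplitN(value, ":", 6)
	if len(parts) != 6 || parts[2] != "organizations" {
		return "", fmt.Errorf("not an organizations ARN: %q", value)
	}
	path := strings.Split(parts[5], "/")
	return path[len(path)-1], nil
}

func main() {
	// Constructed sample values, not real account or organization ids.
	for _, v := range []string{
		"o-abcdefghij",
		"arn:aws:organizations::123456789012:organization/o-abcdefghij",
		"arn:aws-us-gov:organizations::123456789012:organization/o-abcdefghij",
		"arn:aws-us-gov:organizations::123456789012:ou/o-abcdefghij/ou-ab12-cdef5678",
	} {
		id, _ := NodeIDFromARN(v)
		fmt.Printf("api accepts %-5v %s\n  -> id %s (api accepts %v)\n",
			AcceptedByAPI(v), v, id, AcceptedByAPI(id))
	}
}
```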