Terraform v0.11.8
Just use the code from the documentation pages and use a principal of the form o-/ou-.
```hcl
resource "aws_ram_resource_share" "tgwshare" {
  name                      = "test-share1"
  allow_external_principals = false
}

resource "aws_ram_principal_association" "example" {
  principal          = "o-xxxxxxx"
  resource_share_arn = "${aws_ram_resource_share.tgwshare.id}"
}

resource "aws_ram_resource_association" "tgwassoc" {
  resource_arn       = "${aws_ec2_transit_gateway.tgw.arn}"
  resource_share_arn = "${aws_ram_resource_share.tgwshare.id}"
}

resource "aws_ec2_transit_gateway" "tgw" {
  description = "example"
}
```
aws_ram_principal_association.example: 1 error(s) occurred:
aws_ram_principal_association.example: Error associating principal with RAM resource share: InvalidParameterException: Principal ID o-XXXXXXXX is malformed. Verify the ID and try again.
status code: 400, request id: 80e330c1-35e0-11e9-84b1-c1fca2fb946c
no panic
Support o-/ou- syntax.
Syntax error while using ou- | o-: the notation of the principal fails.
terraform apply
I see the same error when I pass Account ID / Org ID / OU-ID as a principal.
```hcl
resource "aws_ram_resource_share" "txgw_ram_resource_share" {
  name                      = "${var.txgw_description}"
  allow_external_principals = true

  tags {
    Team_ID    = "XXXXXX"
    Service_ID = "XXXXXX"
  }
}

resource "aws_ram_resource_association" "txgw_ram_resource_association" {
  resource_arn       = "${var.txgw_resource_arn}"
  resource_share_arn = "${aws_ram_resource_share.txgw_ram_resource_share.id}"
}

resource "aws_ram_principal_association" "txgw_ram_principal_association" {
  principal          = "${var.aws_org_ou_id}"
  resource_share_arn = "${aws_ram_resource_share.txgw_ram_resource_share.id}"
}

output "txgw_ram_resource_share_id" {
  value = "${aws_ram_resource_share.txgw_ram_resource_share.id}"
}
```
module.txgw_resource_share.aws_ram_principal_association.txgw_ram_principal_association: 1 error(s) occurred:
aws_ram_principal_association.txgw_ram_principal_association: Error associating principal with RAM resource share: InvalidParameterException: Principal ID XXXXXXXXXX is malformed. Verify the ID and try again.
status code: 400, request id: XXXXX
Actually, I'm also confused about why we pass an ID when the argument name says ARN.
resource_share_arn = "${aws_ram_resource_share.txgw_ram_resource_share.id}"
I tried to pass ARN in place of ID and it errored out:
Error:
Error: Error running plan: 2 error(s) occurred:
module.txgw_resource_share.aws_ram_principal_association.txgw_ram_principal_association: Resource 'aws_ram_resource_share.txgw_ram_resource_share' does not have attribute 'arn' for variable 'aws_ram_resource_share.txgw_ram_resource_share.arn'
module.txgw_resource_share.aws_ram_resource_association.txgw_ram_resource_association: Resource 'aws_ram_resource_share.txgw_ram_resource_share' does not have attribute 'arn' for variable 'aws_ram_resource_share.txgw_ram_resource_share.arn'
exactly.
I submitted adding an arn attribute here: #7634
That match expression should be extended to allow o-/ou- strings:
https://github.com/terraform-providers/terraform-provider-aws/blob/c7d129e27f601973b00e1f17bc70c1782d56c2c9/aws/resource_aws_ram_principal_association.go#L65
@tbugfinder I was able to get past the "malformed principal" issue by providing the ARN of the Org/OU instead of the ID, i.e. arn:aws:organizations::XXXXXXX:ou/o-XXXX/ou-XXXX in place of (o-xxxxxxx/ou-xxxxxxx), and it worked.
I'd recommend trying it out on your end if that is the case with you as well.
@anupkandpile I confirm that string is valid! Thank you very much.
Although I think that the console also accepts short strings of the ARN.
Pull request submitted to update the documentation to use ARNs instead of IDs as well as add validation for the argument (account ID or ARN): #8048
The API Reference gives no guidance on the parameter, but the web console may be looking up the ID and expanding it to the full ARN before creating the request. We typically do not support those type of cross-service API calls in resources as they can be problematic and introduce complexity we (in both the code maintainer and practitioner sense) would like to avoid.
FYI, the regex noted in the comment above (https://github.com/terraform-providers/terraform-provider-aws/issues/7632#issuecomment-466805194) is only used after successful association creation and is used to bypass waiting for the pending association to complete in the case you specify an external account ID as the principal. Otherwise, it would never be possible for us to create a separate association "accepter" resource. For full context:
The documentation and validation updates have been merged and will release with version 2.4.0 of the Terraform AWS Provider, likely in the next two days. 👍
This has been released in version 2.4.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
Hello
I have a question regarding this topic.
I don't have OU in my Organisation.
I tried to provide the ARN of my Organization without an OU and it doesn't work (Terraform provider = 2.4.0):
arn:aws:organizations::XXXXXXXXXXXX:ou/o-XXXXXXXXXX
and also
arn:aws:organizations::XXXXXXXXXXXX:ou/o-XXXXXXXXXX/r-XXXX
Can the aws_ram_principal_association resource work without an OU?
Regards,
Hi @Math1er 👋 Your Organization ARN should be of the form:
arn:aws:organizations::XXXXXXXXXXXX:organization/o-XXXXXXXX
I grabbed the above in my environment using the AWS CLI: aws organizations describe-organization
If it still doesn't work, try enabling "Enable account sharing within your AWS organization" on the root account, in the settings of the RAM service.
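The thread settles on one rule for the principal argument: it must be a 12-digit AWS account ID or an AWS Organizations ARN, and a bare o-/ou- ID is rejected by the RAM API as malformed. The Go snippet below is an added example, not the provider's own validation code or the regex linked from the issue; the ARN patterns (organization, OU and root) are assumptions modelled on the shapes quoted in the comments above, and `ValidateRAMPrincipal` and `IsExternalAccount` are hypothetical helper names. It checks exactly the inputs that tripped people up here: the bare ID, the organization ARN missing its `organization/` segment, and the `ou/o-.../r-...` form.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical validator (not terraform-provider-aws code). It encodes the rule
// the issue thread converges on: a RAM principal is either a 12-digit account
// ID or an AWS Organizations ARN, never a bare o-/ou- identifier.
var (
	accountIDRe = regexp.MustCompile(`^\d{12}$`)

	// Assumed ARN shapes, based on the forms quoted in the thread:
	//   arn:aws:organizations::<account>:organization/o-<id>
	//   arn:aws:organizations::<account>:ou/o-<id>/ou-<id>
	//   arn:aws:organizations::<account>:root/o-<id>/r-<id>
	orgARNRe = regexp.MustCompile(
		`^arn:[a-z-]+:organizations::\d{12}:` +
			`(organization/o-[a-z0-9]+|ou/o-[a-z0-9]+/ou-[a-z0-9-]+|root/o-[a-z0-9]+/r-[a-z0-9]+)$`)

	// A bare Organizations ID, which the API reports as "malformed".
	bareOrgIDRe = regexp.MustCompile(`^(o|ou)-[a-z0-9-]+$`)
)

// ValidateRAMPrincipal returns nil for an acceptable principal and a
// descriptive error otherwise, so misconfiguration fails at plan time
// rather than as an opaque InvalidParameterException from the API.
func ValidateRAMPrincipal(p string) error {
	switch {
	case accountIDRe.MatchString(p), orgARNRe.MatchString(p):
		return nil
	case bareOrgIDRe.MatchString(p):
		return fmt.Errorf("principal %q is a bare Organizations ID; use the organization or OU ARN instead, e.g. arn:aws:organizations::<account>:organization/%s", p, p)
	default:
		return fmt.Errorf("principal %q must be a 12-digit AWS account ID or an AWS Organizations ARN", p)
	}
}

// IsExternalAccount reports whether the principal is an account ID other than
// the sharing account. That is the case in which the association stays
// pending until the other account accepts it, so a caller must not block
// waiting for it to become active.
func IsExternalAccount(principal, sharingAccount string) bool {
	return accountIDRe.MatchString(principal) && principal != sharingAccount
}

func main() {
	// Constructed sample principals mirroring the thread's cases.
	for _, p := range []string{
		"o-abcd1234",
		"ou-abcd-12345678",
		"arn:aws:organizations::123456789012:ou/o-abcd1234",
		"arn:aws:organizations::123456789012:ou/o-abcd1234/r-abcd",
		"arn:aws:organizations::123456789012:organization/o-abcd1234",
		"arn:aws:organizations::123456789012:ou/o-abcd1234/ou-abcd-12345678",
		"210987654321",
	} {
		if err := ValidateRAMPrincipal(p); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Printf("accept: %s (external account: %v)\n", p, IsExternalAccount(p, "123456789012"))
		}
	}
}
```

Run it with `go run` to see which of the thread's principal strings pass. The two ARN variants from the later comment (`ou/o-...` without an OU segment, and `ou/o-.../r-...`) are rejected, while the `organization/o-...` form the maintainer recommends is accepted.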