Documentation Link(s)
Description
The documentation for aws_glue_resource_policy indicates that the import process should use the AWS account ID in the id field of an import. This results in errors, because the id field value is being used by the provider to build out the AWS endpoint that it uses to perform a GetResourcePolicy call:
```hcl
import {
  to = aws_glue_resource_policy.mypolicy
  id = "1234567890"
}
```

```
Error: reading Glue Resource Policy (1234567890): operation error Glue: GetResourcePolicy, https response error StatusCode: 0, RequestID: , request send failed, Post "https://glue.1234567890.amazonaws.com/": dial tcp: lookup glue.1234567890.amazonaws.com on 10.10.10.10:53: no such host
```
Where 1234567890 is the AWS account ID and 10.10.10.10:53 is the DNS server for the TFE executor.
The referenced endpoint seems to be an attempt to build the AWS endpoint for Glue, but is using the account ID instead of the region.
When the region is used in the import block, the import succeeds.
```hcl
import {
  to = aws_glue_resource_policy.mypolicy
  id = "us-east-1"
}
```
Technically, the provider knows (or can know) both the region it operates in and the account ID, so the requirement for the GetResourcePolicy call, to build a resource ARN for the parameter, and to know what API endpoint to request this from, could be done without an ID at all, but either way, using the account ID doesn't work, and using the region does work, making it likely that the intended value for the provider is actually the region.
References
https://docs.aws.amazon.com/glue/latest/webapi/API_GetResourcePolicy.html
https://docs.aws.amazon.com/general/latest/gr/glue.html
Would you like to implement a fix?
No
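As an added example (not part of the original issue and not the provider's code), the following pre-flight check scans Terraform configuration for `aws_glue_resource_policy` import blocks and flags an `id` that is an account ID rather than a region, showing the hostname it would produce according to the error above. The function name, the region regex and the sample configuration are assumptions made for illustration.

```python
import re

# Matches an `import { ... }` block and captures its body (no nested braces).
IMPORT_BLOCK = re.compile(r'import\s*\{([^{}]*)\}', re.S)
ATTR = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
# Assumed shape of an AWS region name (e.g. us-east-1, us-gov-west-1).
REGION = re.compile(r'^[a-z]{2}(-[a-z]+)+-\d+$')

def check_glue_policy_imports(config: str):
    """Return one finding per aws_glue_resource_policy import block."""
    findings = []
    for block in IMPORT_BLOCK.finditer(config):
        attrs = dict(ATTR.findall(block.group(1)))
        target = attrs.get("to", "")
        if not target.startswith("aws_glue_resource_policy."):
            continue
        import_id = attrs.get("id", "").strip('"')
        if REGION.match(import_id):
            verdict = "ok"
        elif import_id.isdigit():
            verdict = "account-id"  # the failing case from the report
        else:
            verdict = "unknown"
        findings.append({
            "to": target,
            "id": import_id,
            "verdict": verdict,
            # Hostname shape taken from the error message in the report.
            "endpoint": f"glue.{import_id}.amazonaws.com",
        })
    return findings

# Constructed sample configuration, based on the two import blocks in the report.
SAMPLE = '''
import {
  to = aws_glue_resource_policy.mypolicy
  id = "1234567890"
}
import {
  to = aws_glue_resource_policy.other
  id = "us-east-1"
}
import {
  to = aws_s3_bucket.logs
  id = "my-log-bucket"
}
'''

if __name__ == "__main__":
    print(*check_glue_policy_imports(SAMPLE), sep="\n")
```
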