Add ARN attribute to aws_ebs_volume resource

[joshuaspence]

I ahve a Lambda function that takes snapshots of an EBS volume and then adds tags to those snapshots. I am trying to restrict the IAM permissions that are required by the Lambda function such that it can only add tags to snapshots that belong to a set of known EBS volumes. I am doing this using the ec2:ParentVolume condition key, which expects a list of EBS volume ARNs. The following code, however, does not work because aws_ebs_volume does not provide an arn output:

  statement {
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:${var.aws_primary_region}::snapshot/*"]

    condition {
      test     = "ArnEquals"
      variable = "ec2:ParentVolume"
      values   = ["${aws_ebs_volume.mongodb_server.*.arn)}"]
    }

I can workaround this for now by constructing the ARN manually:

  statement {
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:${var.aws_primary_region}::snapshot/*"]

    condition {
      test     = "ArnEquals"
      variable = "ec2:ParentVolume"
      values   = ["${formatlist("arn:aws:ec2:${var.aws_primary_region}:${data.aws_caller_identity.primary.account_id}:volume/%s", aws_ebs_volume.mongodb_server.*.id)}"]
    }

[bflad]

Unfortunately, this is not as simple as just adding a arn field sourced from the AWS API output: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Volume.html

We can manually build it using the provider connection metadata though, which is done for some other resources. I'll create a PR shortly and link it here.

[bflad]

Submitted PR that adds arn attribute to both the resource and data source: #2271

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!