resource level region configuration

[AFriemann]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I am fairly certain that this has been discussed before, but I can not find any current issues or discussions. What I do find are several issues that are effectively caused by this behaviour or the general confusion that stems from it. To name a few that I found within ~10 minutes of searching:

#1656
#8853
#11052
#7442
#7178

I strongly believe that the decision to lock the region on the provider needs to be revisited. It is the reason for some of the most atrocious hacks in our configs (and I am sure others can say the same) and continues to cause issues whenever setting up anything cross region (e.g. S3 bucket replication, organization wide GuardDuty/Config setup).

Are there any plans on dropping the region requirement on the provider and simply having it as a resource parameter?

Also please let me know if this is a duplicate, I spent some time searching but couldn't find anything relevant.

[Spritekin]

Hi,

Just wanted to leave a case to support this request.

I have a module that initialises some application resources in one AWS account. I pass a provider to the module with the provider tied to a region (i.e. us-east-1) so all the resources in the module are initialised by the provider in that region. As the provider is tied to a region all resources are created in the region that's all good.

module "application_us_west_1" {
  source = "application-module"
  provider = aws.us_west_1_production
}

All good but this is thinking very small scale. If I would like to create the same resources in other region I need to create another module and pass another provider. As my architecture grows and I need to setup in multiple regions and accounts, I need to create more and more copies of the same application module request and for each one passing a different provider with a different region.

module "application_us_west_1" {
  source = "application-module"
  provider = aws.us_west_1_production
}

module "application_us_east_1" {
  source = "application-module"
  provider = aws.us_east_1_production
}


module "application_us_east_2" {
  source = "application-module"
  provider = aws.us_east_2_production
}

So it really starts getting very messy. I can't iterate the module creation because each one needs a different provider and we can't create a provider dynamically.

Now, lets say I would like to setup an US account where I would like to setup the same resources in regions us-east-1, us-east-2 and us-west-1. Then setup an Asia Pacific account but just in ap-southeast-1 and ap-southeast-2. Then I start getting a huge problem which really becomes worse as I start adding cross region logging, networking or other stuff as mentioned by the OP.

What I really would like to do something like

--------------------------------
provider "aws" {
  alias      = "us-production"
  assume_role {
    role_arn = "arn:aws:iam::12345678910:role/admin"
  }
}

module "us" {
  source = "account-module"
  regions = ["us-east-1", "us-east-2", "us-west-1"]
  provider = aws.us-production
}

--------------------------------
provider "aws" {
  alias      = "ap-production"
  assume_role {
    role_arn = "arn:aws:iam::34512342245:role/admin"
  }
}

module "us" {
  source = "account-module"
  regions = ["ap-southeast-1", "ap-southeast-2"]
  provider = aws.ap-production
}
--------------------------------

So inside the modules I can iterate the regions and use the providers to create my resources:

module "application" {
  for_each = to_set(regions)
  source = "application-module"
  region = each.key
}

And inside the module I can create resources by pasing the region like:

resource s3_bucket my_bucket {
  name = "my_bucket_${var.region}"
  region = var.region
}

This would be a very clean setup without messy provider dependencies which is probably one of the problems with terraform right now.

[sblask]

Also see #27758 and my comment there.

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[tmccombs]

Not stale.

[ewbankkit]

Please see #27758 (comment) for the proposed solution to this issue.