Fix Terraform recipe failure for AWS resources with empty account in ARN #11839

Open
Copilot wants to merge 2 commits into main from copilot/fix-s3-bucket-arn-issue

Contributor

Copilot AI commented May 8, 2026

Description

S3 bucket ARNs use the format arn:aws:s3:::bucket-name where both region and account fields are empty. When a Terraform recipe provisions an S3 bucket, ToUCPResourceID produces an invalid UCP resource ID (empty account segment), and the driver treats this as a fatal error—failing the entire recipe deployment.

Changes:

  • pkg/ucp/resources/aws/aws.go: Validate account field in ToUCPResourceID; return explicit error for empty account instead of producing a malformed UCP ID.
  • pkg/recipes/driver/terraform/terraform.go: Handle ToUCPResourceID errors gracefully—log and skip unconvertible ARNs (consistent with how Azure non-ARM resources are handled) rather than failing the recipe.
  • Tests: Added S3 bucket ARN test case; updated terraform driver test to expect graceful skip behavior.

// S3 ARN: arn:aws:s3:::my-bucket — empty account, empty region
// Previously: produced invalid "/planes/aws/aws/accounts//regions/global/..." then failed
// Now: logged and skipped; recipe succeeds without tracking this resource in output

Type of change

  • This pull request fixes a bug in Radius and has an approved issue (issue link required).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Not applicable
  • A design document is added or updated under eng/design-notes/ in this repository, if new APIs are being introduced.
    • Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Not applicable
  • A PR for resource-types-contrib is created, if resource types or recipes are affected by the changes in this PR.
    • Not applicable
  • A PR for dashboard is created, if the Radius Dashboard is affected by the changes in this PR.
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Not applicable

S3 bucket ARNs have the format arn:aws:s3:::bucket-name where both the
region and account fields are empty. The ToUCPResourceID function now
validates that the account field is non-empty and returns a clear error.

The Terraform driver's getDeployedOutputResources now gracefully skips
AWS resources whose ARNs cannot be converted to UCP resource IDs (logging
and continuing) instead of failing the entire recipe deployment. This is
consistent with how Azure non-ARM resources are handled.

Agent-Logs-Url: https://github.com/radius-project/radius/sessions/a435ef8d-4cf5-454e-8a93-631511b9816f

Co-authored-by: Reshrahim <61033581+Reshrahim@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix Terraform recipe for AWS S3 bucket ARN issue" to "Fix Terraform recipe failure for AWS resources with empty account in ARN" May 8, 2026
Copilot AI requested a review from Reshrahim May 8, 2026 04:31
@Reshrahim
Contributor

@nithyatsu and @sylvainsf - This is an issue with S3 bucket deployment via a Terraform recipe, where the ARN comes back with an empty account and UCP rejects the ID. Copilot has made a fix to gracefully skip such IDs, which I am not sure is the right fix.

This is similar to #9946, where the UCP ID is fixed to include global as the region for AWS resources like IAM.

@Reshrahim Reshrahim marked this pull request as ready for review May 8, 2026 15:12
@Reshrahim Reshrahim requested review from a team as code owners May 8, 2026 15:12
Copilot AI review requested due to automatic review settings May 8, 2026 15:12
@github-actions

github-actions Bot commented May 8, 2026

This PR requires exactly 1 of the following labels: pr:standard, pr:important.
Currently applied labels: .

Label descriptions:

  • pr:important - Major features, breaking changes, deprecations, or other high-impact changes that need special attention during release.
  • pr:standard - Ongoing maintenance, minor improvements, documentation updates, and routine development work.

@Copilot, please add the appropriate label to this PR before merging.

@github-actions

github-actions Bot commented May 8, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@radius-functional-tests

radius-functional-tests Bot commented May 8, 2026

Radius functional test overview

  • Repository: radius-project/radius
  • Commit ref: c39bf01
  • Unique ID: func1eea743e5d
  • Image tag: pr-func1eea743e5d
  • gotestsum 1.13.0
  • KinD: v0.29.0
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func1eea743e5d
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func1eea743e5d
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func1eea743e5d
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-func1eea743e5d
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func1eea743e5d
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

Contributor

Copilot AI left a comment

Pull request overview

This pull request fixes Terraform recipe deployments failing when AWS resources produce ARNs with an empty account segment (notably S3 bucket ARNs like arn:aws:s3:::bucket-name). Instead of generating malformed UCP IDs and treating the conversion failure as fatal, the driver now skips unconvertible AWS ARNs (while logging) so the overall recipe deployment can succeed.

Changes:

  • Add explicit validation in aws.ToUCPResourceID to error on ARNs with an empty account segment.
  • Update the Terraform recipe driver to log-and-skip AWS ARNs that can’t be converted to UCP resource IDs (rather than failing the deployment).
  • Add/update tests covering empty-account S3 ARNs and the new “gracefully skipped” driver behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File: Description

  • pkg/ucp/resources/aws/aws.go: Reject ARNs with empty account field to avoid generating malformed UCP resource IDs.
  • pkg/ucp/resources/aws/aws_test.go: Add a test case for S3 bucket ARNs with empty account.
  • pkg/recipes/driver/terraform/terraform.go: Log and skip AWS ARN→UCP ID conversion failures instead of returning an error.
  • pkg/recipes/driver/terraform/terraform_test.go: Update expectations to ensure invalid/unconvertible AWS ARNs are skipped without failing the recipe output.
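
An added illustration of the two behaviours summarized above, written for this page and not taken from the Radius repository: a converter that rejects an ARN with an empty account field instead of emitting a malformed ID, and a caller that logs and skips such ARNs. The function names, sample ARNs and account ID are assumptions; only the `/planes/aws/aws/accounts/<account>/regions/<region>` prefix and the `global` region fallback come from the page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errEmptyAccount = errors.New("ARN has an empty account field") // e.g. arn:aws:s3:::my-bucket

// ucpScopeFromARN is a hypothetical stand-in that builds only the ID prefix quoted on the page.
func ucpScopeFromARN(arn string) (string, error) {
	// arn:partition:service:region:account-id:resource (the resource part may contain ':')
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[5] == "" {
		return "", fmt.Errorf("malformed ARN %q", arn)
	}
	region, account := parts[3], parts[4]
	if account == "" {
		return "", fmt.Errorf("%w: %q", errEmptyAccount, arn)
	}
	if region == "" {
		region = "global" // region-less services such as IAM
	}
	return "/planes/aws/aws/accounts/" + account + "/regions/" + region, nil
}

// collectScopes logs and skips ARNs that cannot be converted, so one bad ARN does not fail
// the batch. Skipped ARNs are returned so the caller can report what is left untracked.
func collectScopes(arns []string) (scopes, skipped []string) {
	for _, a := range arns {
		s, err := ucpScopeFromARN(a)
		if err != nil {
			fmt.Printf("skipping untracked resource: %v\n", err)
			skipped = append(skipped, a)
			continue
		}
		scopes = append(scopes, s)
	}
	return scopes, skipped
}

func main() {
	// Constructed sample ARNs; the account ID is a placeholder.
	scopes, skipped := collectScopes([]string{
		"arn:aws:ec2:us-west-2:123456789012:instance/i-0abc",
		"arn:aws:iam::123456789012:role/demo",
		"arn:aws:s3:::my-bucket",
	})
	fmt.Println(scopes, skipped)
}
```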

@github-actions

github-actions Bot commented May 8, 2026

Unit Tests

    2 files  ±0    420 suites  ±0   6m 50s ⏱️ +7s
5 024 tests +2  5 022 ✅ +2  2 💤 ±0  0 ❌ ±0 
6 051 runs  +2  6 049 ✅ +2  2 💤 ±0  0 ❌ ±0 

Results for commit c39bf01. ± Comparison against base commit 073b796.

This pull request removes 1 and adds 3 tests. Note that renamed tests count towards both.

Removed:
  • github.com/radius-project/radius/pkg/recipes/driver/terraform ‑ Test_Terraform_PrepareRecipeResponse/invalid_AWS_ARN

Added:
  • github.com/radius-project/radius/pkg/recipes/driver/terraform ‑ Test_Terraform_PrepareRecipeResponse/AWS_ARN_with_empty_account_(S3_bucket)_-_gracefully_skipped
  • github.com/radius-project/radius/pkg/recipes/driver/terraform ‑ Test_Terraform_PrepareRecipeResponse/invalid_AWS_ARN_-_gracefully_skipped
  • github.com/radius-project/radius/pkg/ucp/resources/aws ‑ Test_ToUCPResourceID/s3_bucket_arn_with_empty_account

@codecov

codecov Bot commented May 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.21%. Comparing base (073b796) to head (c39bf01).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #11839      +/-   ##
==========================================
+ Coverage   51.20%   51.21%   +0.01%     
==========================================
  Files         715      715              
  Lines       45074    45077       +3     
==========================================
+ Hits        23079    23086       +7     
+ Misses      19798    19796       -2     
+ Partials     2197     2195       -2     

Development

Successfully merging this pull request may close these issues.

Terraform recipe fails for AWS resource S3 bucket with empty account in ARN

3 participants