DynamoDB - adding a replica leads to 'validation error detected: Invalid AWS region' #42792

Open
@Ulrar

Terraform and AWS Provider Version

Terraform v1.9.8
on linux_amd64
+ provider registry.opentofu.org/hashicorp/aws v5.98.0

Affected Resource(s) or Data Source(s)

  • aws_dynamodb_table

Expected Behavior

Being able to add and manage replicas

Actual Behavior

When adding a replica in a new region, the apply fails, and subsequent plan and apply fail as well. Deleting the resource and re-importing it also leads to the same error.

Deleting the replica through the console makes terraform able to manage the table again, until the replica is re-added.

Relevant Error/Panic Output

│ Error: reading Amazon DynamoDB Table (arn:aws:dynamodb:us-east-2:<account>:table/<table>): describing Continuous Backups: operation error DynamoDB: DescribeContinuousBackups, https response error StatusCode: 400, RequestID: ..., api error ValidationException: 1 validation error detected: Invalid AWS region in 'arn:aws:dynamodb:us-east-2:<account>:table/<table>'

│   with module.dynamodb[0].aws_dynamodb_table.this[0],
│   on .terraform/modules/dynamodb/main.tf line 1, in resource "aws_dynamodb_table" "this":
│    1: resource "aws_dynamodb_table" "this" {

Sample Terraform Configuration

{
  region_name                    = var.secondary_region
  kms_key_arn                    = data.aws_kms_alias.dynamodb[0].target_key_arn # ARN of a valid key in the secondary region
  point_in_time_recovery_enabled = true
}

Steps to Reproduce

  1. Create a table in one region
  2. Try to add a replica in another region to it

Debug Logging

2025-05-28T17:32:11.130+0100 [DEBUG] provider.terraform-provider-aws: HTTP Response Received: http.duration=517 rpc.method=DescribeContinuousBackups tf_resource_type=aws_dynamodb_table aws.region=us-east-1 http.response.header.connection=keep-alive http.status_code=400 http.response.header.server=Server http.response.header.x_amz_crc32=3340932619 http.response.header.x_amzn_requestid=... tf_aws.signing_region="" @caller=/home/runner/go/pkg/mod/github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.64/logging/tf_logger.go:45

GenAI / LLM Assisted Development

n/a

Important Facts and References

The debug log shows the provider seems to be connecting out to the replica region (us-east-1), but describing continuous backups using the main table region (us-east-2), from what I can tell.

I wonder if this may be caused by https://github.com/hashicorp/terraform-provider-aws/blob/v5.98.0/internal/service/dynamodb/table.go#L939 which seems to be using the id as is, instead of running it through tableReplicaParseResourceID like is done in table_replica.go and before other calls?
I may be following the code wrong, in which case disregard.

Would you like to implement a fix?

No
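
Added example (not part of the original issue and not the provider's code): a small Go triage helper that compares the region a request was sent to (`aws.region` in the debug line) with the region embedded in the table ARN from the error, which is the mismatch described above. The sample log line, error text, account ID and table name are constructed; `logFields` and `regionMismatch` are hypothetical helper names.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed samples modelled on the issue's debug line and error text.
const sampleLog = `[DEBUG] provider.terraform-provider-aws: HTTP Response Received: rpc.method=DescribeContinuousBackups aws.region=us-east-1 http.status_code=400 tf_aws.signing_region=""`
const sampleErr = `ValidationException: Invalid AWS region in 'arn:aws:dynamodb:us-east-2:111122223333:table/example'`

// Captures the region field of a DynamoDB table ARN.
var tableARN = regexp.MustCompile(`arn:[a-z0-9-]+:dynamodb:([a-z0-9-]+):[^:\s']*:table/`)

// logFields splits a provider debug line into its key=value attributes.
func logFields(line string) map[string]string {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			fields[k] = strings.Trim(v, `"`)
		}
	}
	return fields
}

// regionMismatch returns the region the request was sent to, the region
// embedded in the ARN from the error, and whether the two differ.
func regionMismatch(logLine, errText string) (sent, inARN string, differ bool, err error) {
	sent = logFields(logLine)["aws.region"]
	m := tableARN.FindStringSubmatch(errText)
	if sent == "" || m == nil {
		return "", "", false, errors.New("missing aws.region or table ARN")
	}
	return sent, m[1], sent != m[1], nil
}

func main() {
	sent, inARN, differ, err := regionMismatch(sampleLog, sampleErr)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("request sent to %s, ARN names %s, mismatch=%v\n", sent, inARN, differ)
}
```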

Labels: bug, service/dynamodb