
Terraform recipe fails for AWS resource S3 bucket with empty account in ARN #11838

Reported by @Reshrahim

Description

Steps to reproduce

  1. Create a custom resource type for blob storage - https://github.com/radius-project/lab/blob/main/001-customer-support-agent/radius/types/blobStorages.yaml

    ```bash
    rad resource-type create Radius.Storage/blobStorages --from-file radius/types/blobstorages.yaml
    ```

  2. Create a Terraform recipe for S3

Create a Terraform module (e.g., aws/blobstorage/main.tf) that provisions an S3 bucket:

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.0"
    }
  }
}

variable "context" {
  description = "Radius-provided context for the recipe"
  type        = any
}

variable "region" {
  description = "AWS region"
  type        = string
  default     = "us-west-2"
}

locals {
  name = var.context.resource.name
}

resource "random_id" "suffix" {
  byte_length = 4
}

resource "aws_s3_bucket" "storage" {
  bucket = "${local.name}-${random_id.suffix.hex}"
}

output "result" {
  value = {
    values = {
      endpoint    = "https://${aws_s3_bucket.storage.bucket_regional_domain_name}"
      accountName = aws_s3_bucket.storage.bucket
    }
    resources = []
  }
  sensitive = true
}
```

Push this module to a git repository (e.g., https://github.com/myorg/terraform.git//aws/blobstorage).

  3. Deploy the AWS environment with the recipe registered

    ```bicep
    resource env 'Applications.Core/environments@2023-10-01-preview' = {
      name: 'aws'
      properties: {
        compute: {
          kind: 'kubernetes'
          namespace: 'aws'
        }
        providers: {
          aws: {
            scope: '/planes/aws/aws/accounts/<YOUR_ACCOUNT_ID>/regions/us-west-2'
          }
        }
        recipes: {
          'Radius.Storage/blobStorages': {
            default: {
              templateKind: 'terraform'
              templatePath: 'git::https://github.com/myorg/terraform.git//aws/blobstorage'
              parameters: {
                region: 'us-west-2'
              }
            }
          }
        }
      }
    }
    ```

    ```bash
    rad deploy env.bicep --parameters awsAccountId=<YOUR_ACCOUNT_ID>
    ```

  4. AWS credentials registered with Radius:

    ```bash
    rad credential register aws access-key \
      --access-key-id $AWS_ACCESS_KEY_ID \
      --secret-access-key $AWS_SECRET_ACCESS_KEY
    ```

  5. Deploy a resource that uses the S3 recipe

    ```bicep
    resource env 'Applications.Core/environments@2023-10-01-preview' existing = {
      name: 'aws'
    }

    resource blobStorage 'Radius.Storage/blobStorages@2025-08-01-preview' = {
      name: 'my-storage'
      properties: {
        environment: env.id
      }
    }
    ```

    ```bash
    rad deploy shared-resources.bicep --parameters environmentName=aws
    ```

  6. Terraform successfully creates the S3 bucket in AWS, but Radius fails when processing the Terraform state output.

Observed behavior

After terraform apply succeeds (S3 bucket is created in AWS), Radius fails with:

    resource id "/planes/aws/aws/accounts//regions/global/providers/AWS.s3/my-storage-xyz" returned by recipe is invalid

The resource ID has an empty accounts// segment because S3 bucket ARNs do not contain an account ID or region:

    arn:aws:s3:::my-storage-xyz

Desired behavior

Radius should handle AWS resources whose ARNs have empty account fields (S3 buckets, and potentially other global resources), producing a valid UCP resource ID.
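As an added illustration of the mapping the desired behavior implies (this is not Radius code and is not part of the report), the Go snippet below parses an ARN into its six fields and builds a UCP resource ID in the layout visible in the error message above, `/planes/aws/aws/accounts/<account>/regions/<region>/providers/AWS.<service>/<name>`. It assumes that an empty ARN account field should be filled from the account ID in the environment's provider scope (an assumption about where the value should come from) and that an empty region maps to `global`, which is what the reported ID already does. It also includes the kind of empty-segment check that rejects the ID in the report. All function names are hypothetical, and the sample ARNs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ARN holds the six colon-separated fields of an AWS ARN:
// arn:partition:service:region:account-id:resource
type ARN struct {
	Partition string
	Service   string
	Region    string
	AccountID string
	Resource  string
}

// ParseARN splits an ARN into its fields. Empty region or account
// fields (as in S3 bucket ARNs) are preserved as empty strings.
func ParseARN(s string) (ARN, error) {
	parts := strings.SplitN(s, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return ARN{}, fmt.Errorf("not an ARN: %q", s)
	}
	return ARN{
		Partition: parts[1],
		Service:   parts[2],
		Region:    parts[3],
		AccountID: parts[4],
		Resource:  parts[5],
	}, nil
}

// ToUCPResourceID maps an ARN onto the UCP ID layout seen in the report:
//   /planes/aws/aws/accounts/<account>/regions/<region>/providers/AWS.<service>/<name>
// fallbackAccount is the account ID taken from the environment's provider
// scope (assumption); it is used only when the ARN's account field is empty.
func ToUCPResourceID(a ARN, fallbackAccount string) (string, error) {
	account := a.AccountID
	if account == "" {
		account = fallbackAccount
	}
	if account == "" {
		return "", errors.New("ARN has no account ID and no fallback account was supplied")
	}
	region := a.Region
	if region == "" {
		region = "global"
	}
	// The resource field may be "name", "type/name" or "type:name";
	// the last segment is treated as the resource name.
	name := a.Resource
	if i := strings.LastIndexAny(name, "/:"); i >= 0 {
		name = name[i+1:]
	}
	if name == "" {
		return "", fmt.Errorf("ARN has no resource name: %q", a.Resource)
	}
	return fmt.Sprintf("/planes/aws/aws/accounts/%s/regions/%s/providers/AWS.%s/%s",
		account, region, a.Service, name), nil
}

// ValidateUCPResourceID rejects IDs with an empty path segment, which is
// exactly what "/planes/aws/aws/accounts//regions/..." in the report has.
func ValidateUCPResourceID(id string) error {
	if !strings.HasPrefix(id, "/planes/") {
		return fmt.Errorf("resource id %q does not start with /planes/", id)
	}
	for _, seg := range strings.Split(strings.TrimPrefix(id, "/"), "/") {
		if seg == "" {
			return fmt.Errorf("resource id %q has an empty path segment", id)
		}
	}
	return nil
}

func main() {
	// Constructed inputs: the S3 ARN from the report and a regional ARN for contrast.
	scopeAccount := "123456789012" // constructed account ID, stands in for <YOUR_ACCOUNT_ID>
	for _, raw := range []string{
		"arn:aws:s3:::my-storage-xyz",
		"arn:aws:rds:us-west-2:123456789012:db:mydb",
	} {
		a, err := ParseARN(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		id, err := ToUCPResourceID(a, scopeAccount)
		if err != nil {
			fmt.Println("mapping error:", err)
			continue
		}
		fmt.Printf("%s -> %s (valid: %v)\n", raw, id, ValidateUCPResourceID(id) == nil)
	}
}
```

Without a fallback account the S3 ARN cannot be mapped at all, so the function returns an error instead of emitting an ID with an empty segment; that is the choice that turns the failure in this report into a clear message about the missing scope rather than a rejected ID.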

Workaround

No response

rad Version

    CLI Version Information:
    RELEASE   VERSION   BICEP    COMMIT
    edge      210a9ec   0.42.1   210a9ec

    Control Plane Information:
    STATUS      VERSION
    Installed   edge

Operating system

No response

Additional context

No response


Labels

bug (Something is broken or not working as expected), triaged (This issue has been reviewed and triaged)
