Feature Request: AWS Resource Access Manager #6527
Comments
When a subnet is shared, the participant account can see and use the subnet. However, the participant account cannot see the tags on the subnet that were created in the owner account. The subnet can be tagged in the participant account, however, with a separate set of tags only visible in the participant. This is also true for the vpc and other resources. We also need to be able to tag the shared resources, especially the vpc and the subnets, in the participant account so that other software running in the participant account can use those tags.
This feature request is especially useful for AWS Transit Gateway.
The first resource for managing resource shares themselves, Managing associations with resource shares will likely land in a separate resource (see also #6528 (comment)).
The new
Any updates on support for managing associations using AWS RAM?? @bflad
I submitted a pull request for a new
This error occurs for me:
It seems like a bug in the RAM service, but if someone is familiar with that scenario before I open an AWS Support case, it would be super helpful. Thanks!
Reference: #6527

Output from acceptance testing:

```
--- PASS: TestAccAwsRamResourceAssociation_disappears (29.50s)
--- PASS: TestAccAwsRamResourceAssociation_basic (31.78s)
```
I provided an initial comment when it was first opened. I would suggest commenting on that issue if you have specific questions/feedback/concerns as it is unrelated to this feature request.
We typically release every week, but Terraform 0.12 related work behind the scenes to ensure Terraform core and provider functionality works same as 0.11 has been hampering that recently. We will be cutting a release later today.
Hi @bflad, Also, I believe terraform is still missing the ability to 'Enable sharing within your AWS Organization' inside RAM Setting. Am I wrong?
The resource aws_ram_resource_share is available, however the keys 'principal' & 'resource_arns' are not. Any update please on when these will be available?
A new
Instead of arguments to the
You are partially correct. Terraform does not directly support the RAM EnableSharingWithAwsOrganization API call, but I believe the two below configurations should make it possible to achieve the same:

```hcl
# In the master Organizations account
resource "aws_organizations_organization" "example" {
  aws_service_access_principals = [
    # ... potentially other principals ...
    "ram.amazonaws.com",
  ]

  feature_set = "ALL"
}

# I believe in all accounts sharing resources
resource "aws_iam_service_linked_role" "ram" {
  aws_service_name = "ram.amazonaws.com"
}
```

This should probably be documented somewhere as it's likely to be a common question. 😄
@bflad: thanks for the reply! Regarding the API_EnableSharingWithAwsOrganization call. Maybe somebody could double-check that? I only managed to get everything working after manually clicking on the console.
The new For additional feature requests (e.g. a resource to accept a RAM invitation) or bug reports with Resource Access Manager functionality, please open new GitHub issues. Thanks!
The above has been released in version 1.59.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
Please can you all share sample signature examples of aws_ram_principal_association & aws_ram_resource_association. Not seeing it on the documentation. Looking for input attributes name/type and so on. Thanks
Never mind, I found it. Looks like they are not appearing in the search engines just yet https://www.terraform.io/docs/providers/aws/r/ram_principal_association.html
I'm wondering how to use it. aws_ram_resource_share doesn't have an output of the ARN but those other new resources require an ARN as input. Documentation https://www.terraform.io/docs/providers/aws/r/ram_principal_association.html is wrong. Although the property name is ARN an ID is passed which cannot be applied.
@tbugfinder I had the same question myself. Found out that ID is actually what they call the ARN
@tbugfinder thanks, you are correct. Thanks for pointing this out. I saw the terraform plan succeed for me when passing ID. Looks like the actual apply fails
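How the three RAM resources named in this thread fit together, as an added example that is not from any commenter or from the provider documentation. It assumes Terraform 0.12+ expression syntax and a provider version in which `aws_ram_resource_share` exports an `arn` attribute; the account ID, names and CIDR ranges are constructed placeholders.

```hcl
# Added example: share one subnet with one participant account.
# All names, CIDRs and the account ID below are constructed placeholders.

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "example" {
  vpc_id     = aws_vpc.example.id
  cidr_block = "10.0.1.0/24"
}

# 1. The resource share itself (owner account).
resource "aws_ram_resource_share" "example" {
  name = "example-subnet-share"

  # Do not allow principals outside the owner's AWS Organization
  # to be associated with this share.
  allow_external_principals = false
}

# 2. Associate the resource with the share. Both arguments are ARNs.
resource "aws_ram_resource_association" "example" {
  resource_arn       = aws_subnet.example.arn
  resource_share_arn = aws_ram_resource_share.example.arn
}

# 3. Specify the principal that may use the shared resource.
resource "aws_ram_principal_association" "example" {
  principal          = "111111111111" # placeholder participant account ID
  resource_share_arn = aws_ram_resource_share.example.arn
}
```

Run `terraform plan` and review the principal list and the `allow_external_principals` value before applying, since every principal association grants another account use of the subnet.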
Just happened to see this issue. I also had to manually click the "Enable sharing within your AWS Organization" in the console - is there no Terraform resource or property to be able to toggle that?
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Community Note
Description
Use AWS Resource Access Manager to share AWS resources between AWS accounts. To share a resource, you create a resource share, associate the resource with the resource share, and specify the principals that can access the resource.
New or Affected Resource(s)
aws_ram_resource_share
Potential Terraform Configuration
References