
Feature Request: AWS Resource Access Manager #6527

Closed
gazoakley opened this issue Nov 20, 2018 · 21 comments · Fixed by #7219 or #7563
Labels
new-resource Introduces a new resource. service/ram Issues and PRs that pertain to the ram service.
Milestone

Comments

@gazoakley
Contributor

gazoakley commented Nov 20, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Use AWS Resource Access Manager to share AWS resources between AWS accounts. To share a resource, you create a resource share, associate the resource with the resource share, and specify the principals that can access the resource

New or Affected Resource(s)

  • aws_ram_resource_share

Potential Terraform Configuration

```hcl
resource "aws_ram_resource_share" "example" {
  name                      = "example"
  allow_external_principals = true

  resource_arns = [
    "..."
  ]

  principals = [
    "..."
  ]

  tags {
    Environment = "Production"
  }
}
```

References

@bflad bflad added new-resource Introduces a new resource. service/ram Issues and PRs that pertain to the ram service. labels Nov 21, 2018
@dlaidlaw

When a subnet is shared, the participant account can see and use the subnet. However, the participant account cannot see the tags on the subnet that were created in the owner account. The subnet can be tagged in the participant account, however, with a separate set of tags only visible in the participant. This is also true for the vpc and other resources.

We also need to be able to tag the shared resources, especially the vpc and the subnets, in the participant account so that other software running in the participant account can use those tags.

@piersf

piersf commented Jan 14, 2019

This feature request is especially useful for AWS Transit Gateway.

@bflad
Contributor

bflad commented Jan 15, 2019

The first resource for managing resource shares themselves, aws_ram_resource_share, has been merged and will release with version 1.56.0 of the Terraform AWS provider, likely in the next day or two.

Managing associations with resource shares will likely land in a separate resource (see also #6528 (comment)).

@bflad
Contributor

bflad commented Jan 16, 2019

The new aws_ram_resource_share resource has been released in version 1.56.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@dbektas

dbektas commented Jan 21, 2019

Any updates on support for managing associations using AWS RAM? @bflad

#6528

```hcl
resource "aws_ram_principal_association" "example" {
  resource_share_arn = "${aws_ram_resource_share.example.arn}"
  principal          = "123456789012"
  # external - calculated field that is only applicable to principals associated to a resource share
}
```

@bflad
Contributor

bflad commented Feb 5, 2019

I submitted a pull request for a new aws_ram_resource_association resource (#7449), but I'm receiving an error I cannot get past in the acceptance testing when calling AssociateResourceShare:

```json
{"__type":"InvalidParameterException","message":"Your account ID does not exist in an AWS organization."}
```

This error occurs for me:

  • Whether the AWS account is within an AWS Organizations Organization or a completely standalone AWS account
  • With the Resource Access Manager IAM Service Linked Role (ram.amazonaws.com/AWSServiceRoleForResourceAccessManager ) already existing in the accounts
  • Also in the RAM web console, but only when associating the resource after creating the RAM Resource Share. Creating the RAM Resource Share and specifying the resource association during creation works.

It seems like a bug in the RAM service, but if someone is familiar with that scenario before I open an AWS Support case, it would be super helpful. Thanks!

bflad added a commit that referenced this issue Feb 6, 2019
Reference: #6527

Output from acceptance testing:

```
--- PASS: TestAccAwsRamResourceAssociation_disappears (29.50s)
--- PASS: TestAccAwsRamResourceAssociation_basic (31.78s)
```
@dbektas

dbektas commented Feb 7, 2019

Hi @bflad, thanks for the commit.

Could you take a look at the #6884 Issue?
This is critical for many business at the moment.
When can we expect the next version release?

Thank you

@bflad
Contributor

bflad commented Feb 7, 2019

> Could you take a look at the #6884 Issue?

I provided an initial comment when it was first opened. I would suggest commenting on that issue if you have specific questions/feedback/concerns as it is unrelated to this feature request.

> When can we expect the next version release?

We typically release every week, but Terraform 0.12 related work behind the scenes to ensure Terraform core and provider functionality works the same as 0.11 has been hampering that recently. We will be cutting a release later today.

@ghost

ghost commented Feb 12, 2019

Hi @bflad ,
may I kindly ask what the status of this issue is?

Also, I believe terraform is still missing the ability to 'Enable sharing within your AWS Organization' inside RAM Setting. Am I wrong?

@alokcheerful

The resource aws_ram_resource_share is available, however the keys 'principal' & 'resource_arns' are not. Any update please on when these will be available?

@bflad
Contributor

bflad commented Feb 13, 2019

> may I kindly ask what the status of this issue is?

A new aws_ram_resource_association resource has been merged and will release with version 1.59.0 of the Terraform AWS Provider, likely in the next day or two. The work-in-progress open pull request for a new aws_ram_principal_association resource (#7219) is awaiting response. If we don't hear back today, we will submit changes on top of the existing work and try to also get that released in version 1.59.0.

> The resource aws_ram_resource_share is available, however the keys 'principal' & 'resource_arns' are not. Any update please on when these will be available?

Instead of arguments to the aws_ram_resource_share resource, these will be separate aws_ram_resource_association and aws_ram_principal_association resources to allow for additional Terraform configuration use cases. See above item for status on these.

> Also, I believe terraform is still missing the ability to 'Enable sharing within your AWS Organization' inside RAM Setting. Am I wrong?

You are partially correct. Terraform does not directly support the RAM EnableSharingWithAwsOrganization API call, but I believe the two below configurations should make it possible to achieve the same:

```hcl
# In the master Organizations account
resource "aws_organizations_organization" "example" {
  aws_service_access_principals = [
    # ... potentially other principals ...
    "ram.amazonaws.com",
  ]

  feature_set = "ALL"
}

# I believe in all accounts sharing resources
resource "aws_iam_service_linked_role" "ram" {
  aws_service_name = "ram.amazonaws.com"
}
```

This should probably be documented somewhere as its likely to be a common question. 😄
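Putting the pieces discussed in this thread together, as an added example that is not part of the issue, the provider documentation, or any commenter's configuration: the Organization-level RAM enablement and service-linked role from the comment above, a resource share with the separate `aws_ram_resource_association` and `aws_ram_principal_association` resources, a Transit Gateway share as mentioned earlier in the thread, and a participant-side tag on the shared subnet to address the point raised by @dlaidlaw that owner-account tags are not visible to participants. It assumes Terraform 0.12+ syntax and an AWS provider release later than the 1.59.0 discussed here, so that `aws_ram_resource_share` exports `arn` (on the versions discussed above the ARN was exposed only as `id`) and the `aws_ec2_tag` resource exists. The provider aliases, region, account ID, OU ARN and CIDRs are placeholders.

```hcl
# Added example, not the issue's or the provider's own code. Account IDs, the
# OU ARN, CIDRs and the provider aliases below are placeholders.

provider "aws" {
  alias  = "management" # Organizations management (master) account
  region = "us-east-1"
}

provider "aws" {
  alias  = "owner" # account that owns the VPC and Transit Gateway
  region = "us-east-1"
}

provider "aws" {
  alias  = "participant" # account that consumes the shared subnet
  region = "us-east-1"
}

# 1. Organization level: trust RAM as a service principal. If the Organization
#    already exists, import it instead of letting Terraform try to create it.
resource "aws_organizations_organization" "org" {
  provider                      = aws.management
  aws_service_access_principals = ["ram.amazonaws.com"]
  feature_set                   = "ALL"
}

# 2. Owner account: the service-linked role RAM needs, plus the resources to share.
resource "aws_iam_service_linked_role" "ram" {
  provider         = aws.owner
  aws_service_name = "ram.amazonaws.com"
}

resource "aws_vpc" "shared" {
  provider   = aws.owner
  cidr_block = "10.42.0.0/16"
}

resource "aws_subnet" "shared" {
  provider   = aws.owner
  vpc_id     = aws_vpc.shared.id
  cidr_block = "10.42.1.0/24"
  tags       = { Name = "shared-a" } # owner-side tag; participants do not see it
}

resource "aws_ec2_transit_gateway" "hub" {
  provider = aws.owner
}

# 3. The share. allow_external_principals = false is the security-relevant
#    setting: only principals inside this Organization can be associated, so a
#    mistyped account ID cannot hand the subnet or Transit Gateway to a stranger.
resource "aws_ram_resource_share" "network" {
  provider                  = aws.owner
  name                      = "network-hub"
  allow_external_principals = false
  tags                      = { Environment = "Production" }
  depends_on                = [aws_iam_service_linked_role.ram]
}

resource "aws_ram_resource_association" "subnet" {
  provider           = aws.owner
  resource_arn       = aws_subnet.shared.arn
  resource_share_arn = aws_ram_resource_share.network.arn
}

resource "aws_ram_resource_association" "tgw" {
  provider           = aws.owner
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.network.arn
}

# Share with a whole OU instead of enumerating account IDs (placeholder ARN).
resource "aws_ram_principal_association" "workloads_ou" {
  provider           = aws.owner
  principal          = "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-exam-pleouid1"
  resource_share_arn = aws_ram_resource_share.network.arn
}

# 4. Participant account: owner tags are invisible here, so tag the shared
#    subnet locally for software in this account that selects subnets by tag.
resource "aws_ec2_tag" "shared_subnet_name" {
  provider    = aws.participant
  resource_id = aws_subnet.shared.id
  key         = "Name"
  value       = "shared-a"
  depends_on  = [aws_ram_principal_association.workloads_ou]
}
```

Two checks worth doing after `terraform apply`: confirm in the RAM console settings that sharing within the Organization is actually enabled, since two people in this thread report needing the console toggle even with the Organizations service principal configured; and run `terraform plan` a second time to verify that `allow_external_principals` and the principal list are stable, so a later drift toward an external account shows up as a diff rather than silently.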

@ghost

ghost commented Feb 13, 2019

@bflad : thanks for the reply!

Regarding the API_EnableSharingWithAwsOrganization call. Maybe somebody could double-check that? I only managed to get everything working after manually clicking on the console.

@bflad
Contributor

bflad commented Feb 14, 2019

The new aws_ram_principal_association resource has also been merged and will release with version 1.59.0 of the Terraform AWS Provider, in the next hour or so.

For additional feature requests (e.g. a resource to accept a RAM invitation) or bug reports with Resource Access Manager functionality, please open new GitHub issues. Thanks!

@bflad
Contributor

bflad commented Feb 14, 2019

The above has been released in version 1.59.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@alokcheerful

alokcheerful commented Feb 15, 2019

Please can you all share sample signature examples of aws_ram_principal_association & aws_ram_resource_association? Not seeing it in the documentation. Looking for input attributes name/type and so on. Thanks

@alokcheerful

Never mind, I found it. Looks like they are not appearing in the search engines just yet

https://www.terraform.io/docs/providers/aws/r/ram_principal_association.html
https://www.terraform.io/docs/providers/aws/r/ram_resource_association.html

@tbugfinder
Contributor

I'm wondering how to use it.

aws_ram_resource_share doesn't have an output of the ARN but those other new resources require an ARN as input.

Documentation https://www.terraform.io/docs/providers/aws/r/ram_principal_association.html is wrong. Although the property name is ARN, an ID is passed, which cannot be applied.

@alokcheerful

@tbugfinder I had the same question myself. Found out that ID is actually what they call the ARN

@alokcheerful

@tbugfinder thanks, you are correct. Thanks for pointing this out. I saw the terraform plan succeed for me when passing ID. Looks like the actual apply fails

@rayterrill
Contributor

> @bflad : thanks for the reply!
>
> Regarding the API_EnableSharingWithAwsOrganization call. Maybe somebody could double-check that? I only managed to get everything working after manually clicking on the console.

Just happened to see this issue. I also had to manually click the "Enable sharing within your AWS Organization" in the console - is there no Terraform resource or property to be able to toggle that?

@ghost

ghost commented Nov 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 2, 2019