
New Resource: aws_resource_share_accepter #7601

Closed
easttimor opened this issue Feb 19, 2019 · 14 comments · Fixed by #8259
Labels
new-resource Introduces a new resource. service/ram Issues and PRs that pertain to the ram service.
Comments

@easttimor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Use AWS Resource Access Manager to share AWS resources between AWS accounts. To share a resource, you create a resource share, associate the resource with the resource share, and specify the principals that can access the resource. The principal must accept an invitation to be associated with the resource share. This last part, accepting the association invite, is the feature that is currently missing in the Terraform AWS provider.

  1. Create a resource share (aws_ram_resource_share)
  2. Associate the target account (aws_ram_principal_association) - this exposes the ARN
  3. Accept the association (new resource required)

After creating a Resource Access Manager share (aws_ram_resource_share), other accounts/principals may be associated with the share. This association (aws_ram_principal_association) establishes an invite that must be accepted by the target account. aws_ram_principal_association.example.id exposes the ARN required for input to (3) aws_ram_principal_accepter.

New or Affected Resource(s)

  • aws_ram_principal_accepter

Potential Terraform Configuration

resource "aws_ram_principal_accepter" "example" {
  resource_share_invitation_arn = "${aws_ram_principal_association.example.id}"
}

References
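As an added example (not from the issue or the provider's own documentation), here is the three-step flow above written as a two-account Terraform 0.12 configuration using the resource that eventually shipped for step 3, aws_ram_resource_share_accepter (which takes the share ARN directly). It assumes two provider aliases backed by CLI profiles named "sender" and "receiver", and shares a transit gateway created in the sender account.

```hcl
# Owning account: creates the resource, the share and the invitation.
provider "aws" {
  alias   = "sender"
  region  = "us-east-1"
  profile = "sender"   # assumed CLI profile for the owning account
}

# Receiving account: only needs permission to accept the share.
provider "aws" {
  alias   = "receiver"
  region  = "us-east-1"
  profile = "receiver" # assumed CLI profile for the accepting account
}

data "aws_caller_identity" "receiver" {
  provider = aws.receiver
}

resource "aws_ec2_transit_gateway" "example" {
  provider = aws.sender
}

resource "aws_ram_resource_share" "example" {
  provider = aws.sender
  name     = "tgw-share"
  # Required only when the principal is outside your AWS Organization.
  # Leave it false for in-organization sharing so a typo in the account id
  # cannot silently expose the resource to an unrelated account.
  allow_external_principals = true
}

# Step 1 (continued): attach the transit gateway to the share.
resource "aws_ram_resource_association" "example" {
  provider           = aws.sender
  resource_arn       = aws_ec2_transit_gateway.example.arn
  resource_share_arn = aws_ram_resource_share.example.arn
}

# Step 2: invite the receiving account (an account id, org ARN or OU ARN).
resource "aws_ram_principal_association" "example" {
  provider           = aws.sender
  principal          = data.aws_caller_identity.receiver.account_id
  resource_share_arn = aws_ram_resource_share.example.arn
}

# Step 3: accept the invitation from the receiving account.
resource "aws_ram_resource_share_accepter" "example" {
  provider  = aws.receiver
  share_arn = aws_ram_principal_association.example.resource_share_arn
}
```

The accepter is the only resource that runs under the receiver credentials, so that account's IAM policy can be limited to the ram:AcceptResourceShareInvitation and ram:GetResourceShareInvitations actions.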

@easttimor easttimor added the enhancement Requests to existing resources that expand the functionality or scope. label Feb 19, 2019
@bflad bflad added new-resource Introduces a new resource. service/ram Issues and PRs that pertain to the ram service. and removed enhancement Requests to existing resources that expand the functionality or scope. labels Feb 19, 2019
@umitseremet

Is there a workaround solution to accept the request on the destination side? That would be useful, especially for transit gateway operations.

@hatched-DavidMichon

@umitseremet I'm facing the same issue but haven't worked on a workaround implementation yet. If I were to implement it right now, I would try it with a null_resource and a call to the AWS CLI: https://docs.aws.amazon.com/cli/latest/reference/ram/accept-resource-share-invitation.html.

@umitseremet

Yes @hatched-DavidMichon, it seems to be the only way that can be applied, but it will be a problem especially on re-create or destroy operations. The only way seems to be to do it manually or via the CLI, and then apply an import after the module is published.

@hatched-DavidMichon

hatched-DavidMichon commented Apr 1, 2019

I did a similar work for Transit Gateway attachment accepter using a lambda function (aws_lambda_function) and a cloudformation stack (aws_cloudformation_stack).

The idea is to create a CloudFormation stack that calls a Lambda function which assumes a role in the accepter AWS account to accept the request. A CloudFormation stack has a "delete" phase, so you can also handle that in your Lambda function to do the necessary/required cleanup.

Here's an example for VPC peering https://github.com/awslabs/aws-cloudformation-templates/tree/master/aws/solutions/VPCPeering that I use and adapt for my needs.

This could be a temporary workaround until resources are available on TF.

@YakDriver
Member

@umitseremet @torr201812 @hatched-DavidMichon Please see #8259 and provide 👍 and any feedback.

@MMarulla
Contributor

If your different accounts are under a single organization, there is an option in the Resource Access Manager console under the "Settings" tab for the master account called "Enable Sharing". Once checked, according to AWS:

When you share resources within your organization, AWS RAM does not send invitations to principals. Principals in your organization get access to shared resources without exchanging invitations.

@ghost

ghost commented Jul 19, 2019

Any updates on this: "Accept the association (new resource required)"?

@YakDriver
Member

@Ricomlb Not that I know of

@bflad bflad added this to the v2.24.0 milestone Aug 14, 2019
@bflad
Contributor

bflad commented Aug 14, 2019

The new aws_ram_resource_share_accepter resource has been merged and will release with version 2.24.0 of the Terraform AWS Provider, tomorrow. Special thanks to @YakDriver, @ewbankkit, and @lorengordon who were instrumental in helping get this added.

Please note: this resource will accept a RAM Resource Share ARN directly, rather than requiring the need to fetch a RAM Resource Share Invitation ARN. The resource documentation will show an example multi-account setup with aws_ram_resource_share, aws_ram_principal_association, and this new resource. 👍

@ghost

ghost commented Aug 15, 2019

This has been released in version 2.24.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Nov 1, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 1, 2019