Use AWS Resource Access Manager to share AWS resources between AWS accounts. To share a resource, you create a resource share, associate the resource with the resource share, and specify the principals that can access the resource
aws_ram_resource_share
resource "aws_ram_resource_share" "example" {
  name                      = "example"
  allow_external_principals = true

  resource_arns = [
    "...",
  ]

  principals = [
    "...",
  ]

  tags = {
    Environment = "Production"
  }
}
https://aws.amazon.com/blogs/aws/new-aws-resource-access-manager-cross-account-resource-sharing/
When a subnet is shared, the participant account can see and use the subnet. However, the participant account cannot see the tags on the subnet that were created in the owner account. The subnet can be tagged in the participant account, however, with a separate set of tags only visible in the participant. This is also true for the VPC and other resources.
We also need to be able to tag the shared resources, especially the VPC and the subnets, in the participant account so that other software running in the participant account can use those tags.
This feature request is especially useful for AWS Transit Gateway.
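The tagging behaviour described in the request (owner-account tags are invisible to the participant, and the participant keeps its own tag set) can be handled from the participant account's side with the `aws_ec2_tag` resource. The following is an added example, not code from the issue or from the provider's documentation; it assumes a provider version that includes `aws_ec2_tag` (added long after this thread), a share that already exists, and placeholder region and subnet IDs.

```hcl
# Added example: participant account tags a subnet and VPC that were shared
# to it via RAM. The region and subnet ID are placeholders.
provider "aws" {
  region = "us-east-1" # assumption
}

# A shared subnet is visible by ID in the participant account, but the owner's
# tags are not. Looking it up confirms the share has taken effect.
data "aws_subnet" "shared" {
  id = "subnet-0123456789abcdef0" # placeholder
}

# Tags created here exist only in the participant account, as the issue
# describes; the owner account does not see them.
resource "aws_ec2_tag" "shared_subnet_tier" {
  resource_id = data.aws_subnet.shared.id
  key         = "Tier"
  value       = "private"
}

resource "aws_ec2_tag" "shared_vpc_name" {
  resource_id = data.aws_subnet.shared.vpc_id
  key         = "Name"
  value       = "shared-network"
}
```

Because each side keeps its own tags, any tag-based controls in the participant account (IAM conditions on `aws:ResourceTag`, scheduler or cost tooling) must be driven by tags written in the participant account like these, not by tags the owner applied.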
The first resource for managing resource shares themselves, aws_ram_resource_share, has been merged and will release with version 1.56.0 of the Terraform AWS provider, likely in the next day or two.
Managing associations with resource shares will likely land in a separate resource (see also https://github.com/terraform-providers/terraform-provider-aws/pull/6528#issuecomment-449391917).
The new aws_ram_resource_share resource has been released in version 1.56.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
Any updates on support for managing associations using AWS RAM? @bflad
resource "aws_ram_principal_association" "example" {
  resource_share_arn = "${aws_ram_resource_share.example.arn}"
  principal          = "123456789012"
  # external - calculated field that is only applicable to principals associated to a resource share
}
I submitted a pull request for a new aws_ram_resource_association resource (#7449), but I'm receiving an error I cannot get past in the acceptance testing when calling AssociateResourceShare:
{"__type":"InvalidParameterException","message":"Your account ID does not exist in an AWS organization."}
This error occurs for me: ram.amazonaws.com /AWSServiceRoleForResourceAccessManager ) already existing in the accounts. It seems like a bug in the RAM service, but if someone is familiar with that scenario before I open an AWS Support case, it would be super helpful. Thanks!
Hi @bflad, thanks for the commit.
Could you take a look at the #6884 Issue?
This is critical for many business at the moment.
When can we expect the next version release?
Thank you
Could you take a look at the #6884 Issue?
I provided an initial comment when it was first opened. I would suggest commenting on that issue if you have specific questions/feedback/concerns as it is unrelated to this feature request.
When can we expect the next version release?
We typically release every week, but Terraform 0.12 related work behind the scenes to ensure Terraform core and provider functionality works same as 0.11 has been hampering that recently. We will be cutting a release later today.
Hi @bflad ,
may I kindly ask what the status of this issue is?
Also, I believe terraform is still missing the ability to 'Enable sharing within your AWS Organization' inside RAM Setting. Am I wrong?
The resource aws_ram_resource_share is available, however the keys 'principal' & 'resource_arns' are not. Any update please on when these will be available?
may I kindly ask what the status of this issue is?
A new aws_ram_resource_association resource has been merged and will release with version 1.59.0 of the Terraform AWS Provider, likely in the next day or two. The work-in-progress open pull request for a new aws_ram_principal_association resource (#7219) is awaiting response. If we don't hear back today, we will submit changes on top of the existing work and try to also get that released in version 1.59.0.
The resource aws_ram_resource_share is available, however the keys 'principal' & 'resource_arns' are not. Any update please on when these will be available?
Instead of arguments to the aws_ram_resource_share resource, these will be separate aws_ram_resource_association and aws_ram_principal_association resources to allow for additional Terraform configuration use cases. See above item for status on these.
Also, I believe terraform is still missing the ability to 'Enable sharing within your AWS Organization' inside RAM Setting. Am I wrong?
You are partially correct. Terraform does not directly support the RAM EnableSharingWithAwsOrganization API call, but I believe the two below configurations should make it possible to achieve the same:
# In the master Organizations account
resource "aws_organizations_organization" "example" {
  aws_service_access_principals = [
    # ... potentially other principals ...
    "ram.amazonaws.com",
  ]
  feature_set = "ALL"
}

# I believe in all accounts sharing resources
resource "aws_iam_service_linked_role" "ram" {
  aws_service_name = "ram.amazonaws.com"
}
This should probably be documented somewhere as its likely to be a common question. 😄
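The three resources discussed in this thread (the share itself plus the separate resource and principal associations) together with the organization-sharing prerequisites above fit into one owner-account configuration. The following is an added example, not code from any commenter or from the provider's documentation; it assumes Terraform 0.12+ syntax, a provider at or above 1.59.0, that the configuration is applied in the Organizations management account, and placeholder region, CIDR and OU ARN values. The share's `id` is used for `resource_share_arn` because, as noted later in the thread, that attribute holds the share ARN.

```hcl
# Added example: owner (management) account shares one subnet with an OU.
# Region, CIDRs and the OU ARN are placeholders.
provider "aws" {
  region = "us-east-1" # assumption
}

# Prerequisites for sharing inside the organization, per the maintainer's
# suggestion above (some commenters reported still needing the console toggle).
resource "aws_organizations_organization" "example" {
  aws_service_access_principals = ["ram.amazonaws.com"]
  feature_set                   = "ALL"
}

resource "aws_iam_service_linked_role" "ram" {
  aws_service_name = "ram.amazonaws.com"
}

resource "aws_vpc" "shared" {
  cidr_block = "10.20.0.0/16" # placeholder
  tags       = { Name = "shared-network" }
}

resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.shared.id
  cidr_block = "10.20.1.0/24" # placeholder
}

resource "aws_ram_resource_share" "network" {
  name = "shared-network"
  # Leave external sharing disabled so only principals inside the organization
  # can ever be associated; a mistyped account ID then fails instead of
  # exposing the subnet to an account outside the org.
  allow_external_principals = false

  tags = {
    Environment = "Production"
  }
}

# Which resource is shared: the subnet's ARN (computed, not hand-written).
resource "aws_ram_resource_association" "private_subnet" {
  resource_share_arn = aws_ram_resource_share.network.id
  resource_arn       = aws_subnet.private.arn
}

# Who may use it: an OU ARN keeps the principal list at one entry as accounts
# move in and out of the OU; a plain 12-digit account ID also works here.
resource "aws_ram_principal_association" "workloads_ou" {
  resource_share_arn = aws_ram_resource_share.network.id
  principal          = "arn:aws:organizations::111111111111:ou/o-placeholder/ou-placeholder" # placeholder

  depends_on = [
    aws_organizations_organization.example,
    aws_iam_service_linked_role.ram,
  ]
}
```

Splitting the associations out of the share, as the maintainer describes, means a principal can be revoked by removing one `aws_ram_principal_association` without touching the share or the shared subnet, which is the operation a reviewer of this configuration most often wants to be a one-line change.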
@bflad : thanks for the reply!
Regarding the API_EnableSharingWithAwsOrganization call. Maybe somebody could double-check that? I only managed to get everything working after manually clicking on the console.
The new aws_ram_principal_association resource has also been merged and will release with version 1.59.0 of the Terraform AWS Provider, in the next hour or so.
For additional feature requests (e.g. a resource to accept a RAM invitation) or bug reports with Resource Access Manager functionality, please open new GitHub issues. Thanks!
The above has been released in version 1.59.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
Please can you all share sample signature examples of aws_ram_principal_association & aws_ram_resource_association? Not seeing it in the documentation. Looking for input attributes, name/type and so on. Thanks
Never mind, I found it. Looks like they are not appearing in the search engines just yet
https://www.terraform.io/docs/providers/aws/r/ram_principal_association.html
https://www.terraform.io/docs/providers/aws/r/ram_resource_association.html
I'm wondering how to use it.
aws_ram_resource_share doesn't have an output of the ARN but those other new resources require an ARN as input.
Documentation https://www.terraform.io/docs/providers/aws/r/ram_principal_association.html is wrong. Although the property name is ARN an ID is passed which cannot be applied.
@tbugfinder I had the same question myself. Found out that ID is actually what they call the ARN
@tbugfinder thanks, you are correct. Thanks for pointing this out. I saw the terraform plan succeed for me when passing ID. Looks like the actual apply fails
@bflad : thanks for the reply!
Regarding the API_EnableSharingWithAwsOrganization call. Maybe somebody could double-check that? I only managed to get everything working after manually clicking on the console.
Just happened to see this issue. I also had to manually click the "Enable sharing within your AWS Organization" in the console - is there no Terraform resource or property to be able to toggle that?
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!