Terraform-provider-aws: New Resource: aws_resource_share_accepter

Created on 19 Feb 2019  ·  14 comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Use AWS Resource Access Manager to share AWS resources between AWS accounts. To share a resource, you create a resource share, associate the resource with the resource share, and specify the principals that can access the resource. The principal must accept an invitation to be associated with the resource share. This last part, accepting the association invite, is the feature that is currently missing in the Terraform AWS provider.

  1. Create a resource share (aws_ram_resource_share)
  2. Associate the target account (aws_ram_principal_association) - this exposes the ARN
  3. Accept the association (new resource required)

After creating a Resource Access Manager share (aws_ram_resource_share), other accounts/principals may be associated with the share. This association (aws_ram_principal_association) establishes an invite that must be accepted by the target account. aws_ram_principal_association.example.id exposes the ARN required for input to (3) aws_ram_principal_accepter.

New or Affected Resource(s)

  • aws_ram_principal_accepter

Potential Terraform Configuration

resource "aws_ram_principal_accepter" "example" {
  resource_share_invitation_arn = "${aws_ram_principal_association.example.id}"
}

References

Labels: new-resource, service/ram


All 14 comments

Is there a workaround solution to accept the request on the destination side? That would be useful, especially for transit gateway operations.

@umitseremet I'm facing the same issue but haven't worked on a workaround implementation yet. If I were to implement it right now, I would try it with a null_resource and a call to the aws-cli: https://docs.aws.amazon.com/cli/latest/reference/ram/accept-resource-share-invitation.html.

Yes @hatched-DavidMichon, it seems to be the only way that can be applied, but it will be a problem especially on re-create or destroy operations. The only way seems to be doing it manually or via the CLI, and applying an import after the module is published.

+1

+1

+1

I did similar work for a Transit Gateway attachment accepter using a lambda function (aws_lambda_function) and a CloudFormation stack (aws_cloudformation_stack).

The idea is to create a CloudFormation stack that calls a lambda function, which assumes a role in the accepter AWS account to accept the request. A CloudFormation stack has a "delete" phase, so you can also handle that in your lambda function to do any necessary/required cleanup.

Here's an example for VPC peering https://github.com/awslabs/aws-cloudformation-templates/tree/master/aws/solutions/VPCPeering that I use and adapt for my needs.

This could be a temporary workaround until resources are available on TF.

@umitseremet @torr201812 @hatched-DavidMichon Please see #8259 and provide 👍 and any feedback.

If your different accounts are under a single organization, there is an option in the Resource Access Manager console under the "Settings" tab for the master account called "Enable Sharing". Once checked, according to AWS:

When you share resources within your organization, AWS RAM does not send invitations to principals. Principals in your organization get access to shared resources without exchanging invitations.

Any updates on this: "Accept the association (new resource required)"?

@Ricomlb Not that I know of

The new aws_ram_resource_share_accepter resource has been merged and will release with version 2.24.0 of the Terraform AWS Provider, tomorrow. Special thanks to @YakDriver, @ewbankkit, and @lorengordon who were instrumental in helping get this added.

Please note: this resource will accept a RAM Resource Share ARN directly, rather than requiring the need to fetch a RAM Resource Share Invitation ARN. The resource documentation will show an example multi-account setup with aws_ram_resource_share, aws_ram_principal_association, and this new resource. 👍
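The multi-account setup described in this comment, written out as an added example (not code from the issue or from the provider's documentation). It assumes Terraform 0.12+ syntax, two provider aliases named `owner` and `receiver`, and placeholder account IDs and subnet ARN.

```hcl
# Added example: share a subnet from the owner account and accept it from
# the receiver account, all in one configuration. Account IDs, region and
# the subnet ARN are placeholders.
provider "aws" {
  alias  = "owner"    # credentials of the account that creates the share
  region = "us-east-1"
}

provider "aws" {
  alias  = "receiver" # credentials of the account that accepts the share
  region = "us-east-1"
}

# 1. Create the share. allow_external_principals is what permits inviting
#    accounts outside your AWS Organization; keep it false when the receiver
#    is in the same organization (no invitation is exchanged in that case).
resource "aws_ram_resource_share" "example" {
  provider                  = aws.owner
  name                      = "example-subnet-share"
  allow_external_principals = true
}

# Attach the resource being shared (placeholder subnet ARN).
resource "aws_ram_resource_association" "example" {
  provider           = aws.owner
  resource_arn       = "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-PLACEHOLDER"
  resource_share_arn = aws_ram_resource_share.example.arn
}

# 2. Invite the receiver by its 12-digit account ID. Pinning a specific
#    account, not an org-wide ARN, keeps the blast radius of the share small.
resource "aws_ram_principal_association" "example" {
  provider           = aws.owner
  principal          = "222222222222"
  resource_share_arn = aws_ram_resource_share.example.arn
}

# 3. Accept from the receiver account. The accepter takes the share ARN
#    itself, so no invitation ARN has to be fetched out of band; depends_on
#    makes sure the invitation exists before acceptance is attempted.
resource "aws_ram_resource_share_accepter" "example" {
  provider  = aws.receiver
  share_arn = aws_ram_principal_association.example.resource_share_arn

  depends_on = [aws_ram_principal_association.example]
}
```

Destroying the accepter disassociates the receiver account from the share, so a plan that recreates it will re-accept on the next apply rather than leaving a dangling invitation.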

This has been released in version 2.24.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
