Terraform-provider-aws: aws_ram_resource_share unable to share resource

Created on 28 Feb 2019  ·  10 Comments  ·  Source: hashicorp/terraform-provider-aws

Scenario: Trying to share a resource from one account to another that belong to the same organization.
When I try to run aws_ram_resource_share with the option allow_external_principals: false I get the error

aws_ram_resource_share.Test: Error updating RAM resource share arn:aws:ram:us-east-1:XXXXXXXXXXXX:resource-share/XXXXXXXXXXXX: OperationNotPermittedException: The resource you are attempting to share can only be shared within your AWS Organization. This error may also occur if you have not enabled sharing with your AWS organization, or that onboarding process is still in progress.
status code: 400, request id: XXXXXXXXXXXX

Terraform V 0.11.11

Affected Resource(s)

aws_ram_resource_share

[root@xxxxTGW]# terraform apply
provider.aws.region
The region where AWS operations will take place. Examples
are us-east-1, us-west-2, etc.

Default: us-east-1
Enter a value:

aws_ram_resource_share.Test: Refreshing state... (ID: arn:aws:ram:us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX:reso...e/XXXXXXXXXXXXXXXXXXXXXXXX)
aws_ec2_transit_gateway.Test: Refreshing state... (ID: tgw-XXXXXXXXXXXXXXXXXXXXXXXX)
aws_ec2_transit_gateway_route_table.Test: Refreshing state... (ID: tgw-rtb-XXXXXXXXXXXXXXXXXXXXXXXX)
aws_ram_principal_association.Test: Refreshing state... (ID: arn:aws:ram:us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX:reso...-XXXXXXXXXXXXXXXXXXXXXXXX)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:

  • create
    ~ update in-place

Terraform will perform the following actions:

Plan: 1 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

aws_ram_resource_share.Test: Modifying... (ID: arn:aws:ram:us-east-XXXXXXXXXXXXXXXXXXXXXXXX:reso...e/XXXXXXXXXXXXXXXXXXXXXXXX)
allow_external_principals: "true" => "false"

Error: Error applying plan:

1 error(s) occurred:

  • aws_ram_resource_share.Test: 1 error(s) occurred:

  • aws_ram_resource_share.Test: Error updating RAM resource share arn:aws:ram:us-east-XXXXXXXXXXXXXXXXXXXXXXXX:resource-share/XXXXXXXXXXXXXXXXXXXXXXXX: OperationNotPermittedException: The resource you are attempting to share can only be shared within your AWS Organization. This error may also occur if you have not enabled sharing with your AWS organization, or that onboarding process is still in progress.
    status code: 400, request id: XXXXXXXXXXXXXXXXXXXXXXXX


All 10 comments

Could you add your TF code too?
Which provider version is used?

@tbugfinder code used

Provider Version
aws-cli/1.16.114 Python/2.7.5 Linux/3.10.0-862.9.1.el7.x86_64 botocore/1.12.104

CODE Below

```hcl
#aws_ec2_transit_gateway
resource "aws_ec2_transit_gateway" "TGW" {
  description = "XXXXXXXXXXXX Transit Gateway"

  tags = {
    Name            = "XXXXXXXXXXXX"
    Application     = "TransitGateway"
    BusinessService = "$Account-Application-$Environment"
    CostCenter      = "XXXXXXXXXXXX"
    TFManaged       = "derived from git repo"
    Company         = "XXX"
    Environment     = "Prod"
    Function        = "Transit_Gateway"
    Account         = "XXXXXXXXXXXX"
  }

  amazon_side_asn                 = "XXXXXXXXXXXX"
  auto_accept_shared_attachments  = "disable"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  dns_support                     = "disable"
  vpn_ecmp_support                = "disable"
}

#aws_ec2_transit_gateway_route_table

resource "aws_ec2_transit_gateway_route_table" "RouteTable" {
  transit_gateway_id = "${aws_ec2_transit_gateway.TGW.id}"

  tags = {
    Name            = "XXXXXXXXXXXX"
    Application     = "TransitGateway"
    BusinessService = "$Account-Application-$Environment"
    CostCenter      = "XXXXXXXXXXXX"
    TFManaged       = "derived from git repo"
    Company         = "XXX"
    Environment     = "Prod"
    Function        = "$Application"
    Account         = "XXXXXXXXXXXX"
  }
}

#Will share this TransitGateway using AWS RAM
#aws_ram_resource_share

resource "aws_ram_resource_share" "TGW" {
  name = "Test"

  allow_external_principals = true
  tags = {
    Environment = "Production"
  }
}

#aws_ram_principal_association
#AWS Account ID  "XXXXXXXXXXXX", "XXXXXXXXXXXX"
resource "aws_ram_principal_association" "XXXXXXXXXXXX" {
  principal          = "XXXXXXXXXXXX"
  resource_share_arn = "${aws_ram_resource_share.TGW.id}"
}

#aws_ram_resource_association

resource "aws_ram_resource_association" "XXXXXXXXXXXX" {
  resource_arn       = "${aws_ec2_transit_gateway.TGW.arn}"
  resource_share_arn = "${aws_ram_resource_share.TGW.id}"
}
```

(Maintainer Edit (@bflad): Added triple backticks for GitHub formatting)

I hit this issue recently and found a solution. In the master account for your organization under the "settings" for "Resource Access Manager" I had to "Enable account sharing within your AWS organization"... I had to do this manually but there may be a better way. Docs here: https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html

Given the error message from the RAM service, it would also be helpful to know if an IAM policy is in place to restrict sharing with external AWS accounts: https://docs.aws.amazon.com/ram/latest/userguide/control-access.html#control-access-owner-external

@bflad IAM policy is good
@neilhaggerty I enabled the sharing option and tried to run the terraform with the scenarios below; nothing seems to be working. However, my accounts belong to the same org. I used the org ID and the org ARN for the principal in my terraform in different scenarios and have provided the error messages.

Scenario-1
with allow_external_principals: "true"
principal = "o-XXXXXXXX" and I get the error below

  • aws_ram_principal_association.TGW: Error associating principal with RAM resource share: InvalidParameterException: Principal ID o-XXXXXXXXXX is malformed. Verify the ID and try again.
    status code: 400, request id: ************

Scenario-2
with allow_external_principals: "true"
principal = "org arn" and I get the error below

  • aws_ram_principal_association.TGW: Error associating principal with RAM resource share: UnknownResourceException: Organization o-XXXXXX could not be found.
    status code: 400, request id: ************

Scenario-3
with allow_external_principals: "false"
principal = "org arn" and I get the error below

  • aws_ram_resource_share.TGW: Error updating RAM resource share arn:aws:ram:us-east-1:XXXXXXXXXXX:resource-share/***********: OperationNotPermittedException: The resource you are attempting to share can only be shared within your AWS Organization. This error may also occur if you have not enabled sharing with your AWS organization, or that onboarding process is still in progress.
    status code: 400, request id:
    ***********

Scenario-4
with allow_external_principals: "false"
principal = "o-XXXXXXXX" and I get the error below

  • aws_ram_resource_share.TGW: Error updating RAM resource share arn:aws:ram:us-east-1:XXXXXXXXXX:resource-share/***********: OperationNotPermittedException: The resource you are attempting to share can only be shared within your AWS Organization. This error may also occur if you have not enabled sharing with your AWS organization, or that onboarding process is still in progress.
    status code: 400, request id:
    ***********

As per the Terraform documentation, the org ID is supposed to be used for the principal. However, it doesn't work for a few scenarios here, and if I use the org ARN, it does pick up the ID from that and throws the "could not be found" error.

I just had a similar issue and I found out that my IDs were wrong.
I think that in your case it should be:

```hcl
#AWS Account ID  "XXXXXXXXXXXX", "XXXXXXXXXXXX"
resource "aws_ram_principal_association" "XXXXXXXXXXXX" {
  principal          = "XXXXXXXXXXXX"
  resource_share_arn = "${aws_ram_resource_share.TGW.arn}"
}

#aws_ram_resource_association

resource "aws_ram_resource_association" "XXXXXXXXXXXX" {
  resource_arn       = "${aws_ec2_transit_gateway.TGW.arn}"
  resource_share_arn = "${aws_ram_resource_share.TGW.arn}"
}
```
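Putting the two fixes proposed in this thread together (organization sharing enabled in the master account, the share referenced by its ARN, and the organization referenced by its ARN rather than the bare "o-..." ID that RAM rejects as malformed), here is an added example configuration that is not from the issue or the provider's docs. It assumes Terraform 0.11 interpolation syntax as used above, that it is applied from the organization's master account, and that the resource names TGW and org are placeholders.

```hcl
# Added example (not from the issue). Shares one Transit Gateway with every
# account in the AWS Organization, keeping the share closed to outsiders.
#
# One-time prerequisite in the master account (the manual console step from
# the thread, expressed as the equivalent CLI call):
#   aws ram enable-sharing-with-aws-organization

# The organization's ARN is read from the API instead of being hard-coded,
# so the "o-XXXXXXXX" value can never be mistyped.
data "aws_organizations_organization" "current" {}

resource "aws_ec2_transit_gateway" "TGW" {
  description = "Transit Gateway shared within the organization"
}

resource "aws_ram_resource_share" "TGW" {
  name = "transit-gateway"

  # Only principals inside this organization may be associated; an account
  # outside it is refused by RAM instead of silently gaining access.
  allow_external_principals = false
}

# Principal must be the organization ARN
# (arn:aws:organizations::<master-account-id>:organization/o-XXXXXXXX),
# not the bare organization ID, which RAM reports as malformed.
resource "aws_ram_principal_association" "org" {
  principal          = "${data.aws_organizations_organization.current.arn}"
  resource_share_arn = "${aws_ram_resource_share.TGW.arn}"
}

# Reference the share by .arn, as the comment above recommends.
resource "aws_ram_resource_association" "TGW" {
  resource_arn       = "${aws_ec2_transit_gateway.TGW.arn}"
  resource_share_arn = "${aws_ram_resource_share.TGW.arn}"
}
```

If sharing with the organization has not been enabled first, the apply fails with the same OperationNotPermittedException shown in the issue, so run the prerequisite before the first apply.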

I believe the error is due to the requirement that the ec2_transit_gateway resource must have the option allow_external_principals: true. Setting the option to false always raises an error as it is an invalid configuration. The same error is also displayed using the AWS RAM console attempting to set external principals to false.

Hi folks 👋 This appears to be answered above. If you are still running into trouble or think our documentation can be improved, please submit a new issue following one of the issue templates and we'll take a look. 👍 Thanks.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
