RAM resource share data source doesn't expose underlying resource_arn #21159

Closed
gavinclarkeuk opened this issue Oct 5, 2021 · 7 comments · Fixed by #22591
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ram Issues and PRs that pertain to the ram service.
@gavinclarkeuk

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

There isn't currently any way to get the ARN of the underlying resource of a ram_resource_share via Terraform. There is an existing ram_resource_share data source, but the attributes only relate to the share itself, not the underlying resource.

For example, we've shared an ACM Private CA in our org and we want to provide engineers a clean way of issuing certificates via Terraform. To do that they need to provide the ARN of the Private CA. The only way we can do this right now is hard-coding the ARN, which is nasty.

New or Affected Resource(s)

  • aws_ram_resource_share (data source)

Potential Terraform Configuration

Would like to be able to do something like this:

data "aws_ram_resource_share" "example" {
  name           = "my-private-ca"
  resource_owner = "OTHER-ACCOUNTS"
}

output "private_ca_arn" {
  value = data.aws_ram_resource_share.example.resource_arn
}

References

  • #0000
@gavinclarkeuk gavinclarkeuk added the enhancement Requests to existing resources that expand the functionality or scope. label Oct 5, 2021
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/ram Issues and PRs that pertain to the ram service. labels Oct 5, 2021
@justinretzolk
Member

Hey @gavinclarkeuk 👋 Thank you for taking the time to file this. I took a quick look, and it looks like this would need to use a slightly different API endpoint; the ListResource endpoint (relevant portion of the SDK can be found here). I say this mostly as initial information for anyone who might pick this up to work on.

In the meantime, for your particular situation, are you creating the share using an aws_ram_resource_share resource and an aws_ram_resource_association resource? If so, perhaps you could output the ARN from there?

@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Oct 5, 2021
@gavinclarkeuk
Author

gavinclarkeuk commented Oct 6, 2021

Hey @justinretzolk, we are creating the share using an aws_ram_resource_share and aws_ram_resource_association; however, the share lives in a completely separate project to the project(s) where we need to consume the ARN. We could potentially output the ARN, and jump through hoops to store it somewhere accessible for the consuming projects (e.g. SSM in the downstream accounts), but that seems quite convoluted when this data is already available in downstream accounts. Similarly, accessing remote state is something we'd rather avoid, as there are different security requirements for the upstream/downstream state files.

And in case anyone was wondering why I don't just use the aws_acmpca_certificate_authority data source for my use case, it is because it requires some additional permissions that we don't actually need/want to grant in the downstream accounts to use the CA.

This isn't a huge issue for us, it just felt like a gap in the current implementation that should be reasonably simple to fix.

@justinretzolk
Member

Thank you for the additional information and context @gavinclarkeuk! I've added labels so that we can look into this as soon as time permits. Thank you again for your feedback!

nicolaei added a commit to nicolaei/terraform-provider-aws that referenced this issue Jan 14, 2022
Based on implementation in resource_share_accepter.go

Closes hashicorp#21159
@nicolaei
Contributor

I took a shot at implementing this!

Check out #22591 😄

@onitake
Contributor

onitake commented Mar 16, 2022

Would it be possible to export other information about the underlying shared resource as well?

I'd like to use the RAM data source to link to a shared Transit Gateway, and most related APIs deal with the TGW ID, not its ARN. The ID is of the form tgw-123456789abcdef. A useful Terraform resource would be aws_ec2_transit_gateway_vpc_attachment, which requires the TGW ID.

As an alternative, I tried to obtain the ID from the ARN with an aws_ec2_transit_gateway data source, but the filter (and the used DescribeTransitGateways API) do not support querying by ARN.

@github-actions github-actions bot added this to the v5.13.0 milestone Aug 11, 2023
@github-actions

This functionality has been released in v5.13.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
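How a downstream account could consume the released data source for both cases raised in this thread (the shared Private CA ARN and a Transit Gateway ID), as an added example that is not part of the original issue or the provider's own code. It assumes the released attribute is the list `resource_arns`, that the Transit Gateway ARN ends in `transit-gateway/tgw-...`, and that `shared-tgw` is a hypothetical share name; the CA share name comes from the issue.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.13.0" # release named in the comment above
    }
  }
}

# Share name and owner taken from the issue's example.
data "aws_ram_resource_share" "ca" {
  name           = "my-private-ca"
  resource_owner = "OTHER-ACCOUNTS"
}

# Hypothetical share holding a Transit Gateway (onitake's case).
data "aws_ram_resource_share" "tgw" {
  name           = "shared-tgw"
  resource_owner = "OTHER-ACCOUNTS"
}

locals {
  # A share can carry several resources; keep only ACM Private CA ARNs.
  ca_arns = [
    for arn in data.aws_ram_resource_share.ca.resource_arns : arn
    if length(regexall("^arn:[^:]+:acm-pca:", arn)) > 0
  ]

  # Derive the TGW ID from the last ARN segment instead of a second lookup.
  tgw_ids = [
    for arn in data.aws_ram_resource_share.tgw.resource_arns :
    regex("transit-gateway/(tgw-[0-9a-f]+)$", arn)[0]
    if length(regexall(":transit-gateway/tgw-", arn)) > 0
  ]
}

output "private_ca_arn" {
  value = one(local.ca_arns)

  # Fail the plan if the share's contents change unexpectedly.
  precondition {
    condition     = length(local.ca_arns) == 1
    error_message = "Expected exactly one ACM Private CA in the share."
  }
}

output "transit_gateway_id" {
  value = one(local.tgw_ids)
}
```

The precondition makes consumers fail closed when the share gains or loses a CA, rather than silently issuing certificates from a different authority.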

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 18, 2023