AWS RAM Principal Association
This page shows how to write Terraform and CloudFormation for AWS RAM Principal Association and write them securely.
aws_ram_principal_association (Terraform)
The Principal Association in AWS RAM can be configured in Terraform with the resource name aws_ram_principal_association. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ram_principal_association" "this_vpc1" {
principal = var.vpc_attachments["vpc1"].account_id
resource_share_arn = aws_ram_resource_share.this.arn
}
resource "aws_ram_principal_association" "apptest0toapptest1" {
provider = aws.apptest0
depends_on = [aws_ram_resource_association.main]
principal = data.aws_caller_identity.apptest1.account_id
resource "aws_ram_principal_association" "internet" {
resource_share_arn = aws_ram_resource_share.internet.arn
principal = local.organization.arn
}
resource "aws_ram_principal_association" "_" {
principal = data.aws_organizations_organization._.arn
resource_share_arn = aws_ram_resource_share._.arn
resource "aws_ram_principal_association" "this" {
principal = var.principal
resource_share_arn = var.resource_share_arn
# The invitation sometime takes a few seconds to propagate
provisioner "local-exec" {
Parameters
-
idoptional computed - string -
principalrequired - string -
resource_share_arnrequired - string
Explanation in Terraform Registry
Provides a Resource Access Manager (RAM) principal association. Depending if RAM Sharing with AWS Organizations is enabled, the RAM behavior with different principal types changes. When RAM Sharing with AWS Organizations is enabled:
- For AWS Account ID, Organization, and Organizational Unit principals within the same AWS Organization, no resource share invitation is sent and resources become available automatically after creating the association.
- For AWS Account ID principals outside the AWS Organization, a resource share invitation is sent and must be accepted before resources become available. See the
aws_ram_resource_share_accepterresource to accept these invitations. When RAM Sharing with AWS Organizations is not enabled:- Organization and Organizational Unit principals cannot be used.
- For AWS Account ID principals, a resource share invitation is sent and must be accepted before resources become available. See the
aws_ram_resource_share_accepterresource to accept these invitations.
AWS::RAM::ResourceShare (CloudFormation)
The ResourceShare in RAM can be configured in CloudFormation with the resource name AWS::RAM::ResourceShare. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::RAM::ResourceShare
DependsOn: TransitGateway
Properties:
AllowExternalPrincipals: false
Name: "Transit Gateway Resource Share"
ResourceArns:
Type: AWS::RAM::ResourceShare
DependsOn: TransitGateway
Properties:
AllowExternalPrincipals: false
Name: "Transit Gateway Resource Share"
ResourceArns:
Type: AWS::RAM::ResourceShare
Properties:
AllowExternalPrincipals: true
Name: mesh-share
Principals:
- !Ref ConsumerAccountId
Type: AWS::RAM::ResourceShare
Properties:
AllowExternalPrincipals: true
Name: mesh-share
Principals:
- !Ref ConsumerAccountId
Type: AWS::RAM::ResourceShare
Properties:
AllowExternalPrincipals: true
Name: mesh-share
Principals:
- !Ref ConsumerAccountId
"Type": "AWS::RAM::ResourceShare",
"Properties": {
"Name": {
"Ref": "ResourceShareName"
},
"AllowExternalPrincipals": false,
"Type": "AWS::RAM::ResourceShare",
"Properties": {
"Name": {
"Ref": "ResourceShareName"
},
"AllowExternalPrincipals": false,
"AWS::RAM::ResourceShare": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ram-resourceshare.html",
"Attributes": {
"Arn": {
"PrimitiveType": "String"
}
"AWS::RAM::ResourceShare": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ram-resourceshare.html",
"Attributes": {
"Arn": {
"PrimitiveType": "String"
}
"AWS::RAM::ResourceShare": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ram-resourceshare.html",
"Attributes": {
"Arn": {
"PrimitiveType": "String"
}
Parameters
-
PermissionArnsoptional - List -
Principalsoptional - List -
AllowExternalPrincipalsoptional - Boolean -
ResourceArnsoptional - List -
Tagsoptional - List of Tag -
Namerequired - String
Explanation in CloudFormation Registry
Specifies a resource share.
Frequently asked questions
What is AWS RAM Principal Association?
AWS RAM Principal Association is a resource for RAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS RAM Principal Association?
For Terraform, the frednotet/msm-tf-aws-tgw, Graham-M/terraform-transit-gw-example and cicdenv/cicdenv source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the deiselira/aws, deiselira/aws and awsandy/ecs-workshop source code examples are useful. See the CloudFormation Example section for further details.
