* 2.12.0 -- 2025-06-23

- share-resources - add share_explict_enabled to force creation of aws_ram_resource_association, not needed within the same organization and sharing enabled
terraform-modules · Jun 23, 2025 · 3c84970 · 3c84970
1 parent 3974ed8
commit 3c84970
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -476,3 +476,6 @@
   - vpc-interface-endpoint
     - add arn output to vpce_service_info
 
+* 2.12.0 -- 2025-06-23
+  - share-resources
+    - add share_explict_enabled to force creation of aws_ram_resource_association, not needed within the same organization and sharing enabled
diff --git a/common/version.tf b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.11.9"
+  _module_version = "2.12.0"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

diff --git a/share-resources/README.md b/share-resources/README.md
@@ -66,3 +66,75 @@ No modules.
 ## Outputs
 
 No outputs.
+
+<!-- BEGIN_TF_DOCS -->
+# About aws-vpc-setup ::  share-resources
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
+| <a name="requirement_ldap"></a> [ldap](#requirement\_ldap) | >= 0.5.4 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0.0 |
+| <a name="provider_aws.org_master"></a> [aws.org\_master](#provider\_aws.org\_master) | >= 4.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ram_principal_association.subnets_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_principal_association) | resource |
+| [aws_ram_principal_association.subnets_organizational_units](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_principal_association) | resource |
+| [aws_ram_resource_association.subnets_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |
+| [aws_ram_resource_association.subnets_organizational_units](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |
+| [aws_ram_resource_share.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_share) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_arn.org_master_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.org_master_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_organizations_resource_tags.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_resource_tags) | data source |
+| [aws_organizations_resource_tags.organizational_units](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_resource_tags) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| <a name="input_org_master_profile"></a> [org\_master\_profile](#input\_org\_master\_profile) | AWS Organization Master account profile | `string` | n/a | yes |
+| <a name="input_org_master_region"></a> [org\_master\_region](#input\_org\_master\_region) | AWS Organization Master region (see docs: https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-organizations.html) | `string` | n/a | yes |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_private_subnets_ids"></a> [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id, arn, tags | <pre>list(object({<br/>    subnet            = string<br/>    label             = string<br/>    availability_zone = string<br/>    id                = string<br/>    arn               = optional(string, null)<br/>    tags              = optional(map(string), {})<br/>  }))</pre> | `[]` | no |
+| <a name="input_share_account_list"></a> [share\_account\_list](#input\_share\_account\_list) | List of AWS Account IDs to share VPC/subnets into.  If the account is not part of the organziation, this will produce an error. | `list(string)` | `[]` | no |
+| <a name="input_share_enabled"></a> [share\_enabled](#input\_share\_enabled) | Flag indiciating whether to share resources to other accounts and OUs | `bool` | `false` | no |
+| <a name="input_share_explicit_enabled"></a> [share\_explicit\_enabled](#input\_share\_explicit\_enabled) | Flag indiciating whether to share resources explicitly | `bool` | `false` | no |
+| <a name="input_share_organizational_unit_list"></a> [share\_organizational\_unit\_list](#input\_share\_organizational\_unit\_list) | List of Organizational Unit IDs to share VPC/subnets into.  This does not check if they are OUs. | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/share-resources/share.tf b/share-resources/share.tf
@@ -70,7 +70,7 @@ resource "aws_ram_principal_association" "subnets_accounts" {
 }
 
 resource "aws_ram_resource_association" "subnets_accounts" {
-  for_each           = var.share_enabled ? local.share_account_map : {}
+  for_each           = var.share_enabled && var.share_explicit_enabled ? local.share_account_map : {}
   resource_arn       = each.value.subnet_arn
   resource_share_arn = aws_ram_resource_share.subnets[each.value.subnet_id].arn
 }
@@ -95,7 +95,7 @@ resource "aws_ram_principal_association" "subnets_organizational_units" {
 }
 
 resource "aws_ram_resource_association" "subnets_organizational_units" {
-  for_each           = var.share_enabled ? local.share_organizational_unit_map : {}
+  for_each           = var.share_enabled && var.share_explicit_enabled ? local.share_organizational_unit_map : {}
   resource_arn       = each.value.subnet_arn
   resource_share_arn = aws_ram_resource_share.subnets[each.value.subnet_id].arn
 }
diff --git a/share-resources/variables.tf b/share-resources/variables.tf
@@ -16,6 +16,16 @@ variable "share_enabled" {
   default     = false
 }
 
+# this is to disable the creation of the aws_ram_resource_association, not necessary within the same organization
+# with sharing enabled.  See:
+# https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html
+
+variable "share_explicit_enabled" {
+  description = "Flag indiciating whether to share resources explicitly"
+  type        = bool
+  default     = false
+}
+
 variable "share_account_list" {
   description = "List of AWS Account IDs to share VPC/subnets into.  If the account is not part of the organziation, this will produce an error."
   type        = list(string)