From 8c014bb23f0cbcc8abe6063bc40e281a565f8e8f Mon Sep 17 00:00:00 2001
From: badra001 <donald.e.badrak.ii@census.gov>
Date: Wed, 25 Jun 2025 08:19:55 -0400
Subject: [PATCH] * 2.12.1 -- 2025-06-25   - share-resources     - remove
 share_explict_enabled     - fix ram resource share to share subnets only once

---
 CHANGELOG.md                 |  5 +++++
 common/version.tf            |  2 +-
 share-resources/README.md    |  4 +---
 share-resources/share.tf     | 18 ++++++++----------
 share-resources/variables.tf | 10 ----------
 5 files changed, 15 insertions(+), 24 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7a5459a..16bb6dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -479,3 +479,8 @@
 * 2.12.0 -- 2025-06-23
   - share-resources
     - add share_explict_enabled to force creation of aws_ram_resource_association, not needed within the same organization and sharing enabled
+
+* 2.12.1 -- 2025-06-25
+  - share-resources
+    - remove share_explict_enabled
+    - fix ram resource share to share subnets only once
diff --git a/common/version.tf b/common/version.tf
index afa03be..54ea97f 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.12.0"
+  _module_version = "2.12.1"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 
diff --git a/share-resources/README.md b/share-resources/README.md
index af84da5..d09fdb7 100644
--- a/share-resources/README.md
+++ b/share-resources/README.md
@@ -99,8 +99,7 @@ No modules.
 |------|------|
 | [aws_ram_principal_association.subnets_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_principal_association) | resource |
 | [aws_ram_principal_association.subnets_organizational_units](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_principal_association) | resource |
-| [aws_ram_resource_association.subnets_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |
-| [aws_ram_resource_association.subnets_organizational_units](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |
+| [aws_ram_resource_association.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |
 | [aws_ram_resource_share.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_share) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_arn.org_master_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
@@ -125,7 +124,6 @@ No modules.
 | <a name="input_private_subnets_ids"></a> [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id, arn, tags | <pre>list(object({<br/>    subnet            = string<br/>    label             = string<br/>    availability_zone = string<br/>    id                = string<br/>    arn               = optional(string, null)<br/>    tags              = optional(map(string), {})<br/>  }))</pre> | `[]` | no |
 | <a name="input_share_account_list"></a> [share\_account\_list](#input\_share\_account\_list) | List of AWS Account IDs to share VPC/subnets into.  If the account is not part of the organziation, this will produce an error. | `list(string)` | `[]` | no |
 | <a name="input_share_enabled"></a> [share\_enabled](#input\_share\_enabled) | Flag indiciating whether to share resources to other accounts and OUs | `bool` | `false` | no |
-| <a name="input_share_explicit_enabled"></a> [share\_explicit\_enabled](#input\_share\_explicit\_enabled) | Flag indiciating whether to share resources explicitly | `bool` | `false` | no |
 | <a name="input_share_organizational_unit_list"></a> [share\_organizational\_unit\_list](#input\_share\_organizational\_unit\_list) | List of Organizational Unit IDs to share VPC/subnets into.  This does not check if they are OUs. | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no |
diff --git a/share-resources/share.tf b/share-resources/share.tf
index 5de80ae..62b8fa9 100644
--- a/share-resources/share.tf
+++ b/share-resources/share.tf
@@ -51,6 +51,7 @@ resource "aws_ram_resource_share" "subnets" {
 ##   resource_share_arn = aws_ram_resource_share.subnets[each.key].arn
 ## }
 
+
 #---
 # accounts
 #---
@@ -69,12 +70,6 @@ resource "aws_ram_principal_association" "subnets_accounts" {
   resource_share_arn = aws_ram_resource_share.subnets[each.value.subnet_id].arn
 }
 
-resource "aws_ram_resource_association" "subnets_accounts" {
-  for_each           = var.share_enabled && var.share_explicit_enabled ? local.share_account_map : {}
-  resource_arn       = each.value.subnet_arn
-  resource_share_arn = aws_ram_resource_share.subnets[each.value.subnet_id].arn
-}
-
 #---
 # organizational units
 #---
@@ -94,8 +89,11 @@ resource "aws_ram_principal_association" "subnets_organizational_units" {
   resource_share_arn = aws_ram_resource_share.subnets[each.value.subnet_id].arn
 }
 
-resource "aws_ram_resource_association" "subnets_organizational_units" {
-  for_each           = var.share_enabled && var.share_explicit_enabled ? local.share_organizational_unit_map : {}
-  resource_arn       = each.value.subnet_arn
-  resource_share_arn = aws_ram_resource_share.subnets[each.value.subnet_id].arn
+#---
+# subnets
+#---
+resource "aws_ram_resource_association" "subnets" {
+  for_each           = var.share_enabled && (length(local.share_organizational_unit_map) > 0 || length(local.share_account_map) > 0) ? local.shared_subnets : {}
+  resource_arn       = each.value.arn
+  resource_share_arn = aws_ram_resource_share.subnets[each.key].arn
 }
diff --git a/share-resources/variables.tf b/share-resources/variables.tf
index c9828be..82ad9e5 100644
--- a/share-resources/variables.tf
+++ b/share-resources/variables.tf
@@ -16,16 +16,6 @@ variable "share_enabled" {
   default     = false
 }
 
-# this is to disable the creation of the aws_ram_resource_association, not necessary within the same organization
-# with sharing enabled.  See:
-# https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html
-
-variable "share_explicit_enabled" {
-  description = "Flag indiciating whether to share resources explicitly"
-  type        = bool
-  default     = false
-}
-
 variable "share_account_list" {
   description = "List of AWS Account IDs to share VPC/subnets into.  If the account is not part of the organziation, this will produce an error."
   type        = list(string)