terraform-provider-aws: Error: error associating RAM Resource Share: InvalidParameterException: The resource you are attempting to share can only be shared within your AWS Organization. This error may also occur if you have not enabled sharing with your AWS organization, or that onboarding process is still in progress.

Terraform Version

Terraform v0.12.20

  • provider.aws v2.50.0

Affected Resource(s)

aws_ram_resource_association

Terraform Configuration Files

```hcl
provider "aws" {
  alias = "networking"
}

# Creating all three confidential subnets
resource "aws_subnet" "app_confidential" {
  count                   = length(var.confidential_cidr_blocks)
  vpc_id                  = var.vpc_id
  cidr_block              = var.confidential_cidr_blocks[count.index]
  availability_zone       = var.availability_zones[count.index]
  map_public_ip_on_launch = false

  tags = merge(map(
    "Name",            "networking.app-confidential-${substr(var.availability_zones[count.index], 9, 10)}.subnet",
    "verisys:service", "vpc",
    "verisys:type",    "subnet",
  ), var.tags)
  provider = aws.networking
}

# Creating a resource share to share the subnets across accounts.
resource "aws_ram_resource_share" "app_confidential_resource_share" {
  count                     = length(var.confidential_cidr_blocks)
  name                      = "networking.app-confidential-${substr(var.availability_zones[count.index], 9, 10)}.resource-share"
  allow_external_principals = true

  tags = merge(map(
    "Name",            "networking.app-confidential-${substr(var.availability_zones[count.index], 9, 10)}.resource-share",
    "verisys:service", "ram",
    "verisys:type",    "resource-share",
  ), var.tags)
  provider = aws.networking
}

resource "aws_ram_principal_association" "app_confidential_resource_share_principal_association" {
  count              = length(var.confidential_cidr_blocks)
  principal          = var.ou_id
  resource_share_arn = aws_ram_resource_share.app_confidential_resource_share[count.index].arn
  provider           = aws.networking
}

resource "aws_ram_resource_association" "app_confidential_resource_share_resource_association" {
  count              = length(var.confidential_cidr_blocks)
  resource_arn       = aws_subnet.app_confidential[count.index].arn
  resource_share_arn = aws_ram_resource_share.app_confidential_resource_share[count.index].arn
  provider           = aws.networking
}
```

### Actual Behavior

It is working fine on the AWS side but it is still throwing this error.

### Steps to Reproduce

1. `terraform apply`

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 9
  • Comments: 16 (7 by maintainers)

Most upvoted comments

I don’t know why, but I disabled and enabled it with aws cli, it’s working now:

```shell
$ aws organizations disable-aws-service-access --service-principal ram.amazonaws.com
$ aws ram enable-sharing-with-aws-organization
```

I can confirm this same experience with a newly created organization. Enable/Disable solved the issue for me as well.

Disable and when Enable again fixed this issue for me.

via terraform on cli/console?

Via Console. it was enable by Terraform already.

yeah same, so the resource still has some issues, it does not enable programmatically it seems

As a workaround I have this in the module for the root of the organization:

```hcl
resource "null_resource" "ram" {
  provisioner "local-exec" {
    command = "aws ram enable-sharing-with-aws-organization"
  }

  triggers = {
    account_id = aws_organizations_organization.this.id
  }
}
```
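The `local-exec` workaround above re-runs `enable-sharing-with-aws-organization` as a side effect of every apply that touches the organization resource. A preflight check that only verifies the state, and fails loudly when RAM trusted access is missing, keeps the change to organization-wide trusted access a deliberate step done from the management account. The script below is an added example and is not from this thread or the provider: it assumes the `aws` CLI is configured with credentials for the management account, reads the JSON that `aws organizations list-aws-service-access-for-organization` returns, and looks for `ram.amazonaws.com` among the enabled service principals. The two `SAMPLE_*` documents are constructed, not captured from a real account, so the parsing function can be exercised offline.

```shell
#!/bin/sh
# Preflight check for the RAM associations in this issue: is AWS RAM trusted
# access enabled for the organization? Reads, on stdin, the JSON output of
#   aws organizations list-aws-service-access-for-organization --output json
# and returns 0 when ram.amazonaws.com is listed as an enabled principal.
ram_org_sharing_enabled() {
  grep -q '"ServicePrincipal": *"ram.amazonaws.com"'
}

# Constructed sample responses (assumed shape, not captured from an account),
# used to exercise ram_org_sharing_enabled without calling AWS.
SAMPLE_ENABLED='{ "EnabledServicePrincipals": [ { "ServicePrincipal": "ram.amazonaws.com", "DateEnabled": "2020-02-18T10:00:00Z" } ] }'
SAMPLE_DISABLED='{ "EnabledServicePrincipals": [] }'

# Wrapper to run before `terraform apply` in the networking account pipeline.
# It reports the state and exits non-zero rather than enabling sharing itself,
# so enabling trusted access stays an explicit, reviewed action in the
# management account instead of an implicit side effect of every apply.
preflight_ram_sharing() {
  if aws organizations list-aws-service-access-for-organization --output json \
      | ram_org_sharing_enabled; then
    echo "RAM sharing with the AWS Organization is enabled"
  else
    echo "RAM sharing with the AWS Organization is NOT enabled." >&2
    echo "From the management account run:" >&2
    echo "  aws ram enable-sharing-with-aws-organization" >&2
    echo "then retry the apply." >&2
    return 1
  fi
}
```

Run `preflight_ram_sharing` as a pipeline step before `terraform apply`; the error path prints the same enable command the thread uses, but leaves it for an operator with management-account credentials to run.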