aws-ram-resource-share-acceptor-cdk-construct
v1.2.1
An AWS CDK construct designed to automate acceptance of a resource shared via AWS RAM from a different account.
It is compiled with JSII and is intended to be usable in Go, Java, Javascript (Node), .NET, and Python.
how it works
Suppose you want to use AWS Resource Access Manager to share a resource between accounts, and you want to manage this with AWS CDK.
There are two halves to sharing your resource with another account:
- in the resource owner account ("sender account"), create a CfnResourceShare construct to initiate sharing;
- in the receiver account, accept the resource share. But how? There is no equivalent CDK construct!
This package implements a generic way to accept resource shares through AWS Resource Access Manager in your CDK, then to reference that resource's ARN in the rest of your CDK code. This library supports all shareable AWS resources.
The key construct is RamSharedResource. It represents a single shared resource.
Configure this construct with your resource's identifying information (resource type, owner account ID, etc.).
Here is how it is designed to behave:
Case A: If RamSharedResource finds this resource already accepted, it does nothing further but simply provides the resource ARN to your stack.
Case B: If instead it does not find the resource but finds an invitation for it, it accepts the invitation. Now we are in Case A.
Case C: If RamSharedResource finds neither the resource nor an invitation for it, it fails the creation or update.
By default, RamSharedResource re-checks for the given resource on every stack update, even if its own inputs haven't changed. This mode helps surface problems earlier and closer to the root cause.
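The following is an added example, not the construct's own code: it models the Case A / B / C decision described above against an in-memory stand-in for the RAM API, so it runs without an AWS account. The real construct performs this lookup inside a Lambda with the AWS SDK; the record shapes, the FakeRam methods and all ARNs below are assumptions and constructed sample values that mirror RAM's GetResourceShares, ListResources and GetResourceShareInvitations calls only as far as the decision needs them.

```typescript
// Added example, not the construct's own code. Record shapes, FakeRam and all
// ARNs are assumptions / constructed placeholders, not real AWS resources.

type InvitationStatus = "PENDING" | "ACCEPTED" | "REJECTED" | "EXPIRED";

interface ResourceShare { resourceShareArn: string; name: string; owningAccountId: string }
interface SharedResource { arn: string; type: string; resourceShareArn: string }
interface Invitation {
  resourceShareInvitationArn: string;
  resourceShareName: string;
  resourceShareArn: string;
  senderAccountId: string;
  status: InvitationStatus;
}

// The three filters RamSharedResource takes.
interface RamSharedResourceProps { resourceType: string; senderAccountId: string; shareName: string }

// Synchronous stand-in for the receiver account's view of RAM.
class FakeRam {
  private accepted = new Set<string>(); // share ARNs this account has accepted

  constructor(
    private shares: ResourceShare[],
    private resources: SharedResource[],
    private invitations: Invitation[],
  ) {
    for (const i of invitations) if (i.status === "ACCEPTED") this.accepted.add(i.resourceShareArn);
  }

  // Shares owned by other accounts are visible only once their invitation was accepted.
  listAcceptedShares(): ResourceShare[] {
    return this.shares.filter((s) => this.accepted.has(s.resourceShareArn));
  }

  listSharedResources(resourceType: string): SharedResource[] {
    return this.resources.filter((r) => r.type === resourceType && this.accepted.has(r.resourceShareArn));
  }

  listInvitations(): Invitation[] {
    return this.invitations;
  }

  acceptInvitation(invitationArn: string): void {
    const inv = this.invitations.find((i) => i.resourceShareInvitationArn === invitationArn);
    if (!inv || inv.status !== "PENDING") throw new Error(`invitation ${invitationArn} is not pending`);
    inv.status = "ACCEPTED";
    this.accepted.add(inv.resourceShareArn);
  }
}

interface Outcome { case: "A" | "B"; resourceArn: string }

// Case A lookup: a resource of the requested type inside an accepted share whose
// name and owner match. More than one match means the filters did not narrow
// the choice enough, so refuse rather than guess.
function findAcceptedResource(ram: FakeRam, p: RamSharedResourceProps): string | undefined {
  const shareArns = new Set(
    ram.listAcceptedShares()
      .filter((s) => s.name === p.shareName && s.owningAccountId === p.senderAccountId)
      .map((s) => s.resourceShareArn),
  );
  const matches = ram.listSharedResources(p.resourceType).filter((r) => shareArns.has(r.resourceShareArn));
  if (matches.length > 1) throw new Error(`filters match ${matches.length} resources; narrow them down`);
  return matches.length === 1 ? matches[0].arn : undefined;
}

function resolveSharedResource(ram: FakeRam, p: RamSharedResourceProps): Outcome {
  const existing = findAcceptedResource(ram, p); // Case A
  if (existing !== undefined) return { case: "A", resourceArn: existing };

  // Case B: only a PENDING invitation from the expected sender can be accepted.
  const invite = ram.listInvitations().find(
    (i) => i.status === "PENDING" && i.resourceShareName === p.shareName && i.senderAccountId === p.senderAccountId,
  );
  if (invite) {
    ram.acceptInvitation(invite.resourceShareInvitationArn);
    const arn = findAcceptedResource(ram, p);
    if (arn !== undefined) return { case: "B", resourceArn: arn };
    throw new Error(`accepted ${invite.resourceShareInvitationArn}, but the share holds no ${p.resourceType} resource`);
  }

  // Case C: neither an accepted resource nor a usable invitation (an EXPIRED one counts as absent).
  throw new Error(`no accepted resource and no pending invitation for share "${p.shareName}" from ${p.senderAccountId}`);
}

// Constructed sample data; the ids inside the ARNs are placeholders.
const SAMPLE_SHARE_ARN = "arn:aws:ram:us-east-1:000111222333:resource-share/EXAMPLE-SHARE-ID";
const SAMPLE_DOMAIN_ARN = "arn:aws:apigateway:us-east-1:000111222333:/domainnames/EXAMPLE-DOMAIN-ID";

function sampleRam(): FakeRam {
  return new FakeRam(
    [{ resourceShareArn: SAMPLE_SHARE_ARN, name: "ApiGwPrivateDomainName", owningAccountId: "000111222333" }],
    [{ arn: SAMPLE_DOMAIN_ARN, type: "apigateway:Domainnames", resourceShareArn: SAMPLE_SHARE_ARN }],
    [
      { resourceShareInvitationArn: "arn:aws:ram:us-east-1:123456789012:resource-share-invitation/EXAMPLE-INV-1",
        resourceShareName: "ApiGwPrivateDomainName", resourceShareArn: SAMPLE_SHARE_ARN,
        senderAccountId: "000111222333", status: "PENDING" },
      // An invitation left past the 12-hour window: it no longer qualifies, so its share ends in Case C.
      { resourceShareInvitationArn: "arn:aws:ram:us-east-1:123456789012:resource-share-invitation/EXAMPLE-INV-2",
        resourceShareName: "OldShare", resourceShareArn: "arn:aws:ram:us-east-1:000111222333:resource-share/EXAMPLE-OLD-ID",
        senderAccountId: "000111222333", status: "EXPIRED" },
    ],
  );
}
```

Running resolveSharedResource twice on the same sample data shows the two deploy paths: the first call takes Case B (accepts the pending invitation and returns the ARN), the second, as on a later stack update, takes Case A and returns the same ARN without touching RAM. The sender-account filter is what keeps a same-named share offered by an unrelated account from being accepted by mistake.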
usage example
In this example, account 000111222333 has an API Gateway private API, creates a custom domain name for it, and wants to share this custom domain name with account 123456789012.
in resource owner account (000111222333)
```ts
import * as apigw from "aws-cdk-lib/aws-apigateway";
import * as ram from "aws-cdk-lib/aws-ram";

const pcd = new apigw.CfnDomainNameV2(/* ... */); // resource you are sharing

new ram.CfnResourceShare(this, "pcd-public-share", {
  name: "ApiGwPrivateDomainName",
  principals: ["123456789012"],
  resourceArns: [pcd.attrDomainNameArn],
});
```

Once this is deployed, Resource Access Manager will extend an invitation to account 123456789012 to have access to the custom domain name. That account will have 12 hours to accept.
in resource receiver account (123456789012)
```ts
import * as apigw from "aws-cdk-lib/aws-apigateway";
import { RamSharedResource } from "aws-ram-resource-share-acceptor-cdk-construct";

const pcd = new RamSharedResource(this, "ram-shared-pcd", {
  resourceType: "apigateway:Domainnames",
  senderAccountId: "000111222333",
  shareName: "ApiGwPrivateDomainName",
});

new apigw.CfnDomainNameAccessAssociation(this, "dnaa", {
  domainNameArn: pcd.resourceArn, // reference the received resource
  // ...
});
```

The three arguments to RamSharedResource are intended to narrow down which shared resource you intend to accept. All three are required.
`resourceType` is documented at AWS shareable resources; `shareName` must match the `name` attribute of `ram.CfnResourceShare` on the sender/owner side.
Once this is deployed, a Lambda function will run, look for the invitation matching the filters, and accept it.
development / contributing
I welcome ideas for improvements. Please lead with an issue so that we can discuss the customer problem and agree on a solution.
This library is written in TypeScript, and it uses JSII to package it for several other languages. The project's CI workflow builds this library and verifies that it can build for all the supported languages. The CI workflow publishes this library on npmjs, but not in any other language's package manager (yet).
This library has unit tests. These run automatically for every commit and merge request.
This library also has a test application. The test application sets up infrastructure in both accounts, owner and receiver. If you make a change to the library, use the test application to verify that the library still works.
