RAM Sharing to an OU no longer functioning. #15

Closed
apmclean opened this issue Jul 25, 2023 · 1 comment · Fixed by #16
@apmclean
Contributor

Describe the bug
Share within an OU

To Reproduce
Any VPC with an OU shared with

  dev:
    style: workloadIsolated
    vpcCidr: 10.0.0.0/16
    subnets:
      workload:
        cidrMask: 18
        sharedWith:
          - ou-abcd-efg

Expected behavior
RAM Share works

Additional context
CloudFormation returns 'OperationNotPermittedException;'

@apmclean apmclean self-assigned this Jul 25, 2023
@apmclean apmclean added the bug Something isn't working label Jul 25, 2023
@apmclean
Contributor Author

Originally the code formed a sharing principal ARN using:

            ramPrincipals.push(
              `arn:aws:organizations::${this.account}:ou/${this.props.organizationId}/${sharedWith}`
            );

Which uses the ARN of the account CloudFormation is deploying within. This was accepted by CloudFormation but no longer appears to be.

Instead the ARN of the Organizational Main account seems to be required.

apmclean added a commit that referenced this issue Jul 25, 2023
- Resolves bug around RAM Sharing and Principal ARN construction.
- Historically the OU ARN could be constructed using the 'this' account ID and it would share. That no longer works.
- Added the `organizationMainAccountId` to the global section
- Added a bypass to use legacy method (this.account) for existing shares that are working `legacyRamShare`.
- Updated test cases.
@apmclean apmclean linked a pull request Jul 25, 2023 that will close this issue
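
The principal construction described in the comment and commit message above, as an added TypeScript example that is not the project's own code. Only `organizationMainAccountId` and `legacyRamShare` are taken from the commit message; the interface, function names, and sample IDs are hypothetical, and accepting bare account IDs in `sharedWith` is an assumption.

```typescript
// Added example: not the project's code. Only organizationMainAccountId and
// legacyRamShare come from the commit message; every other name is hypothetical.
interface RamShareOptions {
  deployingAccountId: string;        // what `this.account` resolves to in the stack
  organizationId: string;            // e.g. "o-exampleorg" (constructed value)
  organizationMainAccountId: string; // account that owns the AWS Organization
  legacyRamShare?: boolean;          // keep the old ARN form for shares that already work
}

const ACCOUNT_ID = /^\d{12}$/;
// Deliberately loose so the issue's placeholder "ou-abcd-efg" is accepted.
const OU_ID = /^ou-[0-9a-z]+-[0-9a-z]+$/;
const OU_ARN = /^arn:aws:organizations::(\d{12}):ou\//;

// Turn sharedWith entries into RAM principals. Bare account IDs pass through
// (assumption: sharedWith may hold them); OU IDs become OU ARNs.
function buildRamPrincipals(sharedWith: string[], opts: RamShareOptions): string[] {
  const ouOwner = opts.legacyRamShare
    ? opts.deployingAccountId
    : opts.organizationMainAccountId;
  if (!ACCOUNT_ID.test(ouOwner)) {
    throw new Error(`OU ARN account must be a 12-digit account ID, got "${ouOwner}"`);
  }
  return sharedWith.map((target) => {
    if (ACCOUNT_ID.test(target)) return target;
    if (OU_ID.test(target)) {
      return `arn:aws:organizations::${ouOwner}:ou/${opts.organizationId}/${target}`;
    }
    // Fail at synth time instead of letting CloudFormation reject the share.
    throw new Error(`sharedWith entry is neither an account ID nor an OU ID: ${target}`);
  });
}

// Audit helper: OU principals whose account field is not the organization's
// main account, i.e. the form the issue reports as no longer accepted.
function findMisownedOuPrincipals(principals: string[], mainAccountId: string): string[] {
  return principals.filter((p) => {
    const m = OU_ARN.exec(p);
    return m !== null && m[1] !== mainAccountId;
  });
}
```

Running `findMisownedOuPrincipals` over the principals of existing shares shows which ones still depend on the legacy form before `legacyRamShare` is switched off.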