RAM resource sharing between accounts fails

[2stacks]

When sharing TGW between two accounts in AWS GovCloud, terraform apply has to be executed multiple times before resource sharing is created successfully.

Versions

terraform = v0.13.5
aws provider = v3.2.0
transit-gateway module = 1.3.0

Module settings

Account A

create_tgw = true 
share_tgw = true
ram_allow_external_principals = true
ram_principals = [<account_b>]

Account B

create_tgw = false 
share_tgw = true

First terraform apply shows the following in the output;

module.usgce_tgw.aws_ram_resource_share.this[0]: Creation complete after 1s [id=arn:aws-us-gov:ram:us-gov-east-1:<acct_id>:resource-share/<id>]
module.usgce_tgw_poclab_peer.aws_ram_resource_share_accepter.this[0]: Creating...
module.usgce_tgw.aws_ram_principal_association.this[0]: Creation complete after 1s [id=arn:aws-us-gov:ram:us-gov-east-1:<account_id>:resource-share/<id>]
module.usgce_tgw.aws_ram_resource_association.this[0]: Creation complete after 2s [id=arn:aws-us-gov:ram:us-gov-east-1:<account_id>:resource-share/<id>,arn:aws-us-gov:ec2:us-gov-east-1:<account_id>:transit-gateway/tgw-<id>]

But the apply fails with the following error;

Error: No RAM Resource Share (arn:aws-us-gov:ram:us-gov-east-1:<account_id>:resource-share/<id>) invitation found

Running terraform plan again shows that the resource still needs to be created;

# module.usgce_tgw_poclab_peer.aws_ram_resource_share_accepter.this[0] will be created

Running terraform apply again successfully accepts the pending resources share in the second account but the apply fails with the following error;

Error: error retrieving resource shares: UnknownResourceException: ResourceShare arn:aws-us-gov:ram:us-gov-east-1:<account_id>:resource-share/<id> could not be found.

After running terraform apply two more times the existing share/invitation is deleted and accepted successfully.
First run;

Error: No RAM Resource Share (arn:aws-us-gov:ram:us-gov-east-1:<account_id>:resource-share/<id>) invitation found

Second run;

module.usgce_tgw_poclab_peer.aws_ram_resource_share_accepter.this[0]: Creating...
module.usgce_tgw_poclab_peer.aws_ram_resource_share_accepter.this[0]: Creation complete after 2s [id=arn:aws-us-gov:ram:us-gov-east-1:<account_id>:resource-share/<id>]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

[2stacks]

Possible solution found here - https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep#triggers-usage Will test and report back.

[2stacks]

I was able to delay the creation of the aws_ram_resource_share_accepter resource by adding this to the second accounts' transit-gateway module config. I assumed that the resource share wouldn't complete without this arn.

depends_on = [module.account_a_tgw.this_ec2_transit_gateway_arn]

[tfhartmann]

@2stacks thanks! I'm going to close this issue.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.