83 changes: 81 additions & 2 deletions apis/v1alpha1/resource_share.go


91 changes: 88 additions & 3 deletions config/crd/bases/ram.services.k8s.aws_resourceshares.yaml
@@ -41,17 +41,50 @@ spec:
ResourceShareSpec defines the desired state of ResourceShare.

Describes a resource share in RAM.

This resource can operate in two modes:
1. Create Mode (default): Creates a new resource share and shares resources with principals
2. Accept Mode: Accepts an incoming resource share invitation from another account

To use Accept Mode, set the acceptInvitation field with the ShareARN of the incoming share.
In Accept Mode, most other fields (name, principals, resourceARNs, etc.) are ignored.
properties:
acceptInvitation:
description: |-
AcceptInvitation configures this resource to accept an incoming share invitation
instead of creating a new share. When set, the controller will:
1. Find the pending invitation for the specified ShareARN
2. Accept the invitation
3. Populate status with invitation details

This is mutually exclusive with creating a new share. When acceptInvitation
is set, fields like name, principals, and resourceARNs are ignored.

Use this when you want to accept a share from another AWS account.
properties:
shareARN:
description: |-
The Amazon Resource Name (ARN) of the resource share to accept.
This should be the ARN of the share that was created by another account.
type: string
required:
- shareARN
type: object
allowExternalPrincipals:
description: |-
Specifies whether principals outside your organization in Organizations can
be associated with a resource share. A value of true lets you share with
individual Amazon Web Services accounts that are not in your organization.
A value of false only has meaning if your account is a member of an Amazon
Web Services Organization. The default value is true.

This field is ignored when acceptInvitation is set.
type: boolean
name:
description: Specifies the name of the resource share.
description: |-
Specifies the name of the resource share.

This field is ignored when acceptInvitation is set.
type: string
permissionARNs:
description: |-
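Review bot: The acceptInvitation description (and the mode text at the top of ResourceShareSpec) says name, principals, resourceARNs and the other create-mode fields are silently ignored when acceptInvitation is set, but nothing in this schema enforces that, so a manifest that sets both acceptInvitation and principals/resourceARNs is admitted and the user gets no signal that the share they thought they were granting was never created. Reject the combination at admission instead, e.g. with a CEL rule on the spec object such as `rule: "!has(self.acceptInvitation) || (!has(self.principals) && !has(self.resourceARNs))"` and a message that names the two modes, or at minimum have the controller surface a warning condition. Also, shareARN is the only input that selects which invitation gets accepted (the sharing account is embedded in it), so a `pattern:` restricting it to a RAM resource-share ARN would catch pasting an invitation ARN or a resource ARN by mistake.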
@@ -60,6 +93,8 @@ spec:
specify an ARN for the permission, RAM automatically attaches the default
version of the permission for each resource type. You can associate only
one permission with each resource type included in the resource share.

This field is ignored when acceptInvitation is set.
items:
type: string
type: array
@@ -104,20 +139,26 @@ spec:
Not all resource types can be shared with IAM roles and users. For more information,
see Sharing with IAM roles and users (https://docs.aws.amazon.com/ram/latest/userguide/permissions.html#permissions-rbp-supported-resource-types)
in the Resource Access Manager User Guide.

This field is ignored when acceptInvitation is set.
items:
type: string
type: array
resourceARNs:
description: |-
Specifies a list of one or more ARNs of the resources to associate with the
resource share.

This field is ignored when acceptInvitation is set.
items:
type: string
type: array
sources:
description: |-
Specifies from which source accounts the service principal has access to
the resources in this resource share.

This field is ignored when acceptInvitation is set.
items:
type: string
type: array
@@ -126,6 +167,8 @@ spec:
A list of one or more tag key and value pairs. The tag key must be present
and not be an empty string. The tag value must be present but can be an empty
string.

This field is ignored when acceptInvitation is set.
items:
description: |-
A structure containing a tag. A tag is metadata that you can attach to your
@@ -143,8 +186,6 @@ spec:
type: string
type: object
type: array
required:
- name
type: object
status:
description: ResourceShareStatus defines the observed state of ResourceShare
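Review bot: Dropping `name` from `required` (the removed `- name` entry) means a spec with neither `name` nor `acceptInvitation` now passes admission and only fails later when the controller tries to create the share, which needs a name. Keep the invariant in the schema with a CEL rule such as `rule: "has(self.acceptInvitation) || has(self.name)"` and a message like "name is required unless acceptInvitation is set", so the mistake is reported at apply time rather than as a reconcile error.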
@@ -240,6 +281,23 @@ spec:
but the customer ran the PromoteResourceShareCreatedFromPolicy and that
operation is still in progress. This value changes to STANDARD when complete.
type: string
invitationARN:
description: |-
The ARN of the invitation that was accepted.
Only populated in Accept Mode.
type: string
invitationStatus:
description: |-
The current status of the invitation.
Possible values: PENDING, ACCEPTED, REJECTED, EXPIRED
Only populated in Accept Mode.
type: string
invitationTime:
description: |-
The date and time when the invitation was sent.
Only populated in Accept Mode.
format: date-time
type: string
lastUpdatedTime:
description: The date and time when the resource share was last updated.
format: date-time
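Review bot: invitationStatus lists PENDING, ACCEPTED, REJECTED, EXPIRED only in its description; add an `enum:` with those four values so the set is machine-checked, and document what the controller does when the invitation it finds for the shareARN is already EXPIRED or REJECTED (there is nothing left to accept, so the resource should report a terminal condition rather than retry indefinitely). The description of invitationARN should also say whether it is populated when no pending invitation exists at all, since that is the case a receiver will hit first if the sharer has not yet created the share.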
@@ -248,6 +306,33 @@ spec:
description: The ID of the Amazon Web Services account that owns the
resource share.
type: string
receiverAccountID:
description: |-
The ID of the AWS account that received the invitation.
Only populated in Accept Mode.
type: string
resources:
description: |-
The resources included in the resource share.
Only populated in Accept Mode.
items:
type: string
type: array
senderAccountID:
description: |-
The ID of the AWS account that sent the invitation.
Only populated in Accept Mode.
type: string
shareName:
description: |-
The name of the resource share.
Only populated in Accept Mode.
type: string
shareStatus:
description: |-
The current status of the resource share.
Only populated in Accept Mode.
type: string
status:
description: The current status of the resource share.
type: string
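Review bot: `shareStatus` ("The current status of the resource share.", accept mode only) and the pre-existing `status` field two entries below ("The current status of the resource share.") have identical descriptions, so a reader cannot tell where each comes from or why both exist; state the source of shareStatus (the invitation's view of the share versus the controller's own lookup of the share) or drop the duplicate. `resources` is typed as bare strings; say that these are resource ARNs (as the example file shows) and whether they reflect the associations at invitation time or are refreshed on each reconcile, because a receiver will use this list to decide what it has actually been granted. `senderAccountID` is the value a receiver should compare against the account it expected from shareARN; a sentence saying so in the description would make the trust check obvious.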
93 changes: 93 additions & 0 deletions examples/resource-share-integrated-modes.yaml
@@ -0,0 +1,93 @@
---
# Example 1: Create Mode (Default)
# This creates a new resource share in Account A and shares resources with Account B
apiVersion: ram.services.k8s.aws/v1alpha1
kind: ResourceShare
metadata:
name: my-resource-share
namespace: default
spec:
# Create Mode: Specify name and resources to share
name: my-shared-resources
allowExternalPrincipals: true
principals:
- "123456789012" # Account B's AWS account ID
resourceARNs:
- "arn:aws:ec2:us-west-2:111111111111:subnet/subnet-12345678"
- "arn:aws:ec2:us-west-2:111111111111:transit-gateway/tgw-12345678"
tags:
- key: Environment
value: Production
- key: Owner
value: TeamA

---
# Example 2: Accept Mode
# This accepts an incoming resource share invitation in Account B
apiVersion: ram.services.k8s.aws/v1alpha1
kind: ResourceShare
metadata:
name: accepted-share-from-account-a
namespace: default
spec:
# Accept Mode: Specify acceptInvitation with the ShareARN
acceptInvitation:
shareARN: "arn:aws:ram:us-west-2:111111111111:resource-share/12345678-1234-1234-1234-123456789012"

# Note: In Accept Mode, the following fields are ignored:
# - name
# - allowExternalPrincipals
# - principals
# - resourceARNs
# - permissionARNs
# - sources
# - tags

---
# Example 3: Cross-Account Workflow
#
# Step 1: Account A (Sharer) creates a ResourceShare
# Deploy this in Account A's cluster:
apiVersion: ram.services.k8s.aws/v1alpha1
kind: ResourceShare
metadata:
name: saas-provider-share
namespace: default
spec:
name: saas-provider-resources
allowExternalPrincipals: true
principals:
- "999999999999" # Customer's AWS account ID
resourceARNs:
- "arn:aws:ec2:us-west-2:111111111111:subnet/subnet-abcdef12"

---
# Step 2: Account B (Customer) accepts the invitation
# Deploy this in Account B's cluster:
apiVersion: ram.services.k8s.aws/v1alpha1
kind: ResourceShare
metadata:
name: accepted-saas-resources
namespace: default
spec:
acceptInvitation:
shareARN: "arn:aws:ram:us-west-2:111111111111:resource-share/abcdef12-abcd-abcd-abcd-abcdef123456"

---
# Example 4: Checking Status in Accept Mode
# After accepting, the status will include invitation details:
#
# status:
# ackResourceMetadata:
# arn: arn:aws:ram:us-west-2:111111111111:resource-share/abcdef12-abcd-abcd-abcd-abcdef123456
# conditions: [...]
# invitationARN: arn:aws:ram:us-west-2:111111111111:resource-share-invitation/12345678-1234-1234-1234-123456789012
# invitationStatus: ACCEPTED
# senderAccountID: "111111111111"
# receiverAccountID: "999999999999"
# shareName: saas-provider-resources
# invitationTime: "2024-01-15T10:30:00Z"
# resources:
# - "arn:aws:ec2:us-west-2:111111111111:subnet/subnet-abcdef12"
# shareStatus: ACCEPTED

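Review bot: Example 4 shows `shareStatus: ACCEPTED`, but ACCEPTED is one of the invitationStatus values the CRD documents (PENDING, ACCEPTED, REJECTED, EXPIRED); a RAM resource share's own status uses a different value set (ACTIVE, PENDING, FAILED, DELETING, DELETED), so either the sample status or the field's source needs correcting. The accept-mode examples (Example 2 and Example 3 step 2) should also say what the receiver is trusting: the account ID embedded in shareARN (111111111111 here) is the only thing pinning which sender's share gets accepted, so add a comment telling users to confirm that ID out of band and to check `senderAccountID` and `resources` in status after acceptance before depending on the shared subnet. Finally, `allowExternalPrincipals: true` in Examples 1 and 3 is needed for cross-account sharing outside an Organization, as the field's description says, but a comment noting that (and that false is the tighter setting when both accounts are in the same organization) would keep readers from copying `true` into in-org shares.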