hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Provide "decentralized" way of adding resources to an AWS Shield protection group #36242

Open ankon opened 7 months ago

ankon commented 7 months ago

Description

We're using AWS Shield, and would like to add specific resources to a protection group. Our workspaces are divided by region, and a "global" workspace that provides common resources and configuration. The regional workspaces consume outputs from the "global" one. The regional workspaces are identical, and handle "essentially" the same traffic (think webservers/edge CDNs).

A protection group would naturally be a global thing, and we could define it there without any members. However, we don't know the potential members in that global workspace, and there is no way to add them one-by-one in the regional workspaces.

We would like to propose a (pseudo?) resource aws_shield_protection_group_member, which takes as input a reference to the protection group (which our global workspace would be able to export), and a member ARN to update the group by adding this member.

An alternative we considered was to use the aws_lbs datasource to determine the members on the global level, but that would require some additional cross-region configuration (one "aws" provider per region?). This might be feasible, but would feel less clean and introduce a lot of duplication as well as require the global workspace to know all regions.

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

# Global
resource "aws_shield_protection_group" "group" {
  protection_group_id = "TheGroup"

  aggregation         = "MAX"
  pattern             = "ARBITRARY"
  members             = [ /* Initially empty */ ]
}

output "group_arn" {
  value = aws_shield_protection_group.group.arn
}

# Regional
data "terraform_remote_state" "global" {
  backend = "remote"

  config = {
    organization = "XXX"

    workspaces = {
      name = "global"
    }
  }
}

resource "aws_lb" "alb" {
  # ...
}

resource "aws_shield_protection_group_member" "alb" {
  protection_group_id = data.terraform_remote_state.global.outputs.group_arn

  member_arn = aws_lb.alb.arn
}

References

No response

Would you like to implement a fix?

None
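To show what the proposed per-member resource would have to do underneath, here is an added example (not code from the issue or from the provider) of the read-modify-write that the Shield API forces: UpdateProtectionGroup replaces the whole Members list and requires Aggregation and Pattern again, and Members is only valid for the ARBITRARY pattern used in the config above. The client is duck-typed against the boto3 Shield call shapes, and the FakeShieldClient and ARNs are constructed stand-ins so it runs offline.

```python
"""Idempotent 'add one member' on an AWS Shield protection group.

The Shield API has no AddMember call: UpdateProtectionGroup overwrites the
full Members list, so a per-member resource must describe the group, merge,
and write the complete definition back. Two regional workspaces doing this
concurrently can still clobber each other (last writer wins), which is the
caveat any implementation of this resource needs to handle (e.g. a lock or
a retry that re-reads before writing).
"""


def add_protection_group_member(shield, group_id, member_arn):
    """Add member_arn to the group and return the resulting member list.

    Idempotent: if the ARN is already a member, nothing is written back.
    """
    group = shield.describe_protection_group(ProtectionGroupId=group_id)["ProtectionGroup"]
    if group["Pattern"] != "ARBITRARY":
        # Members may only be set when Pattern is ARBITRARY; ALL and
        # BY_RESOURCE_TYPE groups derive their membership automatically.
        raise ValueError(f"group {group_id!r} uses pattern {group['Pattern']!r}; "
                         "explicit members are only allowed for ARBITRARY")
    members = list(group.get("Members", []))
    if member_arn in members:
        return members
    members.append(member_arn)
    # Aggregation and Pattern are required on every update, not just Members.
    shield.update_protection_group(
        ProtectionGroupId=group_id,
        Aggregation=group["Aggregation"],
        Pattern="ARBITRARY",
        Members=members,
    )
    return members


class FakeShieldClient:
    """Constructed stand-in for boto3's Shield client (assumption: it mirrors
    the DescribeProtectionGroup / UpdateProtectionGroup request and response
    shapes; no AWS credentials or network are needed)."""

    def __init__(self, group):
        self.group = dict(group)
        self.writes = 0

    def describe_protection_group(self, ProtectionGroupId):
        assert ProtectionGroupId == self.group["ProtectionGroupId"]
        return {"ProtectionGroup": dict(self.group)}

    def update_protection_group(self, **kwargs):
        self.writes += 1
        self.group.update(kwargs)
        return {}
```

With a real `boto3.client("shield")` (Shield is a global service, so the call goes to us-east-1) the same function applies unchanged; only the fake client is replaced.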
