Tags: terraform, amazon-redshift, terraform-provider-aws, amazon-redshift-serverless

How to add "Granted accounts" for Redshift Serverless Workgroup with Terraform?


I want to grant access to my Redshift Serverless workgroup so that other specified accounts can create Redshift-managed VPC endpoints.

In the workgroup view in the console, it looks like it is an attribute on the workgroup. However, it is not a member of that Terraform resource.


Solution

  • Though it looks like a workgroup setting in the console, inspecting the network request while updating “Granted accounts” shows that like most access in AWS, it's controlled with an IAM policy.

    What you need to set this via Terraform is an aws_redshiftserverless_resource_policy with resource_arn set to your workgroup ARN, and the policy statement should look like:

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["123456789012", "987654321098"]
      },
      "Action": [
        "redshift-serverless:CreateEndpointAccess",
        "redshift-serverless:UpdateEndpointAccess",
        "redshift-serverless:DeleteEndpointAccess",
        "redshift-serverless:GetEndpointAccess"
      ],
      "Condition": {
        "ArnLike": {
          "redshift-serverless:AuthorizedVpc": [ "arn:aws:ec2:<REGION>:<ACCOUNT_ID>:vpc/<VPC_ID_OR_*>" ]
        }
      }
    }
    

    *** Disclaimer: this is how I observed the policy being set via the console. Like everything on SO, you should vet this before using it yourself :)
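A complete Terraform configuration that wires the above together, added here as an illustration rather than taken from the answer. It assumes a Redshift Serverless namespace named "analytics" already exists; the workgroup name, the two consumer account IDs and the VPC ARN are placeholders, and aws_iam_policy_document is used only to render the statement as JSON.

```hcl
# Added example (not from the original answer). Grants two other accounts the
# ability to manage Redshift-managed VPC endpoints against this workgroup, but
# only from one named VPC rather than a wildcard.

resource "aws_redshiftserverless_workgroup" "analytics" {
  namespace_name = "analytics" # assumption: namespace created elsewhere
  workgroup_name = "analytics"
}

data "aws_iam_policy_document" "endpoint_access" {
  statement {
    sid    = "AllowCrossAccountEndpointAccess"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["123456789012", "987654321098"] # placeholder consumer accounts
    }

    # Same four actions the console sets when editing "Granted accounts".
    actions = [
      "redshift-serverless:CreateEndpointAccess",
      "redshift-serverless:UpdateEndpointAccess",
      "redshift-serverless:DeleteEndpointAccess",
      "redshift-serverless:GetEndpointAccess",
    ]

    # Limit which VPC the consumer may attach an endpoint from. Using a
    # specific VPC ARN instead of ".../vpc/*" keeps the grant narrow; widen it
    # to a wildcard only if every VPC in the consumer account should qualify.
    condition {
      test     = "ArnLike"
      variable = "redshift-serverless:AuthorizedVpc"
      values   = ["arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0abc123def456789a"] # placeholder
    }
  }
}

resource "aws_redshiftserverless_resource_policy" "endpoint_access" {
  resource_arn = aws_redshiftserverless_workgroup.analytics.arn
  policy       = data.aws_iam_policy_document.endpoint_access.json
}
```

After applying, the "Granted accounts" list in the console should show the two account IDs; a terraform plan on a later run is a quick way to detect any out-of-band change to the grant.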