Manage AWS Network Manager Attachment Accepters

The aws:networkmanager/attachmentAccepter:AttachmentAccepter resource, part of the Pulumi AWS provider, accepts cross-account attachment requests to AWS Network Manager core networks. This guide focuses on three acceptance scenarios: VPC attachments, Site-to-Site VPN attachments, and Direct Connect Gateway attachments.

The accepter runs in the core network owner account and references attachment resources that must already exist in pending state. The examples are intentionally small. Combine them with your own core network policies and attachment creation workflows.

Accept VPC attachments to core networks

When a VPC in one account needs to connect to a core network owned by another account, the core network owner must explicitly accept the attachment request.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkmanager.AttachmentAccepter("example", {
    attachmentId: exampleAwsNetworkmanagerVpcAttachment.id,
    attachmentType: exampleAwsNetworkmanagerVpcAttachment.attachmentType,
});

import pulumi
import pulumi_aws as aws

example = aws.networkmanager.AttachmentAccepter("example",
    attachment_id=example_aws_networkmanager_vpc_attachment["id"],
    attachment_type=example_aws_networkmanager_vpc_attachment["attachmentType"])

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkmanager.NewAttachmentAccepter(ctx, "example", &networkmanager.AttachmentAccepterArgs{
			AttachmentId:   pulumi.Any(exampleAwsNetworkmanagerVpcAttachment.Id),
			AttachmentType: pulumi.Any(exampleAwsNetworkmanagerVpcAttachment.AttachmentType),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.NetworkManager.AttachmentAccepter("example", new()
    {
        AttachmentId = exampleAwsNetworkmanagerVpcAttachment.Id,
        AttachmentType = exampleAwsNetworkmanagerVpcAttachment.AttachmentType,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.AttachmentAccepter;
import com.pulumi.aws.networkmanager.AttachmentAccepterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AttachmentAccepter("example", AttachmentAccepterArgs.builder()
            .attachmentId(exampleAwsNetworkmanagerVpcAttachment.id())
            .attachmentType(exampleAwsNetworkmanagerVpcAttachment.attachmentType())
            .build());

    }
}

resources:
  example:
    type: aws:networkmanager:AttachmentAccepter
    properties:
      attachmentId: ${exampleAwsNetworkmanagerVpcAttachment.id}
      attachmentType: ${exampleAwsNetworkmanagerVpcAttachment.attachmentType}

The attachmentId references the pending VPC attachment, and attachmentType specifies “VPC” to indicate the resource type being accepted. Once accepted, the VPC can route traffic through the core network according to the network’s policy rules.

Accept Site-to-Site VPN attachments

Site-to-Site VPN connections can attach to core networks for hybrid connectivity, requiring acceptance when created across account boundaries.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkmanager.AttachmentAccepter("example", {
    attachmentId: exampleAwsNetworkmanagerSiteToSiteVpnAttachment.id,
    attachmentType: exampleAwsNetworkmanagerSiteToSiteVpnAttachment.attachmentType,
});

import pulumi
import pulumi_aws as aws

example = aws.networkmanager.AttachmentAccepter("example",
    attachment_id=example_aws_networkmanager_site_to_site_vpn_attachment["id"],
    attachment_type=example_aws_networkmanager_site_to_site_vpn_attachment["attachmentType"])

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkmanager.NewAttachmentAccepter(ctx, "example", &networkmanager.AttachmentAccepterArgs{
			AttachmentId:   pulumi.Any(exampleAwsNetworkmanagerSiteToSiteVpnAttachment.Id),
			AttachmentType: pulumi.Any(exampleAwsNetworkmanagerSiteToSiteVpnAttachment.AttachmentType),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.NetworkManager.AttachmentAccepter("example", new()
    {
        AttachmentId = exampleAwsNetworkmanagerSiteToSiteVpnAttachment.Id,
        AttachmentType = exampleAwsNetworkmanagerSiteToSiteVpnAttachment.AttachmentType,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.AttachmentAccepter;
import com.pulumi.aws.networkmanager.AttachmentAccepterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AttachmentAccepter("example", AttachmentAccepterArgs.builder()
            .attachmentId(exampleAwsNetworkmanagerSiteToSiteVpnAttachment.id())
            .attachmentType(exampleAwsNetworkmanagerSiteToSiteVpnAttachment.attachmentType())
            .build());

    }
}

resources:
  example:
    type: aws:networkmanager:AttachmentAccepter
    properties:
      attachmentId: ${exampleAwsNetworkmanagerSiteToSiteVpnAttachment.id}
      attachmentType: ${exampleAwsNetworkmanagerSiteToSiteVpnAttachment.attachmentType}

The attachmentType “SITE_TO_SITE_VPN” identifies this as a VPN attachment. After acceptance, the VPN connection can exchange routes with the core network, enabling on-premises resources to communicate with cloud workloads.

Accept Direct Connect Gateway attachments

Direct Connect gateways provide dedicated network connections to AWS and can attach to core networks for private, high-bandwidth connectivity.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkmanager.AttachmentAccepter("example", {
    attachmentId: exampleAwsNetworkmanagerDxGatewayAttachment.id,
    attachmentType: exampleAwsNetworkmanagerDxGatewayAttachment.attachmentType,
});

import pulumi
import pulumi_aws as aws

example = aws.networkmanager.AttachmentAccepter("example",
    attachment_id=example_aws_networkmanager_dx_gateway_attachment["id"],
    attachment_type=example_aws_networkmanager_dx_gateway_attachment["attachmentType"])

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkmanager.NewAttachmentAccepter(ctx, "example", &networkmanager.AttachmentAccepterArgs{
			AttachmentId:   pulumi.Any(exampleAwsNetworkmanagerDxGatewayAttachment.Id),
			AttachmentType: pulumi.Any(exampleAwsNetworkmanagerDxGatewayAttachment.AttachmentType),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.NetworkManager.AttachmentAccepter("example", new()
    {
        AttachmentId = exampleAwsNetworkmanagerDxGatewayAttachment.Id,
        AttachmentType = exampleAwsNetworkmanagerDxGatewayAttachment.AttachmentType,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.AttachmentAccepter;
import com.pulumi.aws.networkmanager.AttachmentAccepterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AttachmentAccepter("example", AttachmentAccepterArgs.builder()
            .attachmentId(exampleAwsNetworkmanagerDxGatewayAttachment.id())
            .attachmentType(exampleAwsNetworkmanagerDxGatewayAttachment.attachmentType())
            .build());

    }
}

resources:
  example:
    type: aws:networkmanager:AttachmentAccepter
    properties:
      attachmentId: ${exampleAwsNetworkmanagerDxGatewayAttachment.id}
      attachmentType: ${exampleAwsNetworkmanagerDxGatewayAttachment.attachmentType}

The attachmentType “DIRECT_CONNECT_GATEWAY” identifies this as a Direct Connect attachment. Direct Connect attachments return edgeLocations (plural) rather than edgeLocation, reflecting that Direct Connect gateways can span multiple edge locations.

Beyond these examples

These snippets focus on specific attachment acceptance features: cross-account attachment acceptance and multiple attachment types (VPC, VPN, Direct Connect). They’re intentionally minimal rather than full network topology configurations.

The examples rely on pre-existing infrastructure such as Network Manager core networks, attachment resources in pending state, and VPCs, VPN connections, or Direct Connect gateways. They focus on accepting attachments rather than creating the underlying network resources.

To keep things focused, common attachment patterns are omitted, including:

  • Attachment creation (handled by separate attachment resources)
  • Core network policy configuration
  • Attachment rejection workflows
  • State monitoring and lifecycle management

These omissions are intentional: the goal is to illustrate how attachment acceptance is wired, not provide drop-in network modules. See the AttachmentAccepter resource reference for all available configuration options.

Let's manage AWS Network Manager Attachment Accepters

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Purpose & Cross-Account
What's the AttachmentAccepter resource used for?
It accepts cross-account attachments in AWS Network Manager. Use this when an attachment is created in one account and needs to be accepted by another account that owns the core network.
Attachment Types & Configuration
What attachment types can I accept?
You can accept five types: VPC, SITE_TO_SITE_VPN, CONNECT, TRANSIT_GATEWAY_ROUTE_TABLE, and DIRECT_CONNECT_GATEWAY.
How do I accept an attachment?
Provide the attachmentId and attachmentType from the attachment resource you want to accept. The pattern is the same for all attachment types.
Immutability & Limitations
Can I modify attachment properties after creation?
No, both attachmentId and attachmentType are immutable. Changing either property requires replacing the resource.
Why do I see edgeLocation for some attachments and edgeLocations for others?
Direct Connect gateway attachments return edgeLocations (array), while all other attachment types return edgeLocation (string). Use the appropriate property based on your attachment type.

Using a different cloud?

Explore networking guides for other cloud providers:

Azure Guides GCP Guides