Manage AWS Network Manager Attachment Accepters

The aws:networkmanager/attachmentAccepter:AttachmentAccepter resource, part of the Pulumi AWS provider, accepts cross-account attachment requests to AWS Network Manager core networks. This guide focuses on three acceptance scenarios: VPC attachments, Site-to-Site VPN attachments, and Direct Connect Gateway attachments.

The accepter runs in the core network owner account and references attachment resources that must already exist in pending state. The examples are intentionally small. Combine them with your own core network policies and attachment creation workflows.

Accept VPC attachments to core networks

When a VPC in one account needs to connect to a core network owned by another account, the core network owner must explicitly accept the attachment request.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkmanager.AttachmentAccepter("example", {
    attachmentId: exampleAwsNetworkmanagerVpcAttachment.id,
    attachmentType: exampleAwsNetworkmanagerVpcAttachment.attachmentType,
});

import pulumi
import pulumi_aws as aws

example = aws.networkmanager.AttachmentAccepter("example",
    attachment_id=example_aws_networkmanager_vpc_attachment["id"],
    attachment_type=example_aws_networkmanager_vpc_attachment["attachmentType"])

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkmanager.NewAttachmentAccepter(ctx, "example", &networkmanager.AttachmentAccepterArgs{
			AttachmentId:   pulumi.Any(exampleAwsNetworkmanagerVpcAttachment.Id),
			AttachmentType: pulumi.Any(exampleAwsNetworkmanagerVpcAttachment.AttachmentType),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.NetworkManager.AttachmentAccepter("example", new()
    {
        AttachmentId = exampleAwsNetworkmanagerVpcAttachment.Id,
        AttachmentType = exampleAwsNetworkmanagerVpcAttachment.AttachmentType,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.AttachmentAccepter;
import com.pulumi.aws.networkmanager.AttachmentAccepterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AttachmentAccepter("example", AttachmentAccepterArgs.builder()
            .attachmentId(exampleAwsNetworkmanagerVpcAttachment.id())
            .attachmentType(exampleAwsNetworkmanagerVpcAttachment.attachmentType())
            .build());

    }
}

resources:
  example:
    type: aws:networkmanager:AttachmentAccepter
    properties:
      attachmentId: ${exampleAwsNetworkmanagerVpcAttachment.id}
      attachmentType: ${exampleAwsNetworkmanagerVpcAttachment.attachmentType}

The attachmentId references the pending VPC attachment, and attachmentType specifies “VPC” to indicate the resource type being accepted. Once accepted, the VPC can route traffic through the core network according to the network’s policy rules.

Accept Site-to-Site VPN attachments

Site-to-Site VPN connections can attach to core networks for hybrid connectivity, requiring acceptance when created across account boundaries.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkmanager.AttachmentAccepter("example", {
    attachmentId: exampleAwsNetworkmanagerSiteToSiteVpnAttachment.id,
    attachmentType: exampleAwsNetworkmanagerSiteToSiteVpnAttachment.attachmentType,
});

import pulumi
import pulumi_aws as aws

example = aws.networkmanager.AttachmentAccepter("example",
    attachment_id=example_aws_networkmanager_site_to_site_vpn_attachment["id"],
    attachment_type=example_aws_networkmanager_site_to_site_vpn_attachment["attachmentType"])

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkmanager.NewAttachmentAccepter(ctx, "example", &networkmanager.AttachmentAccepterArgs{
			AttachmentId:   pulumi.Any(exampleAwsNetworkmanagerSiteToSiteVpnAttachment.Id),
			AttachmentType: pulumi.Any(exampleAwsNetworkmanagerSiteToSiteVpnAttachment.AttachmentType),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.NetworkManager.AttachmentAccepter("example", new()
    {
        AttachmentId = exampleAwsNetworkmanagerSiteToSiteVpnAttachment.Id,
        AttachmentType = exampleAwsNetworkmanagerSiteToSiteVpnAttachment.AttachmentType,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.AttachmentAccepter;
import com.pulumi.aws.networkmanager.AttachmentAccepterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AttachmentAccepter("example", AttachmentAccepterArgs.builder()
            .attachmentId(exampleAwsNetworkmanagerSiteToSiteVpnAttachment.id())
            .attachmentType(exampleAwsNetworkmanagerSiteToSiteVpnAttachment.attachmentType())
            .build());

    }
}

resources:
  example:
    type: aws:networkmanager:AttachmentAccepter
    properties:
      attachmentId: ${exampleAwsNetworkmanagerSiteToSiteVpnAttachment.id}
      attachmentType: ${exampleAwsNetworkmanagerSiteToSiteVpnAttachment.attachmentType}

The attachmentType “SITE_TO_SITE_VPN” identifies this as a VPN attachment. After acceptance, the VPN connection can exchange routes with the core network, enabling on-premises resources to communicate with cloud workloads.

Accept Direct Connect Gateway attachments

Direct Connect gateways provide dedicated network connections to AWS and can attach to core networks for private, high-bandwidth connectivity.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkmanager.AttachmentAccepter("example", {
    attachmentId: exampleAwsNetworkmanagerDxGatewayAttachment.id,
    attachmentType: exampleAwsNetworkmanagerDxGatewayAttachment.attachmentType,
});

import pulumi
import pulumi_aws as aws

example = aws.networkmanager.AttachmentAccepter("example",
    attachment_id=example_aws_networkmanager_dx_gateway_attachment["id"],
    attachment_type=example_aws_networkmanager_dx_gateway_attachment["attachmentType"])

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkmanager.NewAttachmentAccepter(ctx, "example", &networkmanager.AttachmentAccepterArgs{
			AttachmentId:   pulumi.Any(exampleAwsNetworkmanagerDxGatewayAttachment.Id),
			AttachmentType: pulumi.Any(exampleAwsNetworkmanagerDxGatewayAttachment.AttachmentType),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.NetworkManager.AttachmentAccepter("example", new()
    {
        AttachmentId = exampleAwsNetworkmanagerDxGatewayAttachment.Id,
        AttachmentType = exampleAwsNetworkmanagerDxGatewayAttachment.AttachmentType,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkmanager.AttachmentAccepter;
import com.pulumi.aws.networkmanager.AttachmentAccepterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AttachmentAccepter("example", AttachmentAccepterArgs.builder()
            .attachmentId(exampleAwsNetworkmanagerDxGatewayAttachment.id())
            .attachmentType(exampleAwsNetworkmanagerDxGatewayAttachment.attachmentType())
            .build());

    }
}

resources:
  example:
    type: aws:networkmanager:AttachmentAccepter
    properties:
      attachmentId: ${exampleAwsNetworkmanagerDxGatewayAttachment.id}
      attachmentType: ${exampleAwsNetworkmanagerDxGatewayAttachment.attachmentType}

The attachmentType “DIRECT_CONNECT_GATEWAY” identifies this as a Direct Connect attachment. Direct Connect attachments return edgeLocations (plural) rather than edgeLocation, reflecting that Direct Connect gateways can span multiple edge locations.

Beyond these examples

These snippets focus on specific attachment acceptance features: cross-account attachment acceptance and multiple attachment types (VPC, VPN, Direct Connect). They’re intentionally minimal rather than full network topology configurations.

The examples rely on pre-existing infrastructure such as Network Manager core networks, attachment resources in pending state, and VPCs, VPN connections, or Direct Connect gateways. They focus on accepting attachments rather than creating the underlying network resources.

To keep things focused, common attachment patterns are omitted, including:

  • Attachment creation (handled by separate attachment resources)
  • Core network policy configuration
  • Attachment rejection workflows
  • State monitoring and lifecycle management

These omissions are intentional: the goal is to illustrate how attachment acceptance is wired, not provide drop-in network modules. See the AttachmentAccepter resource reference for all available configuration options.

Let's manage AWS Network Manager Attachment Accepters

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Cross-Account Workflow
What's the purpose of the AttachmentAccepter resource?
This resource accepts cross-account attachments in AWS Network Manager. Use it when an attachment is created in one account and needs to be accepted by another account that owns the core network.
When do I need to use AttachmentAccepter instead of creating an attachment directly?
Use AttachmentAccepter when you own the core network and need to accept an attachment created by another AWS account. The attachment creator uses resources like VpcAttachment or SiteToSiteVpnAttachment, while you use AttachmentAccepter to approve it.
Attachment Types & Configuration
What attachment types can I accept?
You can accept five attachment types: CONNECT, DIRECT_CONNECT_GATEWAY, SITE_TO_SITE_VPN, TRANSIT_GATEWAY_ROUTE_TABLE, and VPC.
How do I accept different types of attachments?

All attachment types follow the same pattern—provide the attachmentId and attachmentType from the source attachment:

  • VPC: Reference VpcAttachment.id and VpcAttachment.attachmentType
  • Site-to-Site VPN: Reference SiteToSiteVpnAttachment.id and SiteToSiteVpnAttachment.attachmentType
  • Connect: Reference ConnectAttachment.id and ConnectAttachment.attachmentType
  • Transit Gateway Route Table: Reference TransitGatewayRouteTableAttachment.id and TransitGatewayRouteTableAttachment.attachmentType
  • Direct Connect Gateway: Reference DxGatewayAttachment.id and DxGatewayAttachment.attachmentType
Properties & Behavior
Why do I see edgeLocation for some attachments and edgeLocations for others?
Direct Connect gateway attachments return edgeLocations (array) because they can be associated with multiple edge locations. All other attachment types return edgeLocation (string) for a single region.
Can I change the attachmentId or attachmentType after accepting an attachment?
No, both attachmentId and attachmentType are immutable. Changing either requires replacing the resource.

Using a different cloud?

Explore networking guides for other cloud providers:

Azure Guides GCP Guides