NetworkVpcStack: Custom::GetResourceShare fails with Sandbox IPAM pool, which has no RAM share targets

[khris-zeroeyes]

Describe the bug

I encountered the following error while deploying TSE-SE v1.10.0-a with the IPAM network-config.yaml.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|   timestamp   |                                                                                                                                                                                      message                                                                                                                                                                                      |
|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
...
| 1730554011776 | ze-pi-lza-NetworkVpcStack-430118854390-us-east-1 | 20/62 | 1:26:49 PM | CREATE_IN_PROGRESS   | Custom::GetResourceShare              | ZePiLzaSandboxPoolIpamPoolShare/Resource/Default (ZePiLzaSandboxPoolIpamPoolShare8047CE95) Resource creation Initiated                                                                                                                     |
| 1730554011776 | ze-pi-lza-NetworkVpcStack-430118854390-us-east-1 | 20/62 | 1:26:49 PM | CREATE_FAILED        | Custom::GetResourceShare              | ZePiLzaSandboxPoolIpamPoolShare/Resource/Default (ZePiLzaSandboxPoolIpamPoolShare8047CE95) Received response status [FAILED] from custom resource. Message returned: Error: Resource share ze-pi-lza-sandbox-pool_IpamPoolShare not found  |
| 1730554011776 |     at Rfe (/var/task/index.js:34:3577844)                                                                                                                                                                                                                                                                                                                                        |
| 1730554011776 |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)                                                                                                                                                                                                                                                                                                 |
| 1730554011776 |     at async Runtime.handler (/var/task/__entrypoint__.js:1:932) (RequestId: d94aa6f7-0d40-4339-840d-4e7ca83cae1e)                                                                                                                                                                                                                                                                |
| 1730554011776 |  new CustomResource (/codebuild/output/src1105/src/s3/00/source/node_modules/aws-cdk-lib/core/lib/custom-resource.js:1:1075)                                                                                                                                                                                                                                                      |
| 1730554011776 |  \_ new Import (/codebuild/output/src1105/src/s3/00/source/packages/@aws-accelerator/constructs/lib/aws-ram/resource-share.ts:185:26)                                                                                                                                                                                                                                             |
| 1730554011776 |  \_ Function.fromLookup (/codebuild/output/src1105/src/s3/00/source/packages/@aws-accelerator/constructs/lib/aws-ram/resource-share.ts:207:12)                                                                                                                                                                                                                                    |
| 1730554011776 |  \_ NetworkVpcStack.getResourceShare (/codebuild/output/src1105/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/network-stacks/network-stack.ts:641:41)                                                                                                                                                                                                         |
| 1730554011776 |  \_ NetworkVpcStack.createIpamPoolMap (/codebuild/output/src1105/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/network-stacks/network-stack.ts:767:25)                                                                                                                                                                                                        |
| 1730554011776 |  \_ NetworkVpcStack.setIpamPoolMap (/codebuild/output/src1105/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/network-stacks/network-stack.ts:789:14)                                                                                                                                                                                                           |
| 1730554011776 |  \_ new NetworkVpcStack (/codebuild/output/src1105/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/network-stacks/network-vpc-stack/network-vpc-stack.ts:62:30)                                                                                                                                                                                                 |
| 1730554011776 |  \_ createNetworkVpcStacks (/codebuild/output/src1105/src/s3/00/source/packages/@aws-accelerator/accelerator/utils/stack-utils.ts:1013:22)                                                                                                                                                                                                                                        |
| 1730554011776 |  \_ createMultiAccountMultiRegionStacks (/codebuild/output/src1105/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:191:29)                                                                                                                                                                                                                                      |
| 1730554011776 |  \_ processTicksAndRejections (node:internal/process/task_queues:95:5)                                                                                                                                                                                                                                                                                                            |
| 1730554011776 | ze-pi-lza-NetworkVpcStack-430118854390-us-east-1 | 20/62 | 1:26:49 PM | CREATE_FAILED        | Custom::DeleteDefaultVpc              | DeleteDefaultVpc/Resource/Default (DeleteDefaultVpc4DBAE36C) Resource creation cancelled                                                                                                                                                   |
...
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

My best guess as to the root cause is that this statement should only be executed if the IPAM pool has shareTargets assigned, which the sandbox pool in the TSE-SE reference architecture does not. I cannot speak to any of the implications beyond that.

  private createIpamPoolMap(
    ipamAllocations: IpamAllocationConfig[],
    poolMap: Map<string, string>,
    props: AcceleratorStackProps,
  ) {
    const delegatedAdminAccountId = props.accountsConfig.getAccountId(
      props.networkConfig.centralNetworkServices!.delegatedAdminAccount,
    );
    for (const alloc of ipamAllocations) {
      const ipamPool = props.networkConfig.centralNetworkServices!.ipams?.find(item =>
        item.pools?.find(item => item.name === alloc.ipamPoolName),
      );
      if (ipamPool === undefined) {
        this.logger.error(`Specified Ipam Pool not defined`);
        throw new Error(`Configuration validation failed at runtime.`);
      }
      if (!poolMap.has(alloc.ipamPoolName)) {
        let poolId: string;
        if (delegatedAdminAccountId === cdk.Stack.of(this).account && ipamPool.region === cdk.Stack.of(this).region) {
          poolId = cdk.aws_ssm.StringParameter.valueForStringParameter(
            this,
            this.getSsmPath(SsmResourceType.IPAM_POOL, [alloc.ipamPoolName]),
          );
        } else if (ipamPool.region !== cdk.Stack.of(this).region) {
          poolId = this.getCrossRegionPoolId(delegatedAdminAccountId, alloc.ipamPoolName, ipamPool.region);
        } else {
          poolId = this.getResourceShare(
            `${alloc.ipamPoolName}_IpamPoolShare`,
            'ec2:IpamPool',
            delegatedAdminAccountId,
            this.cloudwatchKey,
          ).resourceShareItemId;
        }
        poolMap.set(alloc.ipamPoolName, poolId);
      }
    }
  }

centralNetworkServices:
 ...
 ipams:
   - name: "{{ AcceleratorPrefix }}-ipam"
     ...
     pools:
       ### Global Ipam Pools ###
       - name: "{{ AcceleratorPrefix }}-sandbox-pool"
         description: "Sandbox networks are isolated to the local sandbox account they are created for, and never connected to other networks in the accelerator, therefore overlapping ranges are by design."
         provisionedCidrs:
           - "{{ sandboxCidr }}"

To Reproduce
Steps to reproduce the behavior.

Use a minimally customized TSE-SE reference architecture configuration, replacing network-config.yaml with network-config.yaml.ipam

Expected behavior
A clear and concise description of what you expected to happen.

Please complete the following information about the solution:

• Version: v1.10.0

To get the version of the solution, you can look at the description of the created AWS CloudFormation stack used to install the LZA (AWSAccelerator-InstallerStack). For example, "(SO0199) Landing Zone Accelerator on AWS. Version 1.5.1.". If the description does not contain the version information, you can look at the Parameters of the stack for the RepositoryBranchName as that should contain the version number.

• Region: us-east-1
• Was the solution modified from the version published on this repository? yes, it's a slight variant of the TSE-SE reference architecture
• If the answer to the previous question was yes, are the changes available on GitHub? no
• Have you checked your service quotas for the services this solution uses? yes
• Were there any errors in the CloudWatch Logs? yes, I've attached the relevant snippet

Screenshots
If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context
Add any other context about the problem here.