Cloudformation-coverage-roadmap: AWS::Route53::VPCAssociationAuthorization

Created on 12 Feb 2020 · 6 comments · Source: aws-cloudformation/cloudformation-coverage-roadmap

https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateVPCAssociationAuthorization.html

1. Title

AWS::Route53::VPCAssociationAuthorization

2. Scope of request

New support desired for Route53 methods 'CreateVPCAssociationAuthorization' and 'DeleteVPCAssociationAuthorization'

Currently it is not possible to authorize VPCs to associate with a private hosted zone in native CloudFormation. We are forced to work around this by deploying a Lambda custom resource type, which sucks.

3. Expected behavior

A resource type should exist for Route53::VPCAssociationAuthorization. It should contain the following properties:

  • HostedZoneId
  • VPCId
  • VPCRegion

It might make sense to also add a new property to Route53::HostedZone, to specify a list of VPCs to authorize, e.g.:

Type: AWS::Route53::HostedZone
Properties:
  ...
  VPCAssociationAuthorizations:
    - VPCId: vpc-xxxyyy
      VPCRegion: xx-yyyy-1
    - VPCId: ...
      VPCRegion: ...

4. Suggest specific test cases

A user can successfully authorize a VPC in another account to associate with a private hosted zone, using native CloudFormation.

5. Helpful Links to speed up research and evaluation

https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateVPCAssociationAuthorization.html
https://docs.aws.amazon.com/Route53/latest/APIReference/API_DeleteVPCAssociationAuthorization.html

6. Category (required) - Will help with tagging and be easier to find by other users to +1

  1. Networking & Content (VPC, Route53, API GW,...)

All 6 comments

This is a very useful feature!

definitely would be a good addition, very annoying that only way to do this is via CLI and SDKs presently

Happy birthday #371 🎂

One of the ugliest things about PHZ association is that the PHZ has to exist first. However, creating a hosted zone without an associated VPC in CloudFormation creates a public hosted zone, which cannot be converted to private. To support this in CloudFormation would require a modification to allow a PHZ to exist without a VPC, such that the authorisation can be created to allow the following sequence.

1) Account 1: Create VPC
2) Account 2: Create PHZ (without VPC association)
3) Account 2: Create VPCAssociationAuthorization
4) Account 1: Create VPCAssociation

Note that until mid-Feb 2021 sharing subnets to a member account using RAM implicitly allowed creation of a PHZ against the associated VPC. This is no longer the case, so having a fully-supported method of creating VPCAssociationAuthorizations has become more critical.
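The four-step sequence above, carried out through the Route 53 API using the boto3 method names, as an added example that is not part of the issue, of CloudFormation, or of any AWS code. The two clients are duck-typed: in a real run they are `boto3.client("route53")` objects built from credentials for the zone-owning account (Account 2) and the VPC-owning account (Account 1); the `FakeRoute53` class is a constructed in-memory stand-in so the flow can be run offline. The hosted zone ID, VPC ID, region and account numbers are made up. The parameters passed to each call are exactly the three properties the request asks for (HostedZoneId, VPCId, VPCRegion).

```python
"""Cross-account association of a VPC with a Route 53 private hosted zone (PHZ).

Added example (not from the issue, CloudFormation or AWS). Clients are
duck-typed: pass boto3.client("route53", ...) objects for each account, or the
constructed FakeRoute53 below. All identifiers used in demo() are made up.
"""
import re

# Route 53 VPC IDs are 'vpc-' followed by 8 or 17 hex characters.
_VPC_ID = re.compile(r"^vpc-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def zone_id(hosted_zone_id: str) -> str:
    """Strip the '/hostedzone/' prefix that some API responses carry."""
    return hosted_zone_id.rsplit("/", 1)[-1]


def vpc_param(vpc_id: str, vpc_region: str) -> dict:
    """Build the VPC structure shared by the three association APIs."""
    if not _VPC_ID.match(vpc_id):
        raise ValueError(f"not a VPC id: {vpc_id!r}")
    return {"VPCRegion": vpc_region, "VPCId": vpc_id}


def associate_cross_account(zone_owner, vpc_owner, hosted_zone_id, vpc_id, vpc_region):
    """zone_owner: Route 53 client for the account owning the PHZ (Account 2).
    vpc_owner:  Route 53 client for the account owning the VPC (Account 1).
    Returns the list of API calls made, in order."""
    hz = zone_id(hosted_zone_id)
    vpc = vpc_param(vpc_id, vpc_region)
    # Fail early on the trap described above: a public zone cannot be made private.
    zone = zone_owner.get_hosted_zone(Id=hz)
    if not zone["HostedZone"]["Config"].get("PrivateZone", False):
        raise ValueError(f"{hz} is a public hosted zone; create a new private zone instead")
    calls = ["get_hosted_zone"]
    # Step 3: the zone owner authorizes exactly this VPC.
    zone_owner.create_vpc_association_authorization(HostedZoneId=hz, VPC=vpc)
    calls.append("create_vpc_association_authorization")
    try:
        # Step 4: the VPC owner performs the association.
        vpc_owner.associate_vpc_with_hosted_zone(
            HostedZoneId=hz, VPC=vpc, Comment="cross-account PHZ association")
        calls.append("associate_vpc_with_hosted_zone")
    finally:
        # The authorization is standing permission for the VPC owner to
        # (re)associate later. AWS recommends deleting it once the
        # association exists; deleting it does not undo the association.
        zone_owner.delete_vpc_association_authorization(HostedZoneId=hz, VPC=vpc)
        calls.append("delete_vpc_association_authorization")
    return calls


class FakeRoute53:
    """Constructed in-memory stand-in for the four Route 53 calls used above.
    One shared `state` dict models the service; each instance is a caller from
    `account`, so the cross-account authorization check is exercised offline."""

    def __init__(self, state: dict, account: str):
        self.state, self.account = state, account
        state.setdefault("auths", set())
        state.setdefault("assocs", set())

    def get_hosted_zone(self, Id):
        z = self.state["zones"][Id]
        return {"HostedZone": {"Id": f"/hostedzone/{Id}",
                               "Config": {"PrivateZone": z["private"]}}}

    def _owner_check(self, HostedZoneId):
        if self.state["zones"][HostedZoneId]["owner"] != self.account:
            raise PermissionError("only the zone owner may manage authorizations")

    def create_vpc_association_authorization(self, HostedZoneId, VPC):
        self._owner_check(HostedZoneId)
        self.state["auths"].add((HostedZoneId, VPC["VPCId"]))

    def delete_vpc_association_authorization(self, HostedZoneId, VPC):
        self._owner_check(HostedZoneId)
        self.state["auths"].discard((HostedZoneId, VPC["VPCId"]))

    def associate_vpc_with_hosted_zone(self, HostedZoneId, VPC, Comment=""):
        zone = self.state["zones"][HostedZoneId]
        if not zone["private"]:
            raise ValueError("PublicZoneVPCAssociation")
        if zone["owner"] != self.account and (HostedZoneId, VPC["VPCId"]) not in self.state["auths"]:
            raise PermissionError("NotAuthorizedException")
        self.state["assocs"].add((HostedZoneId, VPC["VPCId"]))


def demo():
    """Offline run: Account 2 owns the PHZ, Account 1 owns the VPC (made-up IDs)."""
    state = {"zones": {"Z0123456789EXAMPLE": {"owner": "222222222222", "private": True}}}
    owner = FakeRoute53(state, "222222222222")
    vpc_owner = FakeRoute53(state, "111111111111")
    calls = associate_cross_account(owner, vpc_owner, "/hostedzone/Z0123456789EXAMPLE",
                                    "vpc-0abc1234def567890", "eu-west-1")
    return calls, sorted(state["assocs"]), sorted(state["auths"])


if __name__ == "__main__":
    print(demo())
```

The order matters in two places a practitioner should check: the zone must already be private before the authorization is created (the function refuses a public zone rather than letting `AssociateVPCWithHostedZone` fail later with `PublicZoneVPCAssociation`), and the authorization is deleted in `finally` so it does not remain as standing permission for the VPC account to re-associate that VPC with the zone in the future.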

> Note that until mid-Feb 2021 sharing subnets to a member account using RAM implicitly allowed creation of a PHZ against the associated VPC. This is no longer the case, so having a fully-supported method of creating VPCAssociationAuthorizations has become more critical.

So that's why I was having troubles with that use case now, and a lack of information about the subject!
