Terraform: Feature Request: Add support for CreateVPCAssociationAuthorization AWS API

Created on 18 Nov 2016 · 7 Comments · Source: hashicorp/terraform

Hey there,

Terraform does have a route53_zone_association resource, but it works for private zones and VPCs in the same AWS account.
If you want to associate a VPC that you created with one AWS account with a private hosted zone that you created with a different account, you had to ask AWS support to create the authorisation manually.
Now they have added an API for this. It would be great to have this implemented in Terraform, e.g. as a new resource.

Thanks in advance!

Labels: enhancement, new-resource, provider/aws


All 7 comments

Terraform will also need to be modified in how it detects whether a zone is associated. I get errors that I am unable to access the resource (after it takes 30+ seconds to create the association), but when I run the AWS CLI, I see that it made the association successfully.

This would definitely be useful as I've just run into this issue myself.

So the issue right now is there doesn't seem to be a way to check what zones are associated with a VPC without access to the zone. You can verify that the change completed successfully but if the association was ever modified outside of terraform the account that created the association wouldn't be able to detect this.

I've created the following module which by no means solves this issue but provides me with an alternative in the meantime.
https://github.com/opetch/terraform-aws-cli-resource

Just as a note... when dealing with cross-account aws_route53_zone_association resources:
1) To CREATE the association the resource provider needs to point to the owner of the VPC.
After creation terraform will generate the following error:

  • aws_route53_zone_association.allowlocal: AccessDenied: User: arn:aws:iam::111111111111111:user/terraform_user is not authorized to access this resource
    status code: 403, request id: REDACTED

2) To VERIFY the association the resource provider needs to be switched to the owner of the ZONE

This should not affect the ability to run create-vpc-association-authorization, which needs to be executed as the owner of the ZONE. Our current process is:

  • manually run create-vpc-association-authorization from the CLI
  • temporarily edit the aws_route53_zone_association resource to swap provider to the VPC owner
  • Run TF. Ignore the error.
  • Undo the provider swap and verify plan is clean
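The manual cross-account process above, written out as an added AWS CLI script (not code from the issue, the commenter, or Terraform). The profile names zone-owner and vpc-owner are assumed; the verification and cleanup steps go beyond the commands the thread itself names.

```shell
# Added example (not from the issue or from Terraform): the commenter's manual
# cross-account association, scripted with the AWS CLI.
# Assumed, constructed profile names:
#   zone-owner - account that owns the private hosted zone
#   vpc-owner  - account that owns the VPC
AWS_CLI="${AWS_CLI:-aws}"
ZONE_PROFILE="${ZONE_PROFILE:-zone-owner}"
VPC_PROFILE="${VPC_PROFILE:-vpc-owner}"

# Step 1 (zone owner): authorize exactly this VPC for association.
authorize_vpc() {
  "$AWS_CLI" route53 create-vpc-association-authorization \
    --profile "$ZONE_PROFILE" --hosted-zone-id "$1" \
    --vpc "VPCRegion=$2,VPCId=$3"
}

# Step 2 (VPC owner): only the VPC owner can associate, hence the AccessDenied
# the zone-owner credentials see afterwards.
associate_vpc() {
  "$AWS_CLI" route53 associate-vpc-with-hosted-zone \
    --profile "$VPC_PROFILE" --hosted-zone-id "$1" \
    --vpc "VPCRegion=$2,VPCId=$3"
}

# Step 3 (zone owner): GetHostedZone lists the VPCs attached to a private zone.
verify_association() {
  found=$("$AWS_CLI" route53 get-hosted-zone --profile "$ZONE_PROFILE" \
    --id "$1" --query "VPCs[?VPCId=='$3'].VPCId" --output text)
  [ "$found" = "$3" ]
}

# Step 4 (zone owner): a standing authorization is a reusable grant; remove it.
revoke_authorization() {
  "$AWS_CLI" route53 delete-vpc-association-authorization \
    --profile "$ZONE_PROFILE" --hosted-zone-id "$1" \
    --vpc "VPCRegion=$2,VPCId=$3"
}

# Full workflow: cross_account_associate ZONE_ID VPC_REGION VPC_ID
# Keeps the authorization (and fails) if the zone owner cannot see the VPC.
cross_account_associate() {
  authorize_vpc "$1" "$2" "$3" || return 1
  associate_vpc "$1" "$2" "$3" || return 1
  if ! verify_association "$1" "$2" "$3"; then
    echo "VPC $3 not visible on zone $1; leaving authorization in place" >&2
    return 1
  fi
  revoke_authorization "$1" "$2" "$3"
}
```

Point AWS_CLI at a logging stub to dry-run the sequence before running it against real accounts.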

Will this ever gonna be tackled?

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
