Terraform: Setting up a Route53 association with a zone in another account fails

I get:

* aws_route53_zone_association.test2core-mgmt: AccessDenied: User: arn:aws:iam::USER_ID:user/turbo is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/ZONE_ID
        status code: 403, request id: 5e192c68-041d-11e7-90e6-b364fcf332cb        status code: 403, request id: f2e12a23-041b-11e7-abde-378ae1dd8210
* aws_route53_zone_association.test: NotAuthorizedException: The VPC: vpc-0f747a6b has not authorized to associate with your hosted zone.
        status code: 401, request id: 5e184195-041d-11e7-a7d0-2ddfbb551b5a

The data.terraform_remote_state.{base,core} is in the same account, which I specify with the provider aliased as core (same credentials/profile I'm using to create resources in that account).

Thinking about this somewhat, I'm thinking I need _two_ credentials: 1) to update the Route53 zone with the VPC association and 2) (possibly?) one to tell the VPC about this?

http://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html

Note
If you want to associate a VPC that was created by using one AWS account with a private hosted zone that was created by using a different account, the AWS account that created the private hosted zone must first submit a CreateVPCAssociationAuthorization request. Then the account that created the VPC must submit an AssociateVPCWithHostedZone request.

http://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateVPCAssociationAuthorization.html

Authorizes the AWS account that created a specified VPC to submit an AssociateVPCWithHostedZone request to associate the VPC with a specified hosted zone that was created by a different account. To submit a CreateVPCAssociationAuthorization request, you must use the account that created the hosted zone.

So I guess that if provider is set (and differs from the "default"?), then first issue a CreateVPCAssociationAuthorization with that provider, then issue a AssociateVPCWithHostedZone with the "default" provider.

There seems to be more bugs lurking here.

By issuing a create-vpc-association-authorization using the aws command for all VPC IDs in a loop:

aws --profile local_profile --region eu-west-1 route53 create-vpc-association-authorization --vpc VPCRegion=eu-west-1,VPCId=${vpcid} --hosted-zone-id ${hosted_zone}

I then expected this to succeed:

resource "aws_route53_zone_association" "test" {
  vpc_id        = "${aws_vpc.test.id}" # local VPC
  zone_id       = "${data.terraform_remote_state.base.zone_id_private}" # remote zone
  provider      = "aws.core"
}

resource "aws_route53_zone_association" "test2core-mgmt" {
  vpc_id        = "${data.terraform_remote_state.core.management_vpc_id}" # remote VPC
  zone_id       = "${aws_route53_zone.test-rev.id}" # local zone
}

resource "aws_route53_zone_association" "test2core-support" {
  vpc_id        = "${data.terraform_remote_state.core.support_vpc_id}" # remote VPC
  zone_id       = "${aws_route53_zone.test-rev.id}" # local zone
}

resource "aws_route53_zone_association" "test2core-jenkins" {
  vpc_id        = "${data.terraform_remote_state.core.jenkins_vpc_id}" # remote VPC
  zone_id       = "${aws_route53_zone.test-rev.id}" # local zone
}

resource "aws_route53_zone_association" "test2core-access" {
  vpc_id        = "${data.terraform_remote_state.core.access_vpc_id}" # remote VPC
  zone_id       = "${aws_route53_zone.test-rev.id}" # local zone
}

However, it did not. It failed, I had to set a provider entry for each resource, rerun TF, it failed on fewer and I had to do this several time, adding/removing provider entries and eventually I got it to do the associations.

Looking at https://github.com/hashicorp/terraform/pull/12553/commits/d6869f6180ded7028fe9b02b9dcb4f3251f2e02b, it's a good start I guess.

However, because the CreateVPCAssociationAuthorization needs to be done slightly before (testing with running the aws shell command to do the same before running Terraform show it's a few seconds!!) running AssociateVPCWithHostedZone, there needs to be a dependency between the aws_route53_vpc_association_authorization and aws_route53_zone_association.

A harder one than depends_on.

Duplicate of #10208.

I've created the following module which by no means solves this issue but provides me with an alternative in the meantime, I hope this is fixed in the future, I might even take a look at the go code myself if I have time.
https://github.com/opetch/terraform-aws-cli-resource

Just as a note... when dealing with cross-account aws_route53_zone_association resources:

• To CREATE the association the resource provider needs to point to the owner of the VPC
  After creation terraform will generate the following error:
  aws_route53_zone_association.allowlocal: AccessDenied: User: arn:aws:iam::111111111111111:user/terraform_user is not authorized to access this resource
  status code: 403, request id: REDACTED
• To VERIFY the association the resource provider needs to be switched to the owner of the ZONE
  This should not effect the ability to run create-vpc-association-authorization, which needs to be executed as the owner of the ZONE. Our current process is:

1) manually run create-vpc-association-authorization from the CLI
2) temporarily edit the aws_route53_zone_association resource to swap provider to the VPC owner
3) Run TF. Ignore the error.
4) Undo the provider swap and verify plan is clean

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.