aws_route53_zone_association is not complete #617
Comments
I think this is linked to #384?
this bug is really annoying. Do you plan a fix or are there some workarounds?
Yeah, really need it too!
Have you looked at the Route 53 resolvers recently released? Using rules and sharing them across accounts using Resource Access Manager? We've moved to that model, meaning this issue is no longer a problem. If you still want to use zone associations you could always use an external code data source and do the association in code using the SDK - our previous method. Cheers,
thanks a lot @JoshiiSinfield I will take a look
Np. Take a look at this as an idea.
https://twitter.com/awssecurityinfo/status/1133409532162584577?s=21
We make use of the Shared Services DNS Resolver setup, as linked above, but still have this error, which is odd, because the actual VPC associations work - TF just errors out with the error above, which is annoying. Our solution allows individual accounts to manage their own Private Hosted Zones and we ingest those zones via cross-account association to a Shared Services DNS account - that then further shares them to the entire Org. Because the source PHZ is in a different account than the SS-DNS, we cannot use this native TF resource and are instead using a null_resource. It would be nice if this issue got addressed.
Hi @rschwartz-tpn, If you're using resolvers & sharing rules across the accounts you should be able to remove the need for vpc-associations altogether...
Hi @JoshiiSinfield - I'm not sure if your advice is based on offering a workaround to the bug reported here, or if you didn't understand our setup. If you take a look at Step 3 at this link: The solution for sharing PHZs from other accounts, to other accounts, via an intermediary shared services account, requires zone associations. This particular architecture was covered at 2019 re:Invent in a great session I think everyone should see. :) The link to the video at the point where this setup is discussed is below: https://youtu.be/_Z5jAs2gvPA?t=2943 -Rob
Hi @rschwartz-tpn, Apologies, yes I missed your setup of an intermediary account. I was assuming you'd share a rule from each account that points to that PHZ without the need for an intermediary. Thanks for the video link, I'll take a look. Josh.
Support for cross-account Route 53 VPC Associations via a new
This has been released in version 3.1.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
This issue was originally opened by @gtmtech as hashicorp/terraform#12804. It was migrated here as part of the provider split. The original body of the issue is below.
Terraform 0.8.7
The aws_route53_zone_association resource is not complete.
It is possible to associate a route53 zone to a VPC not in the same account.
Trying to do so with an aws_route53_zone_association yields the following error:
Details of the endpoints used to do cross account zone association are here:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html
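The two-step cross-account association the linked AWS documentation describes (authorize in the zone-owning account, then associate from the VPC-owning account), written as an added Terraform example. This is not code from the issue thread or from the provider's own documentation; it assumes the aws_route53_vpc_association_authorization resource that shipped with the provider 3.1.0 release mentioned above, and every account id, role ARN, hosted zone id and VPC id below is a placeholder.

```hcl
# Added example, not from the issue or the provider docs. All ids are placeholders.

# Credentials for the account that owns the private hosted zone
# (the "Shared Services DNS" account in the thread's architecture).
provider "aws" {
  alias  = "zone_owner"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/terraform" # placeholder
  }
}

# Credentials for the account that owns the VPC being associated.
provider "aws" {
  alias  = "vpc_owner"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/terraform" # placeholder
  }
}

# Step 1, run as the zone owner: explicitly authorize one foreign VPC.
# Maps to the CreateVPCAssociationAuthorization API call; only VPCs
# authorized this way can be associated, so the zone owner keeps control
# over which VPCs get to resolve the private zone.
resource "aws_route53_vpc_association_authorization" "shared" {
  provider   = aws.zone_owner
  zone_id    = "Z0000000000000000000"  # placeholder hosted zone id
  vpc_id     = "vpc-0123456789abcdef0" # placeholder, lives in the vpc_owner account
  vpc_region = "us-east-1"
}

# Step 2, run as the VPC owner: perform the association. Maps to
# AssociateVPCWithHostedZone, which must be called with credentials from
# the account that owns the VPC. Referencing the authorization resource
# makes Terraform order the two steps correctly.
resource "aws_route53_zone_association" "shared" {
  provider   = aws.vpc_owner
  zone_id    = aws_route53_vpc_association_authorization.shared.zone_id
  vpc_id     = aws_route53_vpc_association_authorization.shared.vpc_id
  vpc_region = aws_route53_vpc_association_authorization.shared.vpc_region
}
```

Two points worth checking before applying this. The zone-owner role needs route53:CreateVPCAssociationAuthorization, and the VPC-owner role needs route53:AssociateVPCWithHostedZone plus ec2:DescribeVpcs; scoping those grants to the specific hosted zone and VPC keeps each account's role at least privilege. AWS also recommends deleting the authorization once the association exists, since Route 53 caps the number of outstanding authorizations per zone and removing it does not break an association that has already been made.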