DEV Community

Md Shamim for AWS Community Builders

Cross-Account VPC Associations with Route53 Private Hosted Zone and Addressing Terraform State Update Issue

Background:

Let's assume we have a private hosted zone in Account A, with a VPC from that same account already associated with it. Now we need to associate a second VPC, owned by Account B (a different account), with the private hosted zone that lives in Account A.

This cannot be done through the AWS console: the console only offers VPCs from the account that owns the hosted zone, so a cross-account association has to be made programmatically, as a two-step handshake in which the zone owner authorizes the foreign VPC and the VPC owner then performs the association. In this tutorial we use the AWS CLI for both steps.

The following commands are run in Account A (the account that owns the hosted zone).
Account A creates a VPC association authorization that allows the VPC from Account B to be associated with the zone. The authorization names the Account B VPC, so <vpc-id> and <region> below are that VPC's ID and region, while <hosted-zone-id> is the zone in Account A.

  • Create the VPC association authorization:
aws route53 create-vpc-association-authorization \
    --hosted-zone-id <hosted-zone-id> \
    --vpc VPCRegion=<region>,VPCId=<vpc-id> \
    --region <your-region>
  • Check that the VPC is now authorized:
aws route53 list-vpc-association-authorizations \
    --hosted-zone-id <hosted-zone-id>
  • Expected output (the VPCs list must contain the Account B VPC):
{
    "VPCs": [
        {
            "VPCRegion": "<region>",
            "VPCId": "<vpc-id>"
        }
    ],
    "HostedZoneId": "<hosted-zone-id>"
}

The following command is run in Account B (the account that owns the VPC), using the same hosted zone ID as above. If it is run before the authorization exists, Route 53 rejects it with NotAuthorizedException.

  • Account B associates its VPC with the hosted zone:
aws route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id <hosted-zone-id> \
    --vpc VPCRegion=<region>,VPCId=<vpc-id> \
    --region <your-region>

Back in Account A, the hosted zone's details page in the Route 53 console now lists the Account B VPC among the associated VPCs.

Once the association is in place the authorization has done its job: Account A can remove it with aws route53 delete-vpc-association-authorization (same --hosted-zone-id and --vpc arguments). Removing it does not undo the association, but Account B will need a fresh authorization before it can associate that VPC again.
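The same handshake as a script, added here as an example rather than code from the original post: it drives the Route 53 API with boto3 instead of the CLI, runs the authorization and the authorization check as Account A, the association as Account B, then revokes the authorization and confirms the association from the zone side. The profile names account-a and account-b, the zone ID and the VPC IDs are placeholders; the functions accept any two client objects (real boto3 Route 53 clients or stand-ins), which is what lets the flow be exercised without AWS access.

```python
from __future__ import annotations

from typing import Any


def list_authorized_vpc_ids(zone_client: Any, zone_id: str) -> set[str]:
    """Account A: IDs of every VPC authorized to associate with the zone.

    Follows NextToken so a long authorization list is not silently truncated.
    """
    ids: set[str] = set()
    kwargs: dict[str, str] = {"HostedZoneId": zone_id}
    while True:
        page = zone_client.list_vpc_association_authorizations(**kwargs)
        ids.update(v["VPCId"] for v in page.get("VPCs", []))
        token = page.get("NextToken")
        if not token:
            return ids
        kwargs["NextToken"] = token


def associated_vpc_ids(zone_client: Any, zone_id: str) -> set[str]:
    """Account A: IDs of the VPCs actually associated with the private zone."""
    zone = zone_client.get_hosted_zone(Id=zone_id)
    return {v["VPCId"] for v in zone.get("VPCs", [])}


def associate_cross_account_vpc(
    zone_client: Any,
    vpc_client: Any,
    zone_id: str,
    vpc_region: str,
    vpc_id: str,
    revoke_authorization: bool = True,
) -> bool:
    """Run the authorize / associate handshake and report whether it took.

    zone_client acts as Account A (owner of the hosted zone), vpc_client as
    Account B (owner of the VPC); both are boto3 Route 53 clients or stand-ins.
    """
    vpc = {"VPCRegion": vpc_region, "VPCId": vpc_id}
    # Step 1, Account A: grant Account B's VPC permission to associate.
    zone_client.create_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc)
    # Step 2, Account A: confirm the grant is visible before handing off.
    if vpc_id not in list_authorized_vpc_ids(zone_client, zone_id):
        raise RuntimeError(f"authorization for {vpc_id} not visible on {zone_id}")
    # Step 3, Account B: perform the association with its own credentials.
    vpc_client.associate_vpc_with_hosted_zone(HostedZoneId=zone_id, VPC=vpc)
    # Step 4, Account A: the grant has served its purpose. Removing it does not
    # undo the association, but a fresh grant is needed to re-associate later.
    if revoke_authorization:
        zone_client.delete_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc)
    # Step 5, Account A: verify from the zone side, not just from the API result.
    return vpc_id in associated_vpc_ids(zone_client, zone_id)


if __name__ == "__main__":
    import boto3  # only needed for a real run; profile names below are assumptions

    account_a = boto3.Session(profile_name="account-a").client("route53")
    account_b = boto3.Session(profile_name="account-b").client("route53")
    ok = associate_cross_account_vpc(
        account_a, account_b, "Z0EXAMPLEZONEID", "us-east-1", "vpc-0bbbbbbbbbbbbbbbb"
    )
    print("associated" if ok else "association not visible")
```

With revoke_authorization=False the standing authorization is left in place, which is convenient while iterating but leaves Account B able to re-associate that VPC at any time without Account A's involvement.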

Addressing Terraform State Update Challenges

Because the cross-account association was made with the CLI, outside Terraform, the next terraform plan against the aws_route53_zone resource treats the extra vpc block as drift and proposes removing it, which would break name resolution for Account B's VPC on apply:

  # aws_route53_zone.private will be updated in-place
  ~ resource "aws_route53_zone" "private" {
        id                  = "Z03168043HMQYLAGDGAL"
        name                = "example.com"
        tags                = {}
        # (7 unchanged attributes hidden)

      - vpc {
          - vpc_id     = "vpc-072877fb4e12c2427" -> null
          - vpc_region = "us-east-1" -> null
        }

        # (1 unchanged block hidden)
    }

To stop Terraform from reverting the association, add a lifecycle block to the aws_route53_zone resource so that changes to its vpc blocks are ignored. Keep in mind that this silences drift on every vpc block of the zone, including the one Terraform created itself, so a later change to the zone's own association will also go unnoticed by plan:

resource "aws_route53_zone" "private" {
  name = "example.com"

  # The zone's own VPC, managed by Terraform.
  vpc {
    vpc_id = "vpc-0f76856d99df4csbf"
  }

  # Associations added outside Terraform (such as the cross-account VPC from
  # Account B) would otherwise show up as drift and be removed on apply.
  lifecycle {
    ignore_changes = [vpc]
  }
}
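As a guard against the drift shown above, here is an added example (not from the original post) that inspects the JSON form of a plan, as produced by terraform show -json tfplan, and fails when any aws_route53_zone change would drop a VPC association, whether through the in-place update shown in the plan output or by destroying the zone. Run it in CI before terraform apply; with the lifecycle block in place the plan for this resource becomes a no-op and the check passes. The embedded SAMPLE_PLAN is constructed to mirror the post's plan output; the zone ID, the VPC IDs and the file name guard.py are placeholders.

```python
from __future__ import annotations

import json
import sys
from typing import Any

# Constructed sample: what `terraform show -json tfplan` emits for the
# in-place update shown in the post. Zone ID and VPC IDs are placeholders.
SAMPLE_PLAN: dict[str, Any] = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_route53_zone.private",
            "type": "aws_route53_zone",
            "name": "private",
            "change": {
                "actions": ["update"],
                "before": {
                    "id": "Z0EXAMPLEZONEID",
                    "name": "example.com",
                    "vpc": [
                        {"vpc_id": "vpc-0aaaaaaaaaaaaaaaa", "vpc_region": "us-east-1"},
                        {"vpc_id": "vpc-0bbbbbbbbbbbbbbbb", "vpc_region": "us-east-1"},
                    ],
                },
                "after": {
                    "id": "Z0EXAMPLEZONEID",
                    "name": "example.com",
                    "vpc": [
                        {"vpc_id": "vpc-0aaaaaaaaaaaaaaaa", "vpc_region": "us-east-1"},
                    ],
                },
            },
        }
    ],
}


def dropped_vpc_associations(plan: dict[str, Any]) -> list[tuple[str, str]]:
    """(resource address, vpc_id) for every VPC association the plan would
    remove from an aws_route53_zone, via in-place update or destroy."""
    dropped: list[tuple[str, str]] = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_route53_zone":
            continue
        change = rc.get("change", {})
        if change.get("actions", []) == ["no-op"]:
            continue
        # On destroy "after" is null, so every association counts as dropped.
        before = (change.get("before") or {}).get("vpc") or []
        after = (change.get("after") or {}).get("vpc") or []
        before_ids = {v["vpc_id"] for v in before}
        after_ids = {v["vpc_id"] for v in after}
        for vpc_id in sorted(before_ids - after_ids):
            dropped.append((rc["address"], vpc_id))
    return dropped


def check_plan(plan: dict[str, Any]) -> int:
    """Exit status for CI: 1 when an association would be removed, else 0."""
    dropped = dropped_vpc_associations(plan)
    for address, vpc_id in dropped:
        print(f"{address}: plan removes association with {vpc_id}", file=sys.stderr)
    return 1 if dropped else 0


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python3 guard.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(check_plan(json.load(fh)))
    sys.exit(check_plan(SAMPLE_PLAN))
```

The check keys on vpc_id only, so a change of vpc_region for the same VPC is not reported; extend the set comprehension to (vpc_id, vpc_region) pairs if that matters in your environment.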

That's all for now. Please let me know your feedback and if you have any questions.

Thanks!!
Md Shamim
