
Feature Request: Add support for CreateVPCAssociationAuthorization AWS API #10208

Closed
rginev opened this issue Nov 18, 2016 · 7 comments

Comments

@rginev

rginev commented Nov 18, 2016

Hey there,

Terraform does have a route53_zone_association resource, but it only works for private zones and VPCs in the same AWS account.
If you want to associate a VPC that you created with one AWS account with a private hosted zone that you created with a different account, you had to ask AWS support to create the authorisation manually.
Now they have added an API for this. It would be great to have this implemented in Terraform, e.g. as a new resource.

Thanks in advance!


@bigkraig
Contributor

Terraform will also need to be modified in how it detects whether a zone is associated. I get errors that I am unable to access the resource (after it takes 30+ seconds to create the association), but when I run the aws CLI, I see that it made the association successfully.

@druidsbane

This would definitely be useful as I've just run into this issue myself.

@RyanJarv

So the issue right now is that there doesn't seem to be a way to check which zones are associated with a VPC without access to the zone. You can verify that the change completed successfully, but if the association was ever modified outside of Terraform, the account that created the association wouldn't be able to detect this.

@opetch

opetch commented Mar 1, 2018

I've created the following module, which by no means solves this issue but provides me with an alternative in the meantime:
https://github.com/opetch/terraform-aws-cli-resource

@bevanbennett

Just as a note... when dealing with cross-account aws_route53_zone_association resources:

  1. To CREATE the association, the resource provider needs to point to the owner of the VPC.
     After creation, Terraform will generate the following error:
     • aws_route53_zone_association.allowlocal: AccessDenied: User: arn:aws:iam::111111111111111:user/terraform_user is not authorized to access this resource
       status code: 403, request id: REDACTED
  2. To VERIFY the association, the resource provider needs to be switched to the owner of the ZONE.

This should not affect the ability to run create-vpc-association-authorization, which needs to be executed as the owner of the ZONE. Our current process is:

  • Manually run create-vpc-association-authorization from the CLI.
  • Temporarily edit the aws_route53_zone_association resource to swap the provider to the VPC owner.
  • Run TF. Ignore the error.
  • Undo the provider swap and verify the plan is clean.
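The manual part of the process above, written out as an added shell example (not code from this issue or from Terraform): the zone owner grants the authorization, the VPC owner associates, the zone owner verifies through get-hosted-zone (the call the VPC owner's credentials are denied), and the zone owner then deletes the authorization so the grant does not stay open. Profile names, the zone id, the VPC id and the region are placeholders; AWS_CMD is a hook so the functions can be exercised with a stub instead of the real CLI.

```shell
# Cross-account Route 53 private zone association via the aws CLI.
# Constructed example: profiles "zone-owner"/"vpc-owner" and the ids below are placeholders.
set -eu

# AWS_CMD lets a test substitute a stub (e.g. AWS_CMD=echo) for the real CLI.
aws_cli() { ${AWS_CMD:-aws} "$@"; }

# Step 1 (zone owner): authorize the VPC owner's account to associate this VPC.
authorize_vpc() {  # authorize_vpc <zone-owner-profile> <zone-id> <vpc-id> <vpc-region>
  aws_cli route53 create-vpc-association-authorization \
    --profile "$1" --hosted-zone-id "$2" \
    --vpc "VPCRegion=$4,VPCId=$3"
}

# Step 2 (VPC owner): the association itself must come from the account owning the VPC.
associate_vpc() {  # associate_vpc <vpc-owner-profile> <zone-id> <vpc-id> <vpc-region>
  aws_cli route53 associate-vpc-with-hosted-zone \
    --profile "$1" --hosted-zone-id "$2" \
    --vpc "VPCRegion=$4,VPCId=$3"
}

# Step 3 (zone owner): only the zone owner can read the zone's VPC list, which is
# why a plan run with the VPC owner's provider reports AccessDenied after the create.
list_zone_vpcs() {  # list_zone_vpcs <zone-owner-profile> <zone-id>
  aws_cli route53 get-hosted-zone --profile "$1" --id "$2" \
    --query 'VPCs[].VPCId' --output text
}

# Step 4 (zone owner): revoke the standing authorization once the association exists,
# so the other account cannot re-associate later without a fresh grant.
revoke_authorization() {  # revoke_authorization <zone-owner-profile> <zone-id> <vpc-id> <vpc-region>
  aws_cli route53 delete-vpc-association-authorization \
    --profile "$1" --hosted-zone-id "$2" \
    --vpc "VPCRegion=$4,VPCId=$3"
}

# Whole flow: <zone-owner-profile> <vpc-owner-profile> <zone-id> <vpc-id> <vpc-region>
cross_account_associate() {
  authorize_vpc "$1" "$3" "$4" "$5"
  associate_vpc "$2" "$3" "$4" "$5"
  revoke_authorization "$1" "$3" "$4" "$5"
  list_zone_vpcs "$1" "$3"   # prints the VPC ids now attached to the zone
}

if [ "${1:-}" = "--run" ]; then
  cross_account_associate zone-owner vpc-owner Z0000PLACEHOLDER vpc-0123456789abcdef0 us-east-1
fi
```

Run it as `sh script.sh --run` with real profiles; the verification output should list the VPC id, after which the Terraform provider swap described above can be undone.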

@emulanob

Will this ever get tackled?

@ghost

ghost commented Aug 13, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Aug 13, 2019