
Feature Request: Private Hosted Zone Cross-Account Association - CreateVPCAssociationAuthorization and AssociateVPCWithHostedZone #24286

Closed
miketwenty1 opened this issue Mar 4, 2020 · 3 comments

Comments

@miketwenty1

miketwenty1 commented Mar 4, 2020

Hey there,

Terraform doesn't seem to have a good way of authorizing VPC(s) cross account/different account than the one hosting the route53 private zone.

I see route 53 association resource

NOTE: Unless explicit association ordering is required (e.g. a separate cross-account association authorization), usage of this resource is not recommended. Use the vpc configuration blocks available within the aws_route53_zone resource instead.

This is worded in a confusing way, but it seems to indicate that you should use this if cross-account association is required.

Running terraform apply from a role/aws provider holding the private hosted zone will result in:
Error: NotAuthorizedException: The VPC: vpc-xxxxxxxx has not authorized to associate with your hosted zone. status code: 401

Running terraform apply from the aws provider holding the VPC will result in:
AccessDenied: User: arn:aws:sts::xxxxxxxxx:assumed-role/role-name/terraform is not authorized to access this resource status code: 403
This makes sense, as the role doesn't have permissions to look at another account's Route 53 resources without first assuming another role. I'm not sure if it's possible in Terraform to do role inception. Are you able to assume a role while already assuming another role with Terraform providers?

References: AWS documentation on API

References

#10208
#12465
hashicorp/terraform-provider-aws#384

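The two-step flow the issue asks about, as an added example that is not from the issue or the provider's documentation: one provider alias per account, the zone owner creates the authorization (CreateVPCAssociationAuthorization), and the VPC owner then performs the association (AssociateVPCWithHostedZone), so each role only needs permissions in its own account and no VPC is attached without an explicit, per-VPC authorization. Both cross-account resources were added to the AWS provider after this issue was filed (hashicorp/terraform-provider-aws#384); the role ARNs, zone name, VPC ids and region are placeholders.

```hcl
# Account A owns the private hosted zone (placeholder ARN).
provider "aws" {
  alias  = "zone_owner"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/terraform"
  }
}

# Account B owns the VPC that must resolve names in the zone (placeholder ARN).
provider "aws" {
  alias  = "vpc_owner"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/terraform"
  }
}

resource "aws_route53_zone" "private" {
  provider = aws.zone_owner
  name     = "internal.example.com." # placeholder
  vpc {
    vpc_id = "vpc-aaaaaaaa" # placeholder: a VPC in account A; a private zone needs one
  }
  # The cross-account VPC is managed by the association resource below;
  # without this, the zone resource would try to detach it on the next apply.
  lifecycle {
    ignore_changes = [vpc]
  }
}

# Step 1, run as the zone owner: authorize exactly one foreign VPC.
resource "aws_route53_vpc_association_authorization" "cross_account" {
  provider = aws.zone_owner
  zone_id  = aws_route53_zone.private.zone_id
  vpc_id   = "vpc-bbbbbbbb" # placeholder: the VPC in account B
}

# Step 2, run as the VPC owner: the reference to the authorization
# orders the association after it, avoiding the 401 NotAuthorizedException.
resource "aws_route53_zone_association" "cross_account" {
  provider   = aws.vpc_owner
  zone_id    = aws_route53_vpc_association_authorization.cross_account.zone_id
  vpc_id     = aws_route53_vpc_association_authorization.cross_account.vpc_id
  vpc_region = "us-east-1"
}
```

Once the association exists, the authorization can be deleted on the zone-owner side without breaking the association, which keeps the list of standing authorizations short and auditable.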
@miketwenty1 miketwenty1 changed the title Feature Request: Add support for CreateVPCAssociationAuthorization and AssociateVPCWithHostedZone Feature Request: Private Hosted Zone Cross-Account Association - CreateVPCAssociationAuthorization and AssociateVPCWithHostedZone Mar 4, 2020
@miketwenty1
Author

This is currently being tracked here: hashicorp/terraform-provider-aws#384
But I'm not convinced this is actually a provider issue.

@miketwenty1
Author

Requesting an additional resource under the AWS provider seems to belong here: https://github.com/terraform-providers/terraform-provider-aws/
I will continue the discussion here:
hashicorp/terraform-provider-aws#384

@ghost

ghost commented Apr 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 5, 2020