Hey there,

Terraform doesn't seem to have a good way of authorizing VPC(s) cross account/different account than the one hosting the route53 private zone.

I see the route 53 association resource:

NOTE: Unless explicit association ordering is required (e.g. a separate cross-account association authorization), usage of this resource is not recommended. Use the vpc configuration blocks available within the aws_route53_zone resource instead.

This is worded in a confusing way, but it seems to indicate that you should use this if cross-account association is required.

Running terraform apply from a role/aws provider holding the private hosted zone will result in:

Error: NotAuthorizedException: The VPC: vpc-xxxxxxxx has not authorized to associate with your hosted zone. status code: 401

Running terraform apply from the aws provider holding the VPC will result in:

AccessDenied: User: arn:aws:sts::xxxxxxxxx:assumed-role/role-name/terraform is not authorized to access this resource status code: 403

This makes sense as the role doesn't have permissions to look at another account's route53 resources without first assuming another role. I'm not sure if it's possible in terraform to do role-inception. Are you able to assume a role while already assuming another role with terraform providers?

References: AWS documentation on API

References
#10208
#12465
hashicorp/terraform-provider-aws#384
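For the cross-account flow the issue asks about, here is an added example (it is not code from the issue, nor the provider project's own code) of the Terraform pattern that the provider supports through a dedicated aws_route53_vpc_association_authorization resource, which was added after this issue was filed. It performs the two API calls named in the title from two different sets of credentials: CreateVPCAssociationAuthorization with the zone owner's credentials, then AssociateVPCWithHostedZone with the VPC owner's credentials. The account IDs 111111111111 and 222222222222, the role name "terraform", the zone name corp.internal, the CIDR blocks, the resource labels and the us-east-1 region are all assumptions. On the "role-inception" question: the provider's assume_role block starts from whatever base credentials Terraform already holds, and those may themselves come from an assumed role; STS allows this role chaining, with the chained session capped at one hour.

```hcl
# Added example: cross-account private hosted zone association in one
# Terraform configuration. Account IDs, role names, zone name, CIDRs and
# region below are assumptions, not values from the issue.

# Credentials for the account that owns the private hosted zone.
provider "aws" {
  alias  = "zone_owner"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/terraform"
  }
}

# Credentials for the account that owns the VPC to be associated.
# Base credentials may themselves be an assumed role (STS role chaining).
provider "aws" {
  alias  = "vpc_owner"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/terraform"
  }
}

# A VPC in the zone-owner account so the zone can be created as private.
resource "aws_vpc" "zone_owner" {
  provider   = aws.zone_owner
  cidr_block = "10.1.0.0/16"
}

resource "aws_route53_zone" "private" {
  provider = aws.zone_owner
  name     = "corp.internal"

  vpc {
    vpc_id = aws_vpc.zone_owner.id
  }

  # The cross-account VPC is attached by aws_route53_zone_association below,
  # not by a vpc block here. Without ignore_changes, the next plan run with
  # zone-owner credentials would see an extra VPC and try to detach it.
  lifecycle {
    ignore_changes = [vpc]
  }
}

# The VPC in the other account that should resolve names in the zone.
resource "aws_vpc" "vpc_owner" {
  provider   = aws.vpc_owner
  cidr_block = "10.2.0.0/16"
}

# Step 1, zone-owner credentials: CreateVPCAssociationAuthorization.
# This grants permission for exactly this one VPC to be associated.
resource "aws_route53_vpc_association_authorization" "cross_account" {
  provider   = aws.zone_owner
  zone_id    = aws_route53_zone.private.zone_id
  vpc_id     = aws_vpc.vpc_owner.id
  vpc_region = "us-east-1"
}

# Step 2, VPC-owner credentials: AssociateVPCWithHostedZone.
# Reading zone_id and vpc_id from the authorization resource makes
# Terraform order this after step 1, which is what prevents the
# NotAuthorizedException / 401 seen when the zone-owner role tries
# to associate, and the 403 seen when the VPC-owner role has no
# authorization to rely on.
resource "aws_route53_zone_association" "cross_account" {
  provider   = aws.vpc_owner
  zone_id    = aws_route53_vpc_association_authorization.cross_account.zone_id
  vpc_id     = aws_route53_vpc_association_authorization.cross_account.vpc_id
  vpc_region = "us-east-1"
}
```

Two practical caveats. First, each role only needs the Route 53 actions it actually calls: the zone-owner role needs CreateVPCAssociationAuthorization (plus the matching List and Delete actions for refresh and destroy), and the VPC-owner role needs AssociateVPCWithHostedZone and DisassociateVPCFromHostedZone; the 403 in the issue is an ordinary IAM denial, not an ordering problem. Second, AWS's manual procedure ends by deleting the authorization once the association exists; if you do that outside Terraform, the next apply will recreate it, so either keep the authorization resource (it is scoped to a single VPC) or remove it from the configuration after the association is in state.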
miketwenty1 changed the title from "Feature Request: Add support for CreateVPCAssociationAuthorization and AssociateVPCWithHostedZone" to "Feature Request: Private Hosted Zone Cross-Account Association - CreateVPCAssociationAuthorization and AssociateVPCWithHostedZone" on Mar 4, 2020.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

ghost locked and limited conversation to collaborators on Apr 5, 2020.