[ERROR] InvalidChangeBatch: An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: [RRSet with DNS name ........ is not permitted in zone ......]

[emiioan]

Hello tried the code you provided as example but records are not created. Lambda logs:

[ERROR] InvalidChangeBatch: An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: [RRSet with DNS name . is not permitted in zone ...]
Traceback (most recent call last):
  File "/var/task/autoscale.py", line 144, in lambda_handler
    process_record(record)
  File "/var/task/autoscale.py", line 136, in process_record
    process_message(json.loads(record['Sns']['Message']))
  File "/var/task/autoscale.py", line 132, in process_message
    update_record(zone_id, ip, hostname, operation)
  File "/var/task/autoscale.py", line 87, in update_record
    route53.change_resource_record_sets(
  File "/var/runtime/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 676, in _make_api_call
    raise error_class(parsed_response, operation_name)

code:

module "tomcat_asg" {
  for_each = { for k, v in var.tomcat_instances : k => v if var.tomcat_instances[k]["enabled"] == "true" }
  source   = "./terraform-aws-autoscaling"

  name = each.key 
  # Launch configuration
  use_lc               = true
  create_lc            = false
  launch_configuration = aws_launch_configuration.lc_conf[each.key].name
  vpc_zone_identifier = ["${data.terraform_remote_state.basic_network.outputs.basic_network.private_subnets}"]
  health_check_type = "EC2"
  min_size          = var.tomcat_instance_count
  max_size          = var.tomcat_instance_count
  desired_capacity  = var.tomcat_instance_count
  target_group_arns = [aws_lb_target_group.tomcat_tg[each.key].arn]

  initial_lifecycle_hooks = [{
    name                    = "lifecycle-launching"
    default_result          = "CONTINUE"
    heartbeat_timeout       = 60
    lifecycle_transition    = "autoscaling:EC2_INSTANCE_LAUNCHING"
    notification_target_arn = module.autoscale_dns.autoscale_handling_sns_topic_arn
    role_arn                = module.autoscale_dns.agent_lifecycle_iam_role_arn
    },
    {

      name                    = "lifecycle-terminating"
      default_result          = "CONTINUE"
      heartbeat_timeout       = 60
      lifecycle_transition    = "autoscaling:EC2_INSTANCE_TERMINATING"
      notification_target_arn = module.autoscale_dns.autoscale_handling_sns_topic_arn
      role_arn                = module.autoscale_dns.agent_lifecycle_iam_role_arn
    }
  ]
  tags = [
    {
      key                 = "asg:hostname_pattern"
      value               = "${each.key}@${data.terraform_remote_state.R53.outputs.r53_zone_id}" 
      propagate_at_launch = true
    }
  ]
}


module "autoscale_dns" {
  source  = "meltwater/asg-dns-handler/aws"
  version = "2.1.2"

  autoscale_handler_unique_identifier = "tomcat_dns"
  autoscale_route53zone_arn           = data.terraform_remote_state.R53.outputs.r53_zone_id
  vpc_name                            = data.terraform_remote_state.basic_network.outputs.basic_network.name
}

[cmbengels]

I had that error, too. The module mismatches foo.id, foo.name and foo.arn at some places. Check the generated policy, I think you'll find a wrong ARN like arn:aws:route53::: arn:aws:route53:::foo/bar. (When you have fixed that, you'll find the next mistake where the module expects a zone id but the module's description says you need an ARN.
(sorry, I mismatched this with a different error.)

[cmckeen]

Hi @emiioan, it looks like the problem here is that you're not creating a fully qualified domain name inside of the asg:hostname_pattern tag, which is preventing the Route 53 record from being created. Here is an example of how this would work -

resource "aws_autoscaling_group" "asg" {
...
  tag {
    key                 = "asg:hostname_pattern"
    value               = "#instanceid.${var.vpc_name}.asg-testing.internal@${aws_route53_zone.test.id}"
    propagate_at_launch = true
  }
}

resource "aws_route53_zone" "test" {
  name          = "asg-testing.internal"

  vpc {
    vpc_id = data.terraform_remote_state.vpc.outputs.vpc_id
  }
}

It's worth noting as well that #instanceid is interpolated by the lambda function to the instance_id of the AWS instance that is created. I will update the documentation to make this more clear.

[cmckeen]

Additional documentation added in 498537e.

[emiioan]

Hi @cmckeen, thanks a lot for the response, yes indeed it worked after adding the FQDN including the R53 zone name in asg:hostname_pattern value.