fix(dns): ignore vpc changes on private_zone for cross-account assoc #398
Merged
sebastiancorrea81 approved these changes Jun 19, 2026
Problem

The `aws_route53_zone.private_zone` resource in `infrastructure/aws/dns/main.tf` declares a single inline `vpc {}` block but no `lifecycle.ignore_changes`. Any VPC association created on the zone outside of this block — for example via a standalone `aws_route53_zone_association` resource in another AWS account (the hub side of a hub-and-spoke setup) — is detected as drift on every refresh, and the next `tofu apply` calls `DisassociateVPCFromHostedZone` against it.

For consumers that authorize a hub VPC via `aws_route53_vpc_association_authorization` and let the hub account create the actual association via `aws_route53_zone_association`, this produces a perpetual diff in the zone-owning account and a yo-yo of disassociate/reassociate calls between layers — with a brief window of broken cross-account DNS resolution on every cycle.

Fix

Add `lifecycle { ignore_changes = [vpc] }` to the `private_zone` resource. The inline `vpc {}` block is still required at creation time (AWS rejects a private zone with zero VPC associations), but Tofu no longer tries to reconcile the set of associations on subsequent refreshes. Additional associations are then managed externally via `aws_route53_zone_association` resources (in the same or other accounts).

Why this is safe

This is the pattern explicitly documented by the AWS Terraform provider on the `aws_route53_zone_association` reference page.

Source: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association

The provider's own example code on that page uses the exact pattern this PR applies.

Impact on existing consumers

`vpc {}` still controls the initial association, and there are no external associations to ignore.

Context

Hit on `accounts/galicia-3/infrastructure/aws/` in the Banco Galicia POC, where the canonical account is associated to a central Hub VPC (galicia-hub) via `aws_route53_vpc_association_authorization` + `aws_route53_zone_association`. Without this fix, every `tofu plan` in galicia-3 proposes disassociating the hub VPC from `galicia-3-poc.nullapps.io`, which would break Route53 Resolver lookups from the hub.

Test plan

- `tofu fmt -check -recursive` on the dns module — passes (already verified locally).
- `infrastructure/aws/dns/tests/` still pass.
- `galicia-3/infrastructure/aws/` no longer proposes the `~ vpc {}` destroy on `aws_route53_zone.private_zone` after the source ref is bumped to a release containing this change.
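The full spoke/hub pattern the description relies on, written out as an added example so the ordering of the three resources is visible end to end. This is not code from this PR or from the dns module it changes: it is a single root module with two hypothetical provider aliases (`aws.spoke` for the zone-owning account, `aws.hub` for the account that owns the central resolver VPC); the variable names, the zone name `poc.example.internal` and the resource labels are assumptions for illustration.

```hcl
# Added example (not the project's code). Two provider aliases stand in for
# the two AWS accounts; in a real layout steps 1-2 and step 3 would normally
# live in separate root modules and be applied by different principals.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

variable "region"       { type = string }
variable "spoke_vpc_id" { type = string } # hypothetical: VPC in the zone-owning account
variable "hub_vpc_id"   { type = string } # hypothetical: central resolver VPC in the hub account

# Zone-owning ("spoke") account.
provider "aws" {
  alias  = "spoke"
  region = var.region
}

# Hub account.
provider "aws" {
  alias  = "hub"
  region = var.region
}

# 1. Private hosted zone in the spoke account. AWS rejects a private zone
#    with no VPC, so the inline vpc {} block is mandatory at creation time.
#    ignore_changes = [vpc] stops Tofu from reconciling the association set
#    on later refreshes, which is what prevents the
#    DisassociateVPCFromHostedZone call against the hub VPC.
resource "aws_route53_zone" "private_zone" {
  provider = aws.spoke
  name     = "poc.example.internal" # hypothetical zone name

  vpc {
    vpc_id = var.spoke_vpc_id
  }

  lifecycle {
    ignore_changes = [vpc]
  }
}

# 2. Still in the spoke account: authorize the hub VPC to be associated.
#    This is only an allow-list entry on the zone, not the association.
resource "aws_route53_vpc_association_authorization" "hub" {
  provider = aws.spoke
  zone_id  = aws_route53_zone.private_zone.zone_id
  vpc_id   = var.hub_vpc_id
}

# 3. In the hub account: create the actual association. Referencing the
#    authorization's attributes rather than the raw variables makes Tofu
#    order the two API calls correctly, since AssociateVPCWithHostedZone
#    is rejected while the authorization does not exist yet.
resource "aws_route53_zone_association" "hub" {
  provider = aws.hub
  zone_id  = aws_route53_vpc_association_authorization.hub.zone_id
  vpc_id   = aws_route53_vpc_association_authorization.hub.vpc_id
}
```

To see the failure mode the PR describes, delete the `lifecycle` block from step 1 after step 3 has been applied and run `tofu plan` again: the refreshed state now carries two VPC associations while the configuration declares one, so the plan proposes removing the hub VPC. With the block in place, `tofu plan -detailed-exitcode` exits 0 for the zone. The trade-off to keep in mind is that `ignore_changes = [vpc]` also silences edits to the inline block itself: changing `var.spoke_vpc_id` later will not be applied to the existing zone, so the primary association has to be moved deliberately (for example by also managing it as an `aws_route53_zone_association`) rather than by editing the inline block.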