
Terraform returns failure even after creating successfully "Associate private hosted zone to another account". #9453

Closed
shahamit2 opened this issue Jul 23, 2019 · 6 comments
Labels
bug Addresses a defect in current functionality. service/route53 Issues and PRs that pertain to the route53 service.
Milestone

Comments

@shahamit2
Contributor

shahamit2 commented Jul 23, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

2019/07/23 16:07:58 [INFO] Terraform version: 0.12.3
2019/07/23 16:07:58 [INFO] Go runtime version: go1.12.4

Affected Resource(s)

aws_route53_zone_association

Terraform Configuration Files

# main.tf
resource "aws_route53_zone_association" "secondary" {
  zone_id = "Z2LNDHON684P3W"
  vpc_id  = "vpc-0abf413cd7a3f8b35"
}
# provider.tf
provider "aws" {
  region = "us-west-2"
  allowed_account_ids = ["886513109300"]
  assume_role {
    role_arn = "arn:aws:iam::886513109300:role/TFAdmin"
    session_name = "terraform"
  }
}

Debug Output

2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: 2019/07/23 15:31:31 [DEBUG] [aws-sdk-go] DEBUG: Request route53/GetChange Details:
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: GET /2013-04-01/change/C28Q8SFX0QG8WU HTTP/1.1
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: Host: route53.amazonaws.com
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: User-Agent: aws-sdk-go/1.20.21 (go1.12.6; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.4
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: Authorization: AWS4-HMAC-SHA256 Credential=ASIA44YW77QKQYYJTBUJ/20190723/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=692836209eaf916a823a2dcdadf7e2e1eb3ebc3e1f2db3f33b1daf724648414a
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: X-Amz-Date: 20190723T100131Z
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: X-Amz-Security-Token: FQoGZXIvYXdzEHsaDOOhdjWUGGp/GFY5SiLtAV3teIzZ/0BNBIb2LRWBJ36QnnXOiJUu80lIHKImCpHtzbsBJy5ne6VN05NPwvj8THrxv26ox4ZFSzdMsAU9pkK29+V2SsnjJUkKNOufH18Vx4Xqu9bzR/R1DHN5KsyRPuA103ioy/LS3fFH9/6aohr9XceTnAu6IOy/9AUHcw4A5Q3kCCG1yZTxnlSpePxF4oMpbtnqNSd+y9iXJxepS1x5e4PR60OMTkZPg8rKreXAdUoss1nY7J93YPFrBQMjXObtp29cHZuBJhNT4gVNGFumM2zo7R8xXTDwmA8hHSSob0lst/Ht+JzmvIY+ESjntdvpBQ==
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: Accept-Encoding: gzip
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: 
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: 
2019-07-23T15:31:31.607+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: -----------------------------------------------------
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: 2019/07/23 15:31:32 [DEBUG] [aws-sdk-go] DEBUG: Response route53/GetChange Details:
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: ---[ RESPONSE ]--------------------------------------
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: HTTP/1.1 403 Forbidden
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: Connection: close
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: Content-Length: 348
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: Content-Type: text/xml
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: Date: Tue, 23 Jul 2019 10:01:48 GMT
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: X-Amzn-Requestid: 0653335b-bd0c-43c2-80e4-006d06665fe7
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: 
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: 
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: -----------------------------------------------------
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: 2019/07/23 15:31:32 [DEBUG] [aws-sdk-go] <?xml version="1.0"?>
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: <ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>AccessDenied</Code><Message>User: arn:aws:sts::886513109300:assumed-role/TFAdmin/terraform is not authorized to access this resource</Message></Error><RequestId>0653335b-bd0c-43c2-80e4-006d06665fe7</RequestId></ErrorResponse>
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: 2019/07/23 15:31:32 [DEBUG] [aws-sdk-go] DEBUG: Validate Response route53/GetChange failed, attempt 0/25, error AccessDenied: User: arn:aws:sts::886513109300:assumed-role/TFAdmin/terraform is not authorized to access this resource
2019-07-23T15:31:32.731+0530 [DEBUG] plugin.terraform-provider-aws_v2.20.0_x4: 	status code: 403, request id: 0653335b-bd0c-43c2-80e4-006d06665fe7
2019/07/23 15:31:32 [DEBUG] aws_route53_zone_association.secondary: apply errored, but we're indicating that via the Error pointer rather than returning it: AccessDenied: User: arn:aws:sts::886513109300:assumed-role/TFAdmin/terraform is not authorized to access this resource
	status code: 403, request id: 0653335b-bd0c-43c2-80e4-006d06665fe7
2019/07/23 15:31:32 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2019/07/23 15:31:32 [TRACE] EvalMaybeTainted: aws_route53_zone_association.secondary encountered an error during creation, so it is now marked as tainted
2019/07/23 15:31:32 [TRACE] <root>: eval: *terraform.EvalWriteState
2019/07/23 15:31:32 [TRACE] EvalWriteState: writing current state object for aws_route53_zone_association.secondary
2019/07/23 15:31:32 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: AccessDenied: User: arn:aws:sts::886513109300:assumed-role/TFAdmin/terraform is not authorized to access this resource
	status code: 403, request id: 0653335b-bd0c-43c2-80e4-006d06665fe7
2019/07/23 15:31:32 [ERROR] <root>: eval: *terraform.EvalSequence, err: AccessDenied: User: arn:aws:sts::886513109300:assumed-role/TFAdmin/terraform is not authorized to access this resource
	status code: 403, request id: 0653335b-bd0c-43c2-80e4-006d06665fe7
2019/07/23 15:31:32 [TRACE] [walkApply] Exiting eval tree: aws_route53_zone_association.secondary
2019/07/23 15:31:32 [TRACE] vertex "aws_route53_zone_association.secondary": visit complete

Error: AccessDenied: User: arn:aws:sts::886513109300:assumed-role/TFAdmin/terraform is not authorized to access this resource
	status code: 403, request id: 0653335b-bd0c-43c2-80e4-006d06665fe7

  on main.tf line 9, in resource "aws_route53_zone_association" "secondary":
   9: resource "aws_route53_zone_association" "secondary" {


2019-07-23T15:31:32.753+0530 [DEBUG] plugin: plugin process exited: path=/Users/shaham/temp/route53/.terraform/plugins/darwin_amd64/terraform-provider-aws_v2.20.0_x4 pid=65207
2019-07-23T15:31:32.753+0530 [DEBUG] plugin: plugin exited

Expected Behavior

If it is created, then a "successful" message should be shown, and, like the "aws cli", it should give the below type of message instead of failing.

{
    "ChangeInfo": {
        "Id": "/change/CZJH4QWMTPLLF",
        "Status": "PENDING",
        "SubmittedAt": "2019-07-23T10:44:21.206Z",
        "Comment": ""
    }
}

Actual Behavior

Resource "aws_route53_zone_association" is created successfully, but Terraform returns the below failure message.

Error: AccessDenied: User: arn:aws:sts::886422109205:assumed-role/TFAdmin/terraform is not authorized to access this resource
	status code: 403, request id: ddb83ca8-e87d-453f-aded-f16915c4668a

  on main.tf line 9, in resource "aws_route53_zone_association" "secondary":
   9: resource "aws_route53_zone_association" "secondary" {

Steps to Reproduce

  1. terraform apply (with above given main.tf and terraform.tf)

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 23, 2019
@aeschright aeschright added the service/route53 Issues and PRs that pertain to the route53 service. label Aug 2, 2019
@tpoingt

tpoingt commented Oct 25, 2019

Any action coming?

@jpmontez

Seeing this issue, too. The API 403 errors don't list the resources that are being denied access. Glad to know that it has to do with Route53 access.

@krogon

krogon commented Dec 6, 2019

Related to the aws_route53_vpc_association_authorization feature request resource: #384

@bflad
Member

bflad commented Aug 7, 2020

Support for cross-account Route 53 VPC Associations via a new aws_route53_vpc_association_authorization resource and updated aws_route53_zone_association resource handling has been merged and will release with version 3.1.0 of the Terraform AWS Provider, later today. Thanks to @goakley and @RyanJarv for implementation. 👍
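
The cross-account pattern this comment describes, as an added example that is not from the issue, the reporter, or the provider's own code: the zone owner account authorizes the foreign VPC with aws_route53_vpc_association_authorization, and the VPC owner account then performs the association with aws_route53_zone_association, so each API call is made with credentials that own the resource being touched and the GetChange 403 seen in the debug output above does not arise. It assumes Terraform AWS Provider >= 3.1.0; the account ids, role names, zone name and VPC ids are placeholders.

```hcl
# Added example (not the issue's or the provider's own code). Requires the
# Terraform AWS Provider >= 3.1.0. All ids and names below are placeholders.

# Account that owns the private hosted zone.
provider "aws" {
  alias  = "zone_owner"
  region = "us-west-2"
  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/TFAdmin" # placeholder
    session_name = "terraform"
  }
}

# Account that owns the VPC being associated.
provider "aws" {
  alias  = "vpc_owner"
  region = "us-west-2"
  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/TFAdmin" # placeholder
    session_name = "terraform"
  }
}

resource "aws_route53_zone" "private" {
  provider = aws.zone_owner
  name     = "internal.example" # placeholder
  # A private zone needs at least one VPC in the owning account at creation.
  vpc {
    vpc_id = "vpc-00000000000000000" # placeholder: VPC in the zone owner account
  }
  # Associations added by aws_route53_zone_association must not be reverted
  # on the next plan, so the zone ignores drift in its own vpc block.
  lifecycle {
    ignore_changes = [vpc]
  }
}

# Step 1, run as the zone owner: authorize the foreign VPC for this zone.
resource "aws_route53_vpc_association_authorization" "cross" {
  provider = aws.zone_owner
  zone_id  = aws_route53_zone.private.zone_id
  vpc_id   = "vpc-11111111111111111" # placeholder: VPC in the vpc_owner account
}

# Step 2, run as the VPC owner: perform the association. The reference to the
# authorization orders the two steps; from 3.1.0 the provider handles the
# cross-account status check itself.
resource "aws_route53_zone_association" "cross" {
  provider = aws.vpc_owner
  zone_id  = aws_route53_vpc_association_authorization.cross.zone_id
  vpc_id   = aws_route53_vpc_association_authorization.cross.vpc_id
}
```

The assumed roles in both accounts only need Route 53 permissions for their own side of the exchange, which keeps each role scoped to the resources its account actually owns.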

@bflad bflad closed this as completed Aug 7, 2020
@ghost

ghost commented Aug 7, 2020

This has been released in version 3.1.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Sep 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 7, 2020