aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::Route53::VPCAssociationAuthorization #371

Open direvus opened 4 years ago

direvus commented 4 years ago

https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateVPCAssociationAuthorization.html

1. Title

AWS::Route53::VPCAssociationAuthorization

2. Scope of request

New support desired for Route53 methods 'CreateVPCAssociationAuthorization' and 'DeleteVPCAssociationAuthorization'

Currently it is not possible to authorize VPCs to associate with a private hosted zone in native CloudFormation. We are forced to work around this by deploying a Lambda custom resource type, which sucks.

3. Expected behavior

A resource type should exist for Route53::VPCAssociationAuthorization. It should contain the following properties:

It might make sense to also add a new property to Route53::HostedZone, to specify a list of VPCs to authorize, e.g.:

Type: AWS::Route53::HostedZone
Properties:
  ...
  VPCAssociationAuthorizations:
    - VPCId: vpc-xxxyyy
      VPCRegion: xx-yyyy-1
    - VPCId: ...
      VPCRegion: ...

4. Suggest specific test cases

A user can successfully authorize a VPC in another account to associate with a private hosted zone, using native CloudFormation.

5. Helpful Links to speed up research and evaluation

https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateVPCAssociationAuthorization.html
https://docs.aws.amazon.com/Route53/latest/APIReference/API_DeleteVPCAssociationAuthorization.html

6. Category (required) - Will help with tagging and be easier to find by other users to +1

  1. Networking & Content (VPC, Route53, API GW,...)
Dougoc commented 4 years ago

This is a very useful feature!

jdonboch commented 3 years ago

Definitely would be a good addition; very annoying that the only way to do this is via the CLI and SDKs presently.

direvus commented 3 years ago

Happy birthday #371 🎂

exidy commented 3 years ago

One of the ugliest things about PHZ association is that the PHZ has to exist first. However creating a hosted zone without an associated VPC in CloudFormation creates a public hosted zone which cannot be converted to private. To support this in CloudFormation would require a modification to allow a PHZ to exist without a VPC such that the authorisation can be created to allow the following sequence.

1) Account 1: Create VPC
2) Account 2: Create PHZ (without VPC association)
3) Account 2: Create VPCAssociationAuthorization
4) Account 1: Create VPCAssociation
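
As an added example (not code from this issue, from AWS, or from the community provider mentioned later), here is the Lambda custom-resource workaround the opening post refers to, covering step 3 of the sequence above, the authorization created in the account that owns the PHZ; the association in account 1 is a separate step. It assumes a hypothetical Custom::VPCAssociationAuthorization resource with properties HostedZoneId, VPCId and VPCRegion, and encodes all three in the physical id so that Delete can run from the id alone.

```python
"""Lambda handler for a hypothetical Custom::VPCAssociationAuthorization
resource (constructed example). Assumed properties: HostedZoneId, VPCId,
VPCRegion. The physical id encodes all three so Delete works from the id."""
import json
import urllib.request

SEP = "|"


def physical_id(props):
    return SEP.join((props["HostedZoneId"], props["VPCRegion"], props["VPCId"]))


def apply(event, r53):
    """Core Create/Update/Delete logic, kept free of HTTP so it can be tested offline."""
    if event["RequestType"] in ("Create", "Update"):
        p = event["ResourceProperties"]
        r53.create_vpc_association_authorization(
            HostedZoneId=p["HostedZoneId"],
            VPC={"VPCRegion": p["VPCRegion"], "VPCId": p["VPCId"]})
        # A new id on Update makes CloudFormation send a Delete for the old one.
        return physical_id(p)
    parts = event["PhysicalResourceId"].split(SEP)
    if len(parts) != 3:  # placeholder id from a failed Create: nothing to remove
        return event["PhysicalResourceId"]
    zone, region, vpc = parts
    try:  # removes only the permission; an association already made stays in place
        r53.delete_vpc_association_authorization(
            HostedZoneId=zone, VPC={"VPCRegion": region, "VPCId": vpc})
    except r53.exceptions.VPCAssociationAuthorizationNotFound:
        pass  # already gone; Delete must be idempotent or stack deletion hangs
    return event["PhysicalResourceId"]


def send_response(event, status, phys_id, reason=""):
    body = json.dumps({"Status": status, "Reason": reason, "PhysicalResourceId": phys_id,
                       "StackId": event["StackId"], "RequestId": event["RequestId"],
                       "LogicalResourceId": event["LogicalResourceId"], "Data": {}})
    req = urllib.request.Request(event["ResponseURL"], data=body.encode(), method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req).read()


def handler(event, context):
    import boto3  # assumption: present in the Lambda runtime
    try:
        send_response(event, "SUCCESS", apply(event, boto3.client("route53")))
    except Exception as exc:  # always answer, or CloudFormation waits up to an hour
        send_response(event, "FAILED", event.get("PhysicalResourceId", "failed"), str(exc))
```

Deleting the stack withdraws the authorization but leaves any association already created by account 1 intact, which matches the API behaviour.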

exidy commented 3 years ago

Note that until mid-Feb 2021 sharing subnets to a member account using RAM implicitly allowed creation of a PHZ against the associated VPC. This is no longer the case, so having a fully-supported method of creating VPCAssociationAuthorizations has become more critical.

McDoit commented 3 years ago

> Note that until mid-Feb 2021 sharing subnets to a member account using RAM implicitly allowed creation of a PHZ against the associated VPC. This is no longer the case, so having a fully-supported method of creating VPCAssociationAuthorizations has become more critical.

So that's why I was having troubles with that use case now, and a lack of information about the subject!

evanerwee commented 3 years ago

Is this feature on some Radar ?

abjoerne commented 2 years ago

Any progress on this case?

> Note that until mid-Feb 2021 sharing subnets to a member account using RAM implicitly allowed creation of a PHZ against the associated VPC. This is no longer the case, so having a fully-supported method of creating VPCAssociationAuthorizations has become more critical.

This also affected us and broke a lot of pipelines.

wbattou commented 2 years ago

Any news ? I would really like to see this feature implemented.

henning-krause commented 2 years ago

I see that this was moved to "Coming soon". Will the related issue #372 also be implemented? It seems to me that that would be more flexible, because it would allow users to create associations across CloudFormation Stacks. It would also help in situations where the HostedZone is created implicitly (e.g. AWS::ServiceDiscovery::PrivateDnsNamespace).

rene84 commented 1 year ago

This resource provider is implemented here by the community. We're looking to move it to the official community here

cbm-tlasalle commented 1 year ago

+1, very interested

shendriksen commented 1 year ago

+1

Zirkonium88 commented 8 months ago

+1

oliott commented 7 months ago

This would be a really nice addition for organizations that are working with private DNS. Instead of having to deploy and maintain their own Custom Resource provider for the entire organization.

Talked to an AWS TAM about this issue, who reached out to the responsible team, and this is not an issue that is being worked on.

I am unsure why this has been moved to coming soon, but it is not coming soon according to that at least. So it might be because of this: rene84's comment

Also it looks like the resource provider that rene84 mentioned above has not been moved into the public community registry either.

Since the responsible team is not working on this and the rene84 extension has not seen any development in the last year, I suggest this should be moved to researching.

adminy commented 2 months ago

> I see that this was moved to "Coming soon". Will the related issue #372 also be implemented? It seems to me that that would be more flexible, because it would allow users to create associations across CloudFormation Stacks. It would also help in situations where the HostedZone is created implicitly (e.g. AWS::ServiceDiscovery::PrivateDnsNamespace).

Yeah, it would be nice indeed. It's been a long time without any update on this.