hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_route53_vpc_association_authorization - is this working as intended? #18176

Closed kennyche closed 9 months ago

kennyche commented 3 years ago

Terraform version: terraform_0.13.0 terraform_0.12.1

Issue: Following the documentation example works fine. However, I think this moves away from the actual real-world example of a cross-account VPC that has not been created by the Terraform plan initiating the authorization. If you try and associate a VPC created outside the authorizing account, I still get a 401 saying that the authorizing account does not have rights to associate the VPC from the other AWS account to the authorizing account's private zone, even though the authorization resource has been created.


aws_route53_vpc_association_authorization.primary: Creating...
aws_route53_vpc_association_authorization.primary: Creation complete after 2s [id=ZXYZREDACTED:vpc-001THATACCOUNT]
aws_route53_zone_association.primary: Creating...
Error: error associating Route 53 Hosted Zone (ZXYZREDACTED) to EC2 VPC (vpc-001THATACCOUNT): NotAuthorizedException: User: arn:aws:iam::THISACCOUNT is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:ec2:eu-west-2:THISACCOUNT:vpc/vpc-001THATACCOUNT
        status code: 401, request id: xxx


I'm guessing the issue is here... arn:aws:ec2:eu-west-2:THISACCOUNT:vpc/vpc-001THATACCOUNT

The only difference from the example in the documentation is that the second account's VPC is not created in the same tf plan.

provider "aws" {
}

# Alias only: this block sets no credentials or region of its own, so it
# authenticates as the same account as the default provider above.
provider "aws" {
  alias = "alternate"
}

resource "aws_vpc" "example" {
  cidr_block           = "10.6.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
}

resource "aws_route53_zone" "example" {
  name = "example.com"

  vpc {
    vpc_id = aws_vpc.example.id
  }
}

# The authorization is issued by the zone-owning account for a VPC id read
# from the other account's remote state.
resource "aws_route53_vpc_association_authorization" "example" {
  vpc_id  = data.terraform_remote_state.THATACCOUNT.outputs.vpc_id
  zone_id = aws_route53_zone.example.id
}

# The association is meant to run as the VPC-owning account. The unquoted
# provider reference is the Terraform 0.13 syntax; the quoted form is
# deprecated.
resource "aws_route53_zone_association" "example" {
  provider = aws.alternate

  vpc_id  = aws_route53_vpc_association_authorization.example.vpc_id
  zone_id = aws_route53_vpc_association_authorization.example.zone_id
}
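The error output above shows THISACCOUNT (the zone owner) calling route53:AssociateVPCWithHostedZone, which only the VPC-owning account is allowed to do. As an added example (not the issue author's configuration and not the provider's own documentation), the following shows the same two-step flow with an alternate provider that actually assumes a role in the VPC-owning account, plus a precondition that fails the plan if both providers resolve to the same account. The role ARN, the remote_vpc_id variable and the region are placeholders or assumptions; the precondition block requires Terraform 1.2 or later.

```hcl
# Default provider: the account that owns the private hosted zone
# ("THISACCOUNT" in the issue's error output). Region is an assumption.
provider "aws" {
  region = "eu-west-2"
}

# Alternate provider: must authenticate as the account that owns the VPC
# ("THATACCOUNT"). An alias with no credentials of its own would still call
# the API as the default account. The role ARN is a placeholder.
provider "aws" {
  alias  = "vpc_owner"
  region = "eu-west-2"

  assume_role {
    role_arn = "arn:aws:iam::<VPC-OWNER-ACCOUNT-ID>:role/<ROLE-ALLOWED-TO-ASSOCIATE-VPC>"
  }
}

# Id of the VPC that lives in the VPC-owning account (hypothetical input;
# in the issue this comes from terraform_remote_state).
variable "remote_vpc_id" {
  type = string
}

# Resolve which account each provider really authenticates as.
data "aws_caller_identity" "zone_owner" {}

data "aws_caller_identity" "vpc_owner" {
  provider = aws.vpc_owner
}

# VPC and private zone in the zone-owning account, as in the issue.
resource "aws_vpc" "example" {
  cidr_block           = "10.6.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
}

resource "aws_route53_zone" "example" {
  name = "example.com"

  vpc {
    vpc_id = aws_vpc.example.id
  }
}

# Step 1, run as the zone owner: authorize the foreign VPC.
resource "aws_route53_vpc_association_authorization" "example" {
  vpc_id  = var.remote_vpc_id
  zone_id = aws_route53_zone.example.id
}

# Step 2, run as the VPC owner: perform the association. The precondition
# catches the misconfiguration seen in the issue (both providers resolving to
# the same account) at plan time instead of as a 401 at apply time.
resource "aws_route53_zone_association" "example" {
  provider = aws.vpc_owner

  vpc_id  = aws_route53_vpc_association_authorization.example.vpc_id
  zone_id = aws_route53_vpc_association_authorization.example.zone_id

  lifecycle {
    precondition {
      condition     = data.aws_caller_identity.vpc_owner.account_id != data.aws_caller_identity.zone_owner.account_id
      error_message = "aws.vpc_owner resolves to the same account as the default provider; the association must be made by the VPC-owning account."
    }
  }
}

output "accounts_in_use" {
  value = {
    zone_owner = data.aws_caller_identity.zone_owner.account_id
    vpc_owner  = data.aws_caller_identity.vpc_owner.account_id
  }
}
```

The role assumed by aws.vpc_owner only needs route53:AssociateVPCWithHostedZone (and ec2:DescribeVpcs for the provider's read-back); the authorization itself is created with the zone owner's credentials, so neither side needs broad permissions in the other account.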

lindu-dd commented 3 years ago

Any update on this? I'm encountering the same issue.

github-actions[bot] commented 10 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 8 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.