hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Resource for DNS ownership verification for VPC endpoint services #18278

Open codemug opened 3 years ago

codemug commented 3 years ago

Community Note

Description

Please add a resource for the private DNS ownership verification for VPC endpoint services to manually initiate the domain validation like aws_acm_certificate_validation.

New or Affected Resource(s)

New Resource: aws_vpc_endpoint_service_domain_verification

Potential Terraform Configuration

resource "aws_vpc_endpoint_service" "service" {
    acceptance_required = true
}

resource "aws_vpc_endpoint_service_domain_verification" "verify" {
    service_id = aws_vpc_endpoint_service.service.id
}

References

github-actions[bot] commented 1 year ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

vahram-casechek commented 1 year ago

You could verify your vpc endpoint service domain by creating the route53 dns record like this

resource "aws_vpc_endpoint_service" "service_nlb_endpoint" {
  acceptance_required        = false
  network_load_balancer_arns = [
    aws_lb.service_nlb.arn
  ]
  allowed_principals = var.allowed_principal_arns
  private_dns_name   = "<THE DNS NAME>"
  tags               = {
    Name = var.nlb_name
  }
}

resource "aws_route53_record" "service_endpoint_private_dns_verification" {
  zone_id = var.hosted_zone_id
  name    = "<THE DNS NAME>"
  type    = "TXT"
  ttl     = 1800
  records = [
    aws_vpc_endpoint_service.service_nlb_endpoint.private_dns_name_configuration[0].value
  ]
}

if you need to wait for verification then you could use something like

# Wait 120 seconds after the Route 53 TXT record is created before creating
# the VPC endpoint; depends_on must reference the record defined above.
resource "time_sleep" "wait_for_vpc_endpoint_private_dns_verified" {
  depends_on      = [aws_route53_record.service_endpoint_private_dns_verification]
  create_duration = "120s"
}

ahussey-redhat commented 10 months ago

Thanks @vahram-casechek - that is the closest thing I could come to automating the DNS verification. Although the sleep just waits for the DNS record to be created, not for the verification.

It would be dependent on the state becoming verified https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_service#state
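As an added example (not from this thread or the provider), the wait on the verified state can be done with the EC2 API directly: start the check with StartVpcEndpointServicePrivateDnsVerification once the TXT record exists, then poll DescribeVpcEndpointServiceConfigurations until PrivateDnsNameConfiguration.State is verified, which a local-exec provisioner could run in place of the fixed time_sleep. It assumes the boto3 method names for those two calls and the pendingVerification/verified/failed state values; the sample response below is constructed.

```python
import time

# Constructed sample of a DescribeVpcEndpointServiceConfigurations response,
# trimmed to the field the wait loop inspects (not real account data).
SAMPLE_RESPONSE = {
    "ServiceConfigurations": [{
        "ServiceId": "vpce-svc-0123456789abcdef0",
        "PrivateDnsNameConfiguration": {
            "State": "pendingVerification",
            "Name": "_exampletxtname",
            "Value": "vpce:EXAMPLEVALUE",
        },
    }]
}


def private_dns_state(describe_response):
    """Return PrivateDnsNameConfiguration.State for the first service in a
    DescribeVpcEndpointServiceConfigurations response, or None if absent."""
    configs = describe_response.get("ServiceConfigurations") or []
    if not configs:
        return None
    return configs[0].get("PrivateDnsNameConfiguration", {}).get("State")


def wait_for_verification(fetch_state, max_attempts=40, interval_s=15, sleep=time.sleep):
    """Poll fetch_state() until it returns 'verified'. Returns True on
    success, False if AWS reports 'failed' or max_attempts is exhausted.
    Unlike a fixed time_sleep, this waits on the actual verification state."""
    for attempt in range(1, max_attempts + 1):
        state = fetch_state()
        if state == "verified":
            return True
        if state == "failed":
            return False
        if attempt < max_attempts:
            sleep(interval_s)
    return False


if __name__ == "__main__":  # usage: python verify_dns.py vpce-svc-...
    import sys
    import boto3  # assumed: AWS credentials and the EC2 API are reachable
    ec2 = boto3.client("ec2")
    service_id = sys.argv[1]
    ec2.start_vpc_endpoint_service_private_dns_verification(ServiceId=service_id)
    ok = wait_for_verification(lambda: private_dns_state(
        ec2.describe_vpc_endpoint_service_configurations(ServiceIds=[service_id])))
    sys.exit(0 if ok else 1)
```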