hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Private aws_route53_zone and aws_route53_zone_association #20080

Closed eirc closed 3 months ago

eirc commented 3 years ago

Hello, I'm not sure whether this is an issue with the provider or with base TF, but I'll start here. The issue has to do with how we can create a private Route53 zone and associate it with multiple VPCs through association resources.

The aws_route53_zone resource will create a public zone if no vpc block is provided and a private zone if one is. The vpc block however is in conflict with aws_route53_zone_association resources since they would produce perpetual diffs (as noted in the docs for all such cases with inline blocks vs separate resources).

So the only way I can manage to use aws_route53_zone_associations is to first create the zone with a vpc block for one of my networks, then remove it and add a lifecycle { ignore_changes = [vpc] } rule, add the aws_route53_zone_associations, and import the one I already had connected through the vpc block.

If this is the only way to make use of them maybe it should be at least mentioned in the documentation.

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.7
+ provider registry.terraform.io/hashicorp/archive v2.0.0
+ provider registry.terraform.io/hashicorp/aws v3.12.0


gdavison commented 3 years ago

Hi @eirc. Does the pattern in the documentation at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association not work? The initial VPC is added using the vpc block, and the remaining VPCs are associated using aws_route53_zone_association.

eirc commented 3 years ago

Hello @gdavison. As mentioned in the doc, "At this time, you cannot use those in-line VPC associations in conjunction with this resource and the same zone ID otherwise it will cause a perpetual difference in plan output." So the documentation pattern includes an ignore rule to get around that perpetual diff. As soon as it does, though, the first VPC that was associated through the block is now unmanaged by terraform (since it's ignored); if I go and manually delete it, terraform won't even notice. So I got around that by adding an association resource for that VPC too and importing it there.

gdavison commented 3 years ago

Ah, I get it. That's a good point.

mkozal commented 3 years ago

This could be exactly the same pattern we are following with security group rules or IAM in-line, in-resource or sourced policies. I get that terraform strives to make things easier for us, but in this scenario we're explicitly denied the possibility to state that we want a private zone without an in-line VPC, and private hosted zones provide most of their value in cross-account (multi-provider) setups, where the workaround suggested by @eirc isn't so feasible.

Mind you, contrary to SGs, there's an API limitation on creation of a private hosted zone that doesn't contain any VPCs, but that could be "merged" under the hood, as is probably handled in other places anyway.

Or let's try having AWS allow non-VPC-associated PHZs if that's the "cleaner" way.

dacut commented 2 years ago

The resource needs to provide a private_zone = <bool> element to explicitly set the HostedZoneConfig.PrivateZone setting in the CreateHostedZone API. Changing this requires replacing the resource.

dacut commented 2 years ago

Alas, this is not possible. Adding a private_zone parameter and setting it without setting a VPC Id results in: "InvalidInput: When you're creating a private hosted zone (when you specify true for PrivateZone), you must also specify values for VPCId and VPCRegion."

This is a limitation in the AWS API.

onitake commented 2 years ago

Adding additional vpc {} blocks to the aws_route53_zone may be an alternative, but this doesn't work if the aws_route53_zone_association needs a different provider. The vpc {} block doesn't have a provider parameter.

dacut commented 2 years ago

@onitake I think the only way you'll be able to do this is via the lifecycle { ignore_changes = [vpc] } workaround. Until AWS fixes the issue in the way Private Hosted Zones work, I don't see a good way for Terraform to fix this, sadly.

Under the hood, it looks like there's no boolean for identifying whether a zone is public or private. A zone is private if it has a VPC attached, and Route 53 refuses to let you convert between the two. You have to attach-upon-create, and can never detach the last VPC from a private hosted zone.
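The workaround described by @eirc, extended to the cross-account case raised by @onitake, as an added configuration example (not from the issue or the provider's docs). VPC ids, the zone name and the `peer` provider alias are constructed placeholders; the cross-account leg uses aws_route53_vpc_association_authorization, which the thread does not mention, so that the peer account can complete the association itself.

```hcl
# Placeholder ids: vpc-0aaa... (first VPC, same account), vpc-0bbb... (second
# VPC, same account), vpc-0ccc... (VPC in the account behind provider alias "peer").
provider "aws" {
  region = "eu-west-1"
}

provider "aws" {
  alias  = "peer"
  region = "eu-west-1"
  # credentials for the account that owns vpc-0ccc... (assumed)
}

resource "aws_route53_zone" "private" {
  name = "corp.example.internal"

  # The API refuses to create a private zone with no VPC, so one vpc block is
  # required at create time. It is then ignored so that the association
  # resources below own every association without a perpetual diff.
  vpc {
    vpc_id = "vpc-0aaaaaaaaaaaaaaaa"
  }

  lifecycle {
    ignore_changes = [vpc]
  }
}

# The association created by the vpc block is otherwise unmanaged (a manual
# deletion would go unnoticed). Bring it under this resource after apply with:
#   terraform import aws_route53_zone_association.first <zone-id>:vpc-0aaaaaaaaaaaaaaaa
resource "aws_route53_zone_association" "first" {
  zone_id = aws_route53_zone.private.zone_id
  vpc_id  = "vpc-0aaaaaaaaaaaaaaaa"
}

resource "aws_route53_zone_association" "second" {
  zone_id = aws_route53_zone.private.zone_id
  vpc_id  = "vpc-0bbbbbbbbbbbbbbbb"
}

# Cross-account: the zone owner authorizes the peer VPC, then the peer account
# completes the association (the vpc {} block has no provider argument).
resource "aws_route53_vpc_association_authorization" "peer" {
  zone_id = aws_route53_zone.private.zone_id
  vpc_id  = "vpc-0cccccccccccccccc"
}

resource "aws_route53_zone_association" "peer" {
  provider = aws.peer
  zone_id  = aws_route53_vpc_association_authorization.peer.zone_id
  vpc_id   = aws_route53_vpc_association_authorization.peer.vpc_id
}
```

After the import, `terraform plan` should show no changes, and a manually removed association shows up as a planned re-creation instead of silently disappearing.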

github-actions[bot] commented 4 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 2 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.