hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.8k stars, 9.15k forks

[Bug]: importing `aws_route53_zone_association` with VPC from a different account yields error #36516

Closed rwlodarczyk-xealth closed 1 month ago

rwlodarczyk-xealth commented 7 months ago

Terraform Core Version

1.5.7

AWS Provider Version

5.41.0

Affected Resource(s)

When trying to import an existing VPC association using:

import {
  to = aws_route53_zone_association.vpc_association["some_vpc"]
  id = "ZEXAMPLEZONE:vpc-0123456789abcdef0"
}

The following error is given:

│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to
│ "aws_route53_zone_association.vpc_association[\"some_vpc\"]", the
│ provider detected that no object exists with the given id. Only
│ pre-existing objects can be imported; check that the id is correct and that
│ it is associated with the provider's configured region or endpoint, or use
│ "terraform apply" to create a new remote object for this resource.

Expected Behavior

This should import without issue.

Actual Behavior

The following error is given:

│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to
│ "aws_route53_zone_association.vpc_association[\"some_vpc\"]", the
│ provider detected that no object exists with the given id. Only
│ pre-existing objects can be imported; check that the id is correct and that
│ it is associated with the provider's configured region or endpoint, or use
│ "terraform apply" to create a new remote object for this resource.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

locals {
  vpcs = {
    some_vpc = "vpc-0123456789abcdef0"
  }
}

import {
  to = aws_route53_zone_association.vpc_association["some_vpc"]
  id = "ZEXAMPLEZONE:vpc-0123456789abcdef0"
}

# Using data since the zone was created manually through the AWS Console.
data "aws_route53_zone" "myzone" {
  name         = "foo.bar.com"
  private_zone = true
}

resource "aws_route53_zone_association" "vpc_association" {
  for_each = local.vpcs
  vpc_id   = each.value
  zone_id  = data.aws_route53_zone.myzone.zone_id
}

Steps to Reproduce

  1. Manually create a hosted zone
  2. Manually associate a VPC from a different account
  3. Try importing the VPC association with the above.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

rwlodarczyk-xealth commented 7 months ago

Additionally, running aws route53 get-hosted-zone --id ZEXAMPLEZONE shows that the VPC(s) from the other account are, in fact, associated with this zone. The ID displayed there is no different from the one used in the Terraform import statement. Output:

{
    "HostedZone": {
        "Id": "/hostedzone/ZEXAMPLEZONE",
        "Name": "foo.bar.com.",
        "CallerReference": "<guid>",
        "Config": {
            "Comment": "Internal hosts",
            "PrivateZone": true
        },
        "ResourceRecordSetCount": 118
    },
    "VPCs": [
        {
            "VPCRegion": "us-west-2",
            "VPCId": "vpc-0123456789abcdef0"
        },
        ...
    ]
}

I also tried a "naked" ID (e.g. vpc-0123456789abcdef0) and a "fully-qualified" ID (e.g. ZEXAMPLEZONE:vpc-0123456789abcdef0:us-west-2), but these don't work either, with the former giving a format error as expected.

acwwat commented 7 months ago

I could be wrong, but based on the example usage provided in the aws_route53_vpc_association_authorization resource doc, it seems that the aws_route53_zone_association object is supposed to be associated with the account which owns the VPC. I created a little diagram to illustrate it - account A owns the hosted zone and account B owns the VPC to be associated with the hosted zone.

[diagram: account A owns the hosted zone; account B owns the VPC being associated]

Based on this, I suspect that the import should be associated with a provider for the account that owns the VPC.

rwlodarczyk-xealth commented 7 months ago

Thanks @acwwat for the references. Indeed, that's how those associations were created in the first place. However, since these are import blocks, I would expect that the authorization step is not required since the association already exists. Neither the AWS CLI nor the Console provides any details as to what the foreign VPC's account ID is.

acwwat commented 7 months ago

Yes, the authorization is just for illustration only (if you were to create everything in Terraform) and that probably doesn't need to be imported if already handled outside Terraform. What's more important is that the zone association should be imported in the context of account B, not account A. So you might need to supply a provider argument for account B to the import block, and have a separate aws_route53_zone_association resource for the association that belongs to account B.
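The layout acwwat describes, written out as an added example (not code from the issue, the provider docs, or the reporter): account A owns the private hosted zone and is addressed through an aliased provider, account B owns the VPC and is addressed through a second aliased provider, and both the aws_route53_zone_association resource and its import block are pinned to the account B provider. The provider aliases, the assume_role ARN, the account ID, and the decision to keep the zone lookup as a data source are assumptions; the zone ID, VPC ID and region are the placeholders used in the issue. The thread closed without the reporter confirming that this resolves the import error, so treat it as the configuration to test, not a confirmed fix.

```hcl
# Added example, not from the issue or the provider documentation.
# Account aliases, role ARN and account ID are assumptions.

# Account A: owns the private hosted zone foo.bar.com.
provider "aws" {
  alias  = "zone_owner"
  region = "us-west-2"
}

# Account B: owns vpc-0123456789abcdef0. Assumed role ARN for illustration.
provider "aws" {
  alias  = "vpc_owner"
  region = "us-west-2"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/terraform" # assumed
  }
}

locals {
  vpcs = {
    some_vpc = "vpc-0123456789abcdef0"
  }
}

# The zone was created by hand, so it is looked up in account A rather than managed.
data "aws_route53_zone" "myzone" {
  provider     = aws.zone_owner
  name         = "foo.bar.com"
  private_zone = true
}

# Authorization is issued by the zone-owning account (A). It is only needed
# when Terraform will create the association itself; an association that
# already exists can be imported without importing the authorization.
resource "aws_route53_vpc_association_authorization" "vpc_association" {
  provider = aws.zone_owner
  for_each = local.vpcs
  zone_id  = data.aws_route53_zone.myzone.zone_id
  vpc_id   = each.value
}

# The association is created and read from the VPC-owning account (B),
# which is why the resource and its import block use aws.vpc_owner.
resource "aws_route53_zone_association" "vpc_association" {
  provider   = aws.vpc_owner
  for_each   = local.vpcs
  zone_id    = data.aws_route53_zone.myzone.zone_id
  vpc_id     = each.value
  vpc_region = "us-west-2"

  depends_on = [aws_route53_vpc_association_authorization.vpc_association]
}

# Import block pinned to account B. The id is ZONEID:VPCID, with an optional
# :VPCREGION suffix when the VPC region differs from the provider region.
import {
  provider = aws.vpc_owner
  to       = aws_route53_zone_association.vpc_association["some_vpc"]
  id       = "ZEXAMPLEZONE:vpc-0123456789abcdef0:us-west-2"
}
```

Before running the import, it is worth confirming from account B's credentials that the association is visible from that side, since that is the context the provider will read it in: aws route53 list-hosted-zones-by-vpc --vpc-id vpc-0123456789abcdef0 --vpc-region us-west-2 lists the private zones associated with the VPC regardless of which account owns the zone (the caller needs route53:ListHostedZonesByVPC and ec2:DescribeVpcs). If the zone does not appear there, the import will fail for a reason unrelated to the provider argument.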

rwlodarczyk-xealth commented 7 months ago

@acwwat Great, thank you for the guidance. I'm going to mess around more with this and report back findings. I've already pulled the resources into different groups for organizational sanity purposes prior to filing this issue. Trying to correct the sins of pre-Terraform adoption, I figured it'd be good to do. This will be our first stack with multiple provider definitions going across different accounts, so I need to figure that out.

justinretzolk commented 2 months ago

Hey @rwlodarczyk-xealth 👋 Were you able to test those changes to validate if it resolved the issue, or should this issue be kept open for further review?

justinretzolk commented 1 month ago

Since we haven't heard back, I'm going to close this issue. If you're still having trouble, please feel free to open a new issue, referencing this one for context as needed.

github-actions[bot] commented 1 month ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

github-actions[bot] commented 1 week ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.