org-formation / aws-resource-providers

A community driven repository where you can find AWS Resource Type Providers for different purposes (including org-formation ones).
MIT License

Adds Route53 VPC Association Resources #86

Closed mbarneyjr closed 3 years ago

mbarneyjr commented 3 years ago

Adds two new resource providers, Community::Route53::VPCAssociationAuthorization and Community::Route53::VPCAssociation, to help associate Route53 private hosted zones with VPCs across accounts within CloudFormation.

There is one issue with the current implementation that I'm not sure how you'd work around. When calling the `route53.associateVpcWithHostedZone` API, a Route53 "change" is returned. It seems the association process is asynchronous, and you have to poll with the `route53.getChange` API until the returned Status is INSYNC. Unfortunately, if you're doing this across accounts, the `getChange` API must be called in the account with the private hosted zone, whereas the `associateVpcWithHostedZone` API must be called in the account with the VPC, and without hacking in a cross-account role I don't think we can do that, so at this point in time the VPCAssociation resource is asynchronous. I haven't dug into the actual ramifications of this resource provider being asynchronous, but no IaC dependency on this resource comes to mind, and the eventual consistency works in my testing with a VPC associating with a few cross-account hosted zones.

This was my first time working with custom resource providers, let me know if anything is off, thanks!
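The cross-account flow the PR description walks through (authorise in the hosted-zone account, associate in the VPC account, then poll the change in the hosted-zone account), written out as an added example. This is not code from the PR or from the org-formation project. It assumes `zone_client` and `vpc_client` are boto3 `route53` clients created from credentials in the hosted-zone account and the VPC account respectively; the `FakeRoute53*` classes and the account and resource ids are constructed for offline use and model only the account boundary, not the real service. Using two clients makes the PR's limitation concrete: `get_change` on the id returned to the VPC account only works with hosted-zone-account credentials, so a provider that runs solely in the VPC account has to return before the change is INSYNC.

```python
"""Cross-account Route 53 private hosted zone association (added example)."""
import time
from typing import Dict, Tuple

INSYNC, PENDING = "INSYNC", "PENDING"


def wait_for_insync(zone_client, change_id: str, max_polls: int = 60,
                    interval: float = 5.0) -> str:
    """Poll GetChange with hosted-zone-account credentials until INSYNC.

    The change id from AssociateVPCWithHostedZone is not visible to the VPC
    account, which is why this takes the zone account's client.
    """
    status = PENDING
    for _ in range(max_polls):
        status = zone_client.get_change(Id=change_id)["ChangeInfo"]["Status"]
        if status == INSYNC:
            return status
        if interval:
            time.sleep(interval)
    raise TimeoutError(f"change {change_id} still {status} after {max_polls} polls")


def associate_private_zone(zone_client, vpc_client, hosted_zone_id: str,
                           vpc_region: str, vpc_id: str, wait: bool = True,
                           interval: float = 5.0) -> Tuple[str, str]:
    """Run the full flow and return (change_id, final status).

    wait=False returns right after the association call with status PENDING,
    i.e. the asynchronous behaviour the PR describes for a single-account provider.
    """
    vpc = {"VPCRegion": vpc_region, "VPCId": vpc_id}
    # 1. Zone owner authorises exactly this VPC (scoped to one zone + one VPC).
    zone_client.create_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
    # 2. VPC owner performs the association; Route 53 hands back a change record.
    resp = vpc_client.associate_vpc_with_hosted_zone(
        HostedZoneId=hosted_zone_id, VPC=vpc, Comment=f"associate {vpc_id}")
    change_id, status = resp["ChangeInfo"]["Id"], resp["ChangeInfo"]["Status"]
    if wait:
        # 3. Only the zone owner can poll the change to completion ...
        status = wait_for_insync(zone_client, change_id, interval=interval)
        # 4. ... and should then revoke the one-shot authorisation so it cannot be reused.
        zone_client.delete_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
    return change_id, status


class FakeRoute53Service:
    """Constructed in-memory state shared by the fake clients of both accounts."""

    def __init__(self, zone_owner: str, vpc_owners: Dict[str, str], polls_until_insync: int = 2):
        self.zone_owner = zone_owner            # account that owns every hosted zone here
        self.vpc_owners = vpc_owners            # vpc id -> owning account
        self.polls_until_insync = polls_until_insync
        self.authorizations, self.associations = set(), set()
        self.changes: Dict[str, int] = {}       # change id -> GetChange calls so far
        self.next_change = 1


class FakeRoute53Client:
    """Constructed stand-in for a boto3 route53 client bound to one account."""

    def __init__(self, service: FakeRoute53Service, account_id: str):
        self.svc, self.account_id = service, account_id

    def create_vpc_association_authorization(self, HostedZoneId, VPC):
        if self.account_id != self.svc.zone_owner:
            raise PermissionError("NoSuchHostedZone: caller does not own the zone")
        self.svc.authorizations.add((HostedZoneId, VPC["VPCId"]))
        return {"HostedZoneId": HostedZoneId, "VPC": VPC}

    def associate_vpc_with_hosted_zone(self, HostedZoneId, VPC, Comment=""):
        if self.svc.vpc_owners.get(VPC["VPCId"]) != self.account_id:
            raise PermissionError("InvalidVPCId: caller does not own the VPC")
        cross_account = self.account_id != self.svc.zone_owner
        if cross_account and (HostedZoneId, VPC["VPCId"]) not in self.svc.authorizations:
            raise PermissionError("NotAuthorizedException: no association authorization")
        change_id = f"/change/C{self.svc.next_change:06d}"
        self.svc.next_change += 1
        self.svc.changes[change_id] = 0
        self.svc.associations.add((HostedZoneId, VPC["VPCId"]))
        return {"ChangeInfo": {"Id": change_id, "Status": PENDING}}

    def get_change(self, Id):
        # The change belongs to the hosted zone, so only its owner can read it.
        if self.account_id != self.svc.zone_owner or Id not in self.svc.changes:
            raise LookupError("NoSuchChange")
        self.svc.changes[Id] += 1
        done = self.svc.changes[Id] >= self.svc.polls_until_insync
        return {"ChangeInfo": {"Id": Id, "Status": INSYNC if done else PENDING}}

    def delete_vpc_association_authorization(self, HostedZoneId, VPC):
        self.svc.authorizations.discard((HostedZoneId, VPC["VPCId"]))
        return {}


def demo(wait: bool = True, polls_until_insync: int = 3):
    """Constructed scenario: zone in account 1111..., VPC in account 2222...."""
    svc = FakeRoute53Service("111111111111", {"vpc-0abc": "222222222222"}, polls_until_insync)
    zone, vpc = FakeRoute53Client(svc, "111111111111"), FakeRoute53Client(svc, "222222222222")
    change_id, status = associate_private_zone(
        zone, vpc, "Z0123456789", "us-east-1", "vpc-0abc", wait=wait, interval=0)
    return svc, change_id, status
```

With real clients the call is the same shape: `associate_private_zone(boto3.Session(profile_name="zone-account").client("route53"), boto3.Session(profile_name="vpc-account").client("route53"), ...)`. The `wait=False` path is what a provider that only holds VPC-account credentials can do; the authorisation is then left in place, so clean it up from the zone account once the association shows up in `list_hosted_zones_by_vpc`.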