terraform-aws-modules / terraform-aws-apigateway-v2

Terraform module to create AWS API Gateway v2 (HTTP/WebSocket) 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/apigateway-v2/aws
Apache License 2.0

Route53 Zone in another AWS account #106

Closed aaron-ballard-530 closed 3 weeks ago

aaron-ballard-530 commented 3 weeks ago

Description

When using a custom domain, if the hosted zone is managed by another account, the data resource looking up that zone returns `Error: no matching Route 53 Hosted Zone found`.

Versions

Steps to reproduce the behavior:

Reference a Route 53 zone that is not owned by the AWS account you are trying to apply the module to

Expected behavior

Be able to assign a custom domain and certificate to the API without the account needing to host the Route 53 zone

Actual behavior

Throws an error on line 134 of main.tf

Terminal Output Screenshot(s)

```
│   on .terraform/modules/github_codepipeline_trigger/main.tf line 134, in data "aws_route53_zone" "this":
│  134: data "aws_route53_zone" "this" {
```

Additional context

bryantbiggs commented 3 weeks ago

On mobile so I'll have to look further tomorrow - but you won't be able to let this module create the R53 records or certificate, you'll need to supply those yourself

aaron-ballard-530 commented 3 weeks ago

Correct, I don't need the module to create the record, just assign the custom domain and ACM certificate to the API.

bryantbiggs commented 3 weeks ago

do you have a reproduction? are you setting:

```hcl
  ...
  create_domain_records = false
  create_certificate    = false
  ...
```
aaron-ballard-530 commented 3 weeks ago

I was only setting create_domain_records = false since that is acting as a master switch.

I'll try and get you a reproduction today as I had to revert to 4.0.

aaron-ballard-530 commented 3 weeks ago

Running this on existing resources created by the 4.0.0 module, the following will remove the custom domain and certificate.

```hcl
module "codepipeline_trigger" {
  source  = "terraform-aws-modules/apigateway-v2/aws"
  version = "5.0.0"

  name          = "codepipeline-trigger"
  description   = "Trigger the lambda"
  protocol_type = "HTTP"

  cors_configuration = {
    allow_headers = ["content-type", "x-amz-date", "authorization", "x-api-key", "x-amz-security-token", "x-amz-user-agent", "x-hub-signature"]
    allow_methods = ["*"]
    allow_origins = ["*"]
  }

  # Custom domain
  domain_name                  = "example.com"
  subdomains                   = ["github"]
  domain_name_certificate_arn  = aws_acm_certificate.this[local.default_external_domain].arn
  create_domain_name           = false
  disable_execute_api_endpoint = false

  # Access logs
  stage_access_log_settings = {
    destination_arn = aws_cloudwatch_log_group.lambda_codepipeline_trigger.arn
    format          = "$context.identity.sourceIp - - [$context.requestTime] \"$context.httpMethod $context.routeKey $context.protocol\" $context.status $context.responseLength $context.requestId $context.integrationErrorMessage"
  }

  create_stage = true # to control creation of "$default" stage

  # Routes and integrations
  routes = {
    "ANY /" = {
      integration = {
        uri                    = module.lambda_codepipeline_trigger.lambda_function_arn
        payload_format_version = "2.0"
        timeout_milliseconds   = 12000
      }
    }

    "$default" = {
      integration = {
        uri = module.lambda_codepipeline_trigger.lambda_function_arn
      }
    }
  }
}
```

By setting the property `create_domain_name = true` I get the error

```
Error: no matching Route 53 Hosted Zone found
```

because the zone is owned by another AWS account.

bryantbiggs commented 3 weeks ago

what is name for your route53 hosted zone - is it example.com or github.example.com?

you shouldn't use the subdomains variable unless you are creating alias records with the module, so I believe your scenario would simply be:

```hcl
module "codepipeline_trigger" {
  source  = "terraform-aws-modules/apigateway-v2/aws"
  version = "5.0.0"

  # Custom domain
  domain_name                 = "github.example.com"
  domain_name_certificate_arn = aws_acm_certificate.this[local.default_external_domain].arn
  create_domain_records       = false
  ...
```
aaron-ballard-530 commented 3 weeks ago

Ah I missed the existence of that variable as well as the certificate and log group. I was able to get it working correctly by setting

```hcl
create_certificate    = false
create_domain_records = false

stage_access_log_settings = {
  create_log_group = false
```
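Putting the two settings above (and the earlier suggestion to pass the full `github.example.com` as `domain_name` with no `subdomains`) into one complete configuration, here is an added example of the cross-account pattern. It is not code from the issue or from the module's own examples. It assumes the API and certificate live in the account Terraform runs in, the public zone `example.com` lives in a second account that exposes a role the first account may assume, and that the module exposes the outputs `domain_name_target_domain_name` and `domain_name_hosted_zone_id` (assumed from the module's outputs; check `outputs.tf` for the version you pin). The role ARN, account ID, log group name and Lambda ARN are placeholders.

```hcl
# Added example, not from the issue thread. Placeholders: the DNS account ID and
# role name, the Lambda ARN, the log group name.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

# Default provider: the account that owns the API Gateway and the ACM certificate.
provider "aws" {
  region = "us-east-1"
}

# Second provider for the account that owns the hosted zone. The assumed role
# should carry only route53:ListResourceRecordSets / ChangeResourceRecordSets
# scoped to that one zone ARN; it never needs ACM or API Gateway permissions.
provider "aws" {
  alias  = "dns"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/route53-zone-writer" # placeholder
  }
}

locals {
  zone_name = "example.com"
  api_fqdn  = "github.example.com"
}

# The lookup the module cannot do for you: run it through the DNS-account provider.
data "aws_route53_zone" "this" {
  provider     = aws.dns
  name         = local.zone_name
  private_zone = false
}

# The certificate must stay in the API account and region, so it is created here...
resource "aws_acm_certificate" "api" {
  domain_name       = local.api_fqdn
  validation_method = "DNS"
  lifecycle { create_before_destroy = true }
}

# ...while its DNS validation records are written into the other account's zone.
resource "aws_route53_record" "acm_validation" {
  provider = aws.dns
  for_each = {
    for dvo in aws_acm_certificate.api.domain_validation_options :
    dvo.domain_name => { name = dvo.resource_record_name, type = dvo.resource_record_type, value = dvo.resource_record_value }
  }
  zone_id         = data.aws_route53_zone.this.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.value]
  allow_overwrite = true
}

resource "aws_acm_certificate_validation" "api" {
  certificate_arn         = aws_acm_certificate.api.arn
  validation_record_fqdns = [for r in aws_route53_record.acm_validation : r.fqdn]
}

resource "aws_cloudwatch_log_group" "api" {
  name              = "/aws/apigateway/codepipeline-trigger" # placeholder
  retention_in_days = 30
}

module "api" {
  source  = "terraform-aws-modules/apigateway-v2/aws"
  version = "5.0.0"

  name          = "codepipeline-trigger"
  protocol_type = "HTTP"

  # Full FQDN, no subdomains: the module only creates the API Gateway domain and mapping.
  domain_name                 = local.api_fqdn
  domain_name_certificate_arn = aws_acm_certificate_validation.api.certificate_arn
  create_certificate          = false # managed above, so no Route 53 lookup in the module
  create_domain_records       = false # alias record is created below, in the other account

  stage_access_log_settings = {
    create_log_group = false # reuse the group above instead of letting the module create one
    destination_arn  = aws_cloudwatch_log_group.api.arn
  }

  routes = {
    "ANY /" = {
      integration = {
        uri                    = "arn:aws:lambda:us-east-1:222222222222:function:codepipeline-trigger" # placeholder
        payload_format_version = "2.0"
      }
    }
  }
}

# Alias record in the DNS account pointing at the regional API Gateway endpoint.
resource "aws_route53_record" "api" {
  provider = aws.dns
  zone_id  = data.aws_route53_zone.this.zone_id
  name     = local.api_fqdn
  type     = "A"
  alias {
    name                   = module.api.domain_name_target_domain_name # assumed output name
    zone_id                = module.api.domain_name_hosted_zone_id     # assumed output name
    evaluate_target_health = false
  }
}
```

The split keeps the blast radius of the cross-account credential small: only the two `aws_route53_record` resources and the zone lookup use `aws.dns`, so the role in the DNS account can be limited to record changes on that one zone, and the certificate private key never leaves the API account.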