Md Shamim for AWS Community Builders
Cross-Account VPC Associations with Route53 Private Hosted Zone and Addressing Terraform State Update Issue

Background:

Let's assume we have a private hosted zone in Account A and a VPC from the same account associated with it. Now we need to associate another VPC from Account B (a cross-account VPC) with the private hosted zone residing in Account A.

This cannot be done via the AWS console; it requires a programmatic approach. In this tutorial we use the AWS CLI to perform the necessary operations.

(Figure: Route53 Private Hosted Zone Cross Account VPC Association)

The following commands need to be run in Account A.
Account A must create a VPC association authorization that authorizes the association of the VPC from Account B.

  • Create vpc association authorization:
aws route53 create-vpc-association-authorization \
    --hosted-zone-id <hosted-zone-id> \
    --vpc VPCRegion=<region>,VPCId=<vpc-id> \
    --region <your-region>
  • Check that the VPC is authorized:
aws route53 list-vpc-association-authorizations \
    --hosted-zone-id Z03168043HMQYLM46KQBL
  • Expected Outcome:
{
    "VPCs": [
        {
            "VPCRegion": "<region>",
            "VPCId": "<target-vpc-id>"
        }
    ],
    "HostedZoneId": "<hosted-zone-id>"
}

The following command needs to be run in Account B:

  • Account B associates its VPC with the hosted zone using associate-vpc-with-hosted-zone:
aws route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id <hosted-zone-id> \
    --vpc VPCRegion=<region>,VPCId=<vpc-id> \
    --region <your-region>
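The Account A / Account B exchange above, as an added shell example that is not part of the original post: it chains the authorization, a check that the authorization is actually listed before handing over to Account B, the association, and the removal of the authorization afterwards, which AWS recommends once the association exists. The profile names (account-a, account-b) and all ids are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the two-account handshake as
# shell functions. Account A authorizes and verifies, Account B associates,
# then Account A removes the authorization, which is no longer needed once the
# association exists. Profile names and ids below are placeholders.

AWS_PROFILE_A="${AWS_PROFILE_A:-account-a}"   # credentials for the zone owner
AWS_PROFILE_B="${AWS_PROFILE_B:-account-b}"   # credentials for the VPC owner
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-<hosted-zone-id>}"
TARGET_VPC_ID="${TARGET_VPC_ID:-<vpc-id>}"
TARGET_VPC_REGION="${TARGET_VPC_REGION:-<region>}"

# Account A: authorize the association of Account B's VPC.
authorize_vpc() {
  aws route53 create-vpc-association-authorization \
    --profile "$AWS_PROFILE_A" --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$TARGET_VPC_REGION,VPCId=$TARGET_VPC_ID"
}

# Account A: succeed only if the target VPC id is in the authorization list.
is_vpc_authorized() {
  aws route53 list-vpc-association-authorizations \
    --profile "$AWS_PROFILE_A" --hosted-zone-id "$HOSTED_ZONE_ID" \
    --query 'VPCs[].VPCId' --output text | tr '\t' '\n' | grep -qx "$TARGET_VPC_ID"
}

# Account B: perform the association with its own credentials.
associate_vpc() {
  aws route53 associate-vpc-with-hosted-zone \
    --profile "$AWS_PROFILE_B" --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$TARGET_VPC_REGION,VPCId=$TARGET_VPC_ID"
}

# Account A: drop the authorization; this does not disassociate the VPC, it only
# prevents the same authorization from being used for a later association.
revoke_authorization() {
  aws route53 delete-vpc-association-authorization \
    --profile "$AWS_PROFILE_A" --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$TARGET_VPC_REGION,VPCId=$TARGET_VPC_ID"
}

# Orchestrate: do not hand over to Account B until the authorization is visible.
cross_account_associate() {
  authorize_vpc >/dev/null || return 1
  is_vpc_authorized || { echo "no authorization for $TARGET_VPC_ID" >&2; return 1; }
  associate_vpc >/dev/null || return 1
  revoke_authorization >/dev/null
}
```

Run `cross_account_associate` with the five variables set for your environment; the functions only read them at call time.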

Now, from the console, we can verify the associated VPC:

(Figure: Route53 Private Hosted Zone Cross Account VPC Association)

Addressing Terraform State Update Challenges

After associating the cross-account VPC with the private hosted zone via the CLI, the association is not in the Terraform state, so the next terraform plan may show Terraform wanting to remove the cross-account VPC from the hosted zone:

  # aws_route53_zone.private will be updated in-place
  ~ resource "aws_route53_zone" "private" {
        id                  = "Z03168043HMQYLAGDGAL"
        name                = "example.com"
        tags                = {}
        # (7 unchanged attributes hidden)

      - vpc {
          - vpc_id     = "vpc-072877fb4e12c2427" -> null
          - vpc_region = "us-east-1" -> null
        }

        # (1 unchanged block hidden)
    }

To resolve this issue, add a lifecycle block that ignores changes to the vpc block inside the aws_route53_zone resource:

resource "aws_route53_zone" "private" {
  name = "example.com"

  vpc {
    vpc_id = "vpc-0f76856d99df4csbf"
  }
  # Ignore VPC associations made outside Terraform, such as the
  # cross-account VPC added via the CLI above.
  lifecycle {
    ignore_changes = [vpc]
  }
}

That's all for now. Please let me know your feedback and if you have any questions.

Thanks!!
Md Shamim
