I've been trying to associate a VPC ID from our DEV AWS account with a private hosted zone in our STAGE AWS account. The STAGE AWS account will authorize the VPC to associate, and the DEV account will be the one doing the associating.
I used these two aws-cli commands to create the authorization and the association, and it worked.
Authorization, which I ran in the STAGE account:
aws route53 create-vpc-association-authorization --hosted-zone-id AAAAAAAA --vpc VPCRegion=us-east-1,VPCId=vpc-1234567 --region us-east-1 --profile AwsAdministratorAccess-11111111111111
Association, which I ran in the DEV account:
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id AAAAAAAA --vpc VPCRegion=us-east-1,VPCId=vpc-1234567 --region us-east-1 --no-verify-ssl --profile AwsAdministratorAccess-2222222222222
What I am trying to do now is capture those manual changes I made and put them in Terraform (Atlantis).
In the STAGE account I added this code; terraform/Atlantis didn't show any additions, updates or deletions. That's a good sign.
# Look up the existing private zone in the STAGE account by name.
data "aws_route53_zone" "stage_example_com" {
  name         = "stage.example.com."
  private_zone = true
}

# vpc-1234567 is the VPC ID in the DEV account.
# Authorization must be created with STAGE credentials (the zone owner).
resource "aws_route53_vpc_association_authorization" "dev_vpctozone_authorization" {
  vpc_id     = "vpc-1234567"
  zone_id    = data.aws_route53_zone.stage_example_com.id
  vpc_region = "us-east-1"
}
My problem is in the DEV account. It cannot see the private hosted zone in the STAGE account.
# provider = aws.stage requires a matching provider "aws" { alias = "stage" ... }
# block configured with STAGE-account credentials; otherwise the lookup runs
# with the default (DEV) provider.
data "aws_route53_zone" "stage_example_com" {
  provider     = aws.stage
  name         = "stage.example.com"
  private_zone = true
  # vpc_id restricts the lookup to zones already associated with this VPC.
  vpc_id       = "vpc-1234567"
}

# Association is created with DEV credentials (the VPC owner).
resource "aws_route53_zone_association" "devtostage_vpctoprivzone_association" {
  vpc_id     = "vpc-1234567"
  zone_id    = data.aws_route53_zone.stage_example_com.zone_id
  vpc_region = "us-east-1"
}

output "zone" {
  value = data.aws_route53_zone.stage_example_com
}
I've seen different errors in my pull request. We use Atlantis to run terraform plan. Here is the error:
Error: no matching Route53Zone found
with data.aws_route53_zone.stage_example_com,
on vpc-privzone-assoc.tf line 26, in data "aws_route53_zone" "stage_example_com":
26: data "aws_route53_zone" "stage_example_com" {
Maybe it is looking at hosted zones only in the DEV account and not in the STAGE account. I'm just guessing right now.
Any help would be greatly appreciated!
Thank you.
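For reference, here is the cross-account flow described in the question written as a single Terraform configuration with two aliased providers. This is an added example, not code from the original post: the profile names, the `required_providers` version constraint and the `aws_vpc` lookup are assumptions, while the zone name and VPC ID are the placeholders used above. The zone is looked up by name without a `vpc_id` filter so the lookup does not depend on the association already existing, and the association resource takes its IDs from the authorization resource so Terraform orders the two API calls. The profiles should carry only the Route 53 permissions these calls need (`route53:CreateVPCAssociationAuthorization` on the STAGE side, `route53:AssociateVPCWithHostedZone` on the DEV side) rather than administrator access, and the `--no-verify-ssl` flag from the manual command has no equivalent here: it disables TLS certificate validation and should not be carried into automation.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# STAGE account: owns the private hosted zone. Profile name is an assumption.
provider "aws" {
  alias   = "stage"
  region  = "us-east-1"
  profile = "stage-route53"
}

# DEV account: owns the VPC. Profile name is an assumption.
provider "aws" {
  alias   = "dev"
  region  = "us-east-1"
  profile = "dev-route53"
}

# Read the zone with STAGE credentials. Looking it up by name without a vpc_id
# filter means the lookup succeeds before any association exists.
data "aws_route53_zone" "stage_example_com" {
  provider     = aws.stage
  name         = "stage.example.com."
  private_zone = true
}

# Confirm the VPC exists in the DEV account so a wrong ID fails at plan time.
data "aws_vpc" "dev" {
  provider = aws.dev
  id       = "vpc-1234567"
}

# Step 1, run as STAGE: authorize this specific VPC to associate with the zone.
resource "aws_route53_vpc_association_authorization" "dev_vpc" {
  provider   = aws.stage
  zone_id    = data.aws_route53_zone.stage_example_com.zone_id
  vpc_id     = data.aws_vpc.dev.id
  vpc_region = "us-east-1"
}

# Step 2, run as DEV: perform the association. Referencing the authorization's
# attributes makes Terraform create the authorization first and guarantees the
# same zone and VPC IDs are used on both sides.
resource "aws_route53_zone_association" "dev_vpc" {
  provider   = aws.dev
  zone_id    = aws_route53_vpc_association_authorization.dev_vpc.zone_id
  vpc_id     = aws_route53_vpc_association_authorization.dev_vpc.vpc_id
  vpc_region = aws_route53_vpc_association_authorization.dev_vpc.vpc_region
}

output "associated_zone_id" {
  value = aws_route53_zone_association.dev_vpc.zone_id
}
```

When the two accounts are separate Atlantis projects, as in the question, the DEV root does not need a cross-account data source at all: `aws_route53_zone_association` only requires the hosted zone ID and an authorization that already exists, so the zone ID can be passed in as a variable or literal and the STAGE root keeps the `aws_route53_zone` lookup and the authorization. To verify the result from the DEV account, `aws route53 list-hosted-zones-by-vpc --vpc-id vpc-1234567 --vpc-region us-east-1` should list the STAGE zone.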