Background:

Let's assume we have a private hosted zone in `Account A` and a VPC from the same account associated with it. Now we need to associate another VPC from `Account B` (a cross-account VPC) with the private hosted zone residing in `Account A`.

However, this cannot be done via the AWS console. To accomplish this requirement, we need to use the programmatic approach. In this tutorial, we will use the AWS CLI to perform the necessary operations.

**The following commands need to be run on** `Account A`:

`Account A` needs to create a VPC association authorization, which authorizes the association of a VPC from `Account B`.
- Create the VPC association authorization (replace the `<...>` placeholders with the hosted zone ID from `Account A` and the region and ID of the VPC in `Account B`):

```bash
aws route53 create-vpc-association-authorization \
    --hosted-zone-id <hosted-zone-id> \
    --vpc VPCRegion=<region>,VPCId=<target-vpc-id> \
    --region <region>
```

- Check that the VPC is `authorized`:

```bash
aws route53 list-vpc-association-authorizations \
    --hosted-zone-id Z03168043HMQYLM46KQBL
```

- Expected outcome:

```json
{
    "VPCs": [
        {
            "VPCRegion": "<region>",
            "VPCId": "<target-vpc-id>"
        }
    ],
    "HostedZoneId": "<hosted-zone-id>"
}
```
**The following commands need to be run on** `Account B`:

- `Account B` needs to run `associate-vpc-with-hosted-zone` using the same hosted zone ID and VPC values as above:

```bash
aws route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id <hosted-zone-id> \
    --vpc VPCRegion=<region>,VPCId=<target-vpc-id> \
    --region <region>
```
Now, from the console, we can verify the associated VPC:
![Route53 Private Hosted Zone Cross Account VPC Association](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fsq2q4d3m1oedqja1yti.png)
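The `Account A` and `Account B` steps above chained into one script, as an added example that is not from the original post. It assumes two named CLI profiles, `account-a` (zone owner) and `account-b` (VPC owner), and goes slightly beyond the walkthrough by skipping VPCs that are already associated and by deleting the authorization once the association exists, as AWS recommends.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the Account A / Account B steps
# run end to end from one machine using two named CLI profiles.
# Assumed names: profiles "account-a" (zone owner) and "account-b" (VPC owner).
set -eu

ZONE_PROFILE="${ZONE_PROFILE:-account-a}"   # Account A, owns the private hosted zone
VPC_PROFILE="${VPC_PROFILE:-account-b}"     # Account B, owns the VPC to associate

# Build the --vpc argument used by both the authorize and associate commands.
vpc_arg() {  # $1 = VPC region, $2 = VPC ID
  printf 'VPCRegion=%s,VPCId=%s' "$1" "$2"
}

# Return 0 when JSON from list-vpc-association-authorizations or get-hosted-zone
# (both use the "VPCs" list shape shown in the expected outcome) names the VPC ID.
json_lists_vpc() {  # $1 = JSON text, $2 = VPC ID
  printf '%s' "$1" | grep -Eq "\"VPCId\": *\"$2\""
}

associate_cross_account_vpc() {  # $1 = hosted zone ID, $2 = VPC region, $3 = VPC ID
  zone="$1"; vpc="$3"; arg="$(vpc_arg "$2" "$3")"

  # Idempotency: get-hosted-zone (Account A) lists the VPCs already attached.
  if json_lists_vpc "$(aws route53 get-hosted-zone --id "$zone" \
        --profile "$ZONE_PROFILE")" "$vpc"; then
    echo "$vpc is already associated with $zone"; return 0
  fi

  # Account A: authorize Account B's VPC, then confirm the authorization exists.
  aws route53 create-vpc-association-authorization --hosted-zone-id "$zone" \
      --vpc "$arg" --profile "$ZONE_PROFILE" >/dev/null
  json_lists_vpc "$(aws route53 list-vpc-association-authorizations \
        --hosted-zone-id "$zone" --profile "$ZONE_PROFILE")" "$vpc" ||
    { echo "authorization for $vpc not found on $zone" >&2; return 1; }

  # Account B: perform the association from the VPC owner's side.
  aws route53 associate-vpc-with-hosted-zone --hosted-zone-id "$zone" \
      --vpc "$arg" --profile "$VPC_PROFILE"

  # Account A: the association persists without the authorization, and AWS
  # recommends deleting it so no standing grant is left on the zone.
  aws route53 delete-vpc-association-authorization --hosted-zone-id "$zone" \
      --vpc "$arg" --profile "$ZONE_PROFILE"
}

# Only run the workflow when invoked with the three arguments.
if [ "$#" -eq 3 ]; then associate_cross_account_vpc "$@"; fi
```

Run it as `./associate.sh <hosted-zone-id> <region> <target-vpc-id>` with both profiles configured; the `--region` flag from the manual steps is taken from each profile's configuration instead.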
## Addressing Terraform State Update Challenges
After associating the cross-account VPC with the private hosted zone via the CLI, a `terraform plan` may show that Terraform wants to remove the cross-account VPC from the hosted zone, because that association is not declared in the Terraform configuration:

```
# aws_route53_zone.private will be updated in-place
~ resource "aws_route53_zone" "private" {
      id   = "Z03168043HMQYLAGDGAL"
      name = "example.com"
      tags = {}
      # (7 unchanged attributes hidden)

    - vpc {
        - vpc_id     = "vpc-072877fb4e12c2427" -> null
        - vpc_region = "us-east-1" -> null
      }

      # (1 unchanged block hidden)
  }
```
To resolve this issue, we can use the `lifecycle` block inside the `aws_route53_zone` resource code:

```hcl
resource "aws_route53_zone" "private" {
  name = "example.com"

  vpc {
    vpc_id = "vpc-0f76856d99df4csbf"
  }

  # Like this
  lifecycle {
    ignore_changes = [vpc]
  }
}
```
That's all for now. Please let me know your feedback and if you have any questions.
Thanks!!
[Md Shamim ](https://www.linkedin.com/in/shamimice03/)