# Cross-Account VPC Associations with Route53 Private Hosted Zone and Addressing Terraform State Update Issue

Md Shamim for AWS Community Builders

## Background

Let's assume we have a private hosted zone in Account A, with a VPC from that same account already associated with it. Now we need to associate another VPC from Account B (a cross-account VPC) with the private hosted zone residing in Account A.

This cannot be done from the AWS console: cross-account associations are only supported through the Route53 API, i.e. programmatically via the AWS CLI or an SDK. In this tutorial we will use the AWS CLI to perform the necessary operations.

## Route53 Private Hosted Zone Cross-Account VPC Association

The following commands need to be run in `Account A` (the account that owns the hosted zone). Account A must first create a VPC association authorization, which permits one specific VPC from Account B to be associated with the zone.

- Create a VPC association authorization. Replace the placeholders with the hosted zone ID and with the region and ID of Account B's VPC. Note that Route53 is a global service, so `--region` only selects the CLI endpoint; the VPC's own region must go in `VPCRegion`:

```bash
aws route53 create-vpc-association-authorization \
  --hosted-zone-id <hosted-zone-id> \
  --vpc VPCRegion=<vpc-region>,VPCId=<target-vpc-id> \
  --region <region>
```

- Check that the VPC is now `authorized`:

```bash
aws route53 list-vpc-association-authorizations \
  --hosted-zone-id Z03168043HMQYLM46KQBL
```

- Expected outcome:

```json
{
  "VPCs": [
    {
      "VPCRegion": "<vpc-region>",
      "VPCId": "<target-vpc-id>"
    }
  ],
  "HostedZoneId": "<hosted-zone-id>"
}
```


**The following commands need to be run in** `Account B` (the account that owns the VPC):

- `Account B` associates its VPC with the hosted zone using `associate-vpc-with-hosted-zone`. The hosted zone ID, VPC region and VPC ID must match the authorization created in Account A exactly; otherwise the call fails with `NotAuthorizedException`:

```bash
aws route53 associate-vpc-with-hosted-zone \
  --hosted-zone-id <hosted-zone-id> \
  --vpc VPCRegion=<vpc-region>,VPCId=<target-vpc-id> \
  --region <region>
```

- Once the association has succeeded, AWS recommends that `Account A` removes the authorization again with `delete-vpc-association-authorization` (same hosted zone ID and VPC parameters). The existing association is not affected, but the VPC can no longer be re-associated later without a fresh authorization from the zone owner.


Now, from the console (or with `aws route53 get-hosted-zone`), we can verify the associated VPC:

![Route53 Private Hosted Zone Cross Account VPC Association](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fsq2q4d3m1oedqja1yti.png)


## Addressing Terraform State Update Challenges

After associating the cross-account VPC with the private hosted zone via the CLI, the association exists in AWS but not in the Terraform configuration or state. On the next `terraform plan`, Terraform therefore treats it as drift and proposes to remove the cross-account VPC from the hosted zone (applying this plan would silently break DNS resolution for Account B's VPC):

```
# aws_route53_zone.private will be updated in-place
~ resource "aws_route53_zone" "private" {
      id   = "Z03168043HMQYLAGDGAL"
      name = "example.com"
      tags = {}
      # (7 unchanged attributes hidden)

    - vpc {
        - vpc_id     = "vpc-072877fb4e12c2427" -> null
        - vpc_region = "us-east-1" -> null
      }

      # (1 unchanged block hidden)
  }
```
To resolve this, add a `lifecycle` block with `ignore_changes = [vpc]` to the `aws_route53_zone` resource. Terraform then stops reconciling the zone's VPC associations, so it no longer tries to delete the cross-account one:

```hcl
resource "aws_route53_zone" "private" {
  name = "example.com"

  # The VPC from Account A, attached when Terraform creates the zone
  vpc {
    vpc_id = "vpc-0f76856d99df4csbf"
  }

  # Ignore VPC associations added outside Terraform (e.g. via the CLI)
  lifecycle {
    ignore_changes = [vpc]
  }
}
```

Be aware of the trade-off: with `ignore_changes = [vpc]`, `terraform plan` no longer reports any change to the zone's VPC associations at all, including a VPC that someone else attaches to the zone or the removal of the original Account A VPC. If Terraform should keep an accurate picture of which VPCs can resolve the zone, the cross-account associations have to be managed as Terraform resources rather than ignored.
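As an added example (not code from the original post), the whole procedure from this article, the authorization in Account A, the association from Account B, and the `ignore_changes` workaround on the zone, can be expressed in one Terraform configuration using the AWS provider's `aws_route53_vpc_association_authorization` and `aws_route53_zone_association` resources with two provider configurations. Account B is reached through an assumed role; the role ARN, account ID, region and both VPC IDs below are placeholders and assumptions, not values from the original post.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# Account A: owns the private hosted zone (default credentials).
provider "aws" {
  region = "us-east-1"
}

# Account B: owns the VPC to be associated. The role ARN is a placeholder;
# the role only needs route53:AssociateVPCWithHostedZone plus ec2:DescribeVpcs.
provider "aws" {
  alias  = "account_b"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::<account-b-id>:role/<terraform-role>"
  }
}

variable "account_a_vpc_id" { default = "vpc-0f76856d99df4csbf" } # assumed: zone owner's VPC
variable "account_b_vpc_id" { default = "vpc-072877fb4e12c2427" } # assumed: cross-account VPC
variable "vpc_region"       { default = "us-east-1" }              # assumed: region of both VPCs

resource "aws_route53_zone" "private" {
  name = "example.com"

  vpc {
    vpc_id = var.account_a_vpc_id
  }

  # Cross-account VPCs are attached through aws_route53_zone_association below,
  # so the zone resource must not try to reconcile its own vpc block.
  lifecycle {
    ignore_changes = [vpc]
  }
}

# Step 1 (Account A): authorize exactly one VPC from Account B, equivalent to
# `aws route53 create-vpc-association-authorization`.
resource "aws_route53_vpc_association_authorization" "account_b" {
  zone_id    = aws_route53_zone.private.zone_id
  vpc_id     = var.account_b_vpc_id
  vpc_region = var.vpc_region
}

# Step 2 (Account B): perform the association with Account B credentials,
# equivalent to `aws route53 associate-vpc-with-hosted-zone`. Referencing the
# authorization's attributes orders the two steps and guarantees that zone ID,
# VPC ID and region match the authorization exactly.
resource "aws_route53_zone_association" "account_b" {
  provider   = aws.account_b
  zone_id    = aws_route53_vpc_association_authorization.account_b.zone_id
  vpc_id     = aws_route53_vpc_association_authorization.account_b.vpc_id
  vpc_region = aws_route53_vpc_association_authorization.account_b.vpc_region
}

# Which VPCs are expected to resolve the zone, now visible in plan output.
output "associated_vpcs" {
  value = {
    account_a = var.account_a_vpc_id
    account_b = aws_route53_zone_association.account_b.vpc_id
  }
}
```

With this layout a stray association created outside Terraform shows up as drift on the `aws_route53_zone_association` resources rather than being invisible, and the `ignore_changes` block is limited to the zone's own `vpc` block, which the provider documents as the intended pattern. One difference from the CLI flow: the authorization stays in place for as long as its resource remains in the configuration, whereas with the CLI you can delete it immediately after the association succeeds.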



That's all for now. Please let me know your feedback and if you have any questions.

Thanks!!
[Md Shamim ](https://www.linkedin.com/in/shamimice03/)
