DEV Community

Cover image for Cross-Account VPC Associations with Route53 Private Hosted Zone and Addressing Terraform State Update Issue
AWS Community Builders profile image Md Shamim
Md Shamim for AWS Community Builders

Posted on

Cross-Account VPC Associations with Route53 Private Hosted Zone and Addressing Terraform State Update Issue

#aws #terraform #route53 #cloudcomputing

Background:

Let assume, we have a private hosted zone in Account A and a VPC associated with it from the same account. Now, we need to associate another VPC from Account B (which is a Cross-Account) to the private hosted zone residing in Account A.

However, this cannot be done via the AWS console. To accomplish this requirement, we'll need to use the programmatic approach. In this tutorial, we will be using AWS CLI to perform the necessary operations.

Route53 Private Hosted Zone Cross Account VPC Association

The following commands need to be run on Account A:
Account A needs to create a VPC association authorization to authorize the association of a VPC from Account B.

  • Create vpc association authorization: ```

aws route53 create-vpc-association-authorization \
--hosted-zone-id \
--vpc VPCRegion=,VPCId= \
--region 


- Check if VPC is `authorized`:
Enter fullscreen mode Exit fullscreen mode

aws route53 list-vpc-association-authorizations \
--hosted-zone-id Z03168043HMQYLM46KQBL

- Expected Outcome:
Enter fullscreen mode Exit fullscreen mode

{
"VPCs": [
{
"VPCRegion": "region",
"VPCId": "< target-vpc-id >"
}
],
"HostedZoneId": "< hosted-zone-id >"
}


**The following commands need to be run on** `Account B`:
- `Account B` needs to `associate-vpc-with-hosted-zone` using the following command:
Enter fullscreen mode Exit fullscreen mode

aws route53 associate-vpc-with-hosted-zone \
--hosted-zone-id \
--vpc VPCRegion=,VPCId= \
--region 


Now, from the console, we can verify the associated VPC:

![Route53 Private Hosted Zone Cross Account VPC Association](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fsq2q4d3m1oedqja1yti.png)


## Addressing Terraform State Update Challenges
After associating cross-account VPC with a private hosted zone using CLI. In `terraform`, we might see `terraform` will delete the cross-account VPC from the hosted zone:
Enter fullscreen mode Exit fullscreen mode

# aws_route53_zone.private will be updated in-place
~ resource "aws_route53_zone" "private" {
id = "Z03168043HMQYLAGDGAL"
name = "example.com"
tags = {}
# (7 unchanged attributes hidden)

  - vpc {
      - vpc_id     = "vpc-072877fb4e12c2427" -> null
      - vpc_region = "us-east-1" -> null
    }

    # (1 unchanged block hidden)
}
Enter fullscreen mode Exit fullscreen mode 
To resolve this issue we can use the `lifecycle` block inside the `aws_route53_zone` resource code:
Enter fullscreen mode Exit fullscreen mode

resource "aws_route53_zone" "private" {
name = "example.com"

vpc {
vpc_id = "vpc-0f76856d99df4csbf"
}
# Like this
lifecycle {
ignore_changes = [vpc]
}
}



That's all for now. Please let me know your feedback and if you have any questions.

Thanks!!
[Md Shamim ](https://www.linkedin.com/in/shamimice03/)
Enter fullscreen mode Exit fullscreen mode

Top comments (0)

Read next

psantus profile image

How to run PHP on AWS ServerLess architecture ? Part 1 - What's serverless?

Paul SANTUS -

vkazulkin profile image

Lambda function with GraalVM Native Image - Part 1 Introduction to GraalVM and its native image capabilities

Vadym Kazulkin -

amr-saafan profile image

Terraform Your Way to High Availability: Deploying a Full Stack AWS Architecture

Amr Saafan -

nivekalara237 profile image

Building a Spring Boot Consumer Application with Amazon SQS: Setup Infrastructure Using Cloud Development Kit (CDK)

Kevin Lactio Kemta -