
How to associate route53 zones with vpcs from different accounts with terraform

Context

If you need to associate a private Route 53 zone with a VPC that belongs to a different account, and you simply try to associate the VPC of one account with a zone in another, you will most likely hit an error like the one below:

│ Error: error associating Route 53 Hosted Zone (ZONEXXXXXXXXX) to EC2 VPC (vpc-xxxxxxxx): AccessDenied: User: arn:aws:sts::xxxxxxxxx:assumed-role/xxxx-role/id-xxxx is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/XXXXXXX because no resource-based policy allows the route53:AssociateVPCWithHostedZone action

This happens because the account that owns the zone has not yet authorized the association: Route 53 requires the zone owner to create a VPC association authorization for that specific VPC before the VPC owner is allowed to associate it.

How to associate route53 zones with vpcs from different accounts with terraform

Let's assume you have a private zone named root (the resource is referenced as aws_route53_zone.root further down, so it is named root here). A private zone needs at least one VPC from its own account at creation time, otherwise Terraform creates a public zone and neither the authorization nor the association applies to it.

resource "aws_route53_zone" "root" {
  name = "ilhicas.com"
  vpc {                           # a private zone needs one VPC of this account at creation
    vpc_id = "vpc-local-vpc-id"   # assumed id, replace with a VPC in the zone-owning account
  }
}

So, in order to allow a VPC from another account to be associated with this zone, you create an aws_route53_vpc_association_authorization in the account that owns the zone (the currently running account, using the default aws provider), like the one below. The authorization only grants permission for that one VPC; it does not create the association itself.

resource "aws_route53_vpc_association_authorization" "auth_external" {
  vpc_id  = "vpc-external-vpc-id"   # assumed id of the VPC in the other account (HCL strings use double quotes)
  zone_id = aws_route53_zone.root.zone_id
}

After that, you need to set up the association from the account that owns the VPC (let's call it the external account). For that you switch providers and assume a role in that account.

Let’s say you create a new provider with the alias external like the one below

provider "aws" {
  region = "us-east-1"
  alias  = "external"
  assume_role {
    role_arn = var.external_role
  }
}

So now, in order to create the association, you switch to the owner of the external VPC, in our case through the aliased "external" aws provider.

Resulting in the following association resource definition:

resource "aws_route53_zone_association" "external" {
  provider   = aws.external
  # Reading the ids from the authorization makes Terraform create the
  # authorization first; a literal vpc_id would carry no such dependency.
  vpc_id     = aws_route53_vpc_association_authorization.auth_external.vpc_id
  zone_id    = aws_route53_vpc_association_authorization.auth_external.zone_id
  vpc_region = "us-east-1"
}
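The steps above, put together as one complete root module. This is an added example, not the post's own code: the domain name, region, the external_role variable, the VPC ids and the Name tag used to look up the external VPC are all assumptions. Compared with the snippets above it also looks the external VPC up through the assumed role instead of hard-coding its id, and adds the lifecycle ignore_changes on the zone that keeps later plans from trying to remove the cross-account association (the zone's vpc blocks only describe VPCs of the zone-owning account).

```hcl
# Added example, not the post's own code. Assumed values: the domain name,
# the region, the external_role variable, the VPC ids and the Name tag.
variable "external_role" {
  description = "ARN of a role in the VPC-owning (external) account that we can assume"
  type        = string
}

# Default provider: the account that owns the hosted zone.
provider "aws" {
  region = "us-east-1"
}

# Aliased provider: the account that owns the VPC.
provider "aws" {
  region = "us-east-1"
  alias  = "external"
  assume_role {
    role_arn = var.external_role
  }
}

# The VPC in the other account, looked up with the external provider so that
# its id is not hard-coded (assumed tag Name = "shared-services").
data "aws_vpc" "external" {
  provider = aws.external
  filter {
    name   = "tag:Name"
    values = ["shared-services"]
  }
}

# Private zone in the zone-owning account. It needs at least one VPC of this
# account at creation time. ignore_changes on vpc keeps Terraform from planning
# the removal of the cross-account association that it later sees on the zone.
resource "aws_route53_zone" "root" {
  name = "ilhicas.com"
  vpc {
    vpc_id = "vpc-local-vpc-id" # assumed id of a VPC in this account
  }
  lifecycle {
    ignore_changes = [vpc]
  }
}

# Step 1 (zone owner, default provider): authorize the external VPC.
resource "aws_route53_vpc_association_authorization" "auth_external" {
  zone_id    = aws_route53_zone.root.zone_id
  vpc_id     = data.aws_vpc.external.id
  vpc_region = "us-east-1"
}

# Step 2 (VPC owner, assumed role): perform the association. Reading zone_id
# and vpc_id from the authorization resource gives Terraform the ordering:
# the authorization exists before the association is attempted.
resource "aws_route53_zone_association" "external" {
  provider   = aws.external
  zone_id    = aws_route53_vpc_association_authorization.auth_external.zone_id
  vpc_id     = aws_route53_vpc_association_authorization.auth_external.vpc_id
  vpc_region = "us-east-1"
}

output "hosted_zone_id" {
  value = aws_route53_zone.root.zone_id
}
```

Running terraform plan against this should show the authorization being created before the association; if the association still fails with the AccessDenied error from the Context section, check that the assumed role is in the account that actually owns the VPC returned by the data source.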

And that’s it. You

Caveats

This assumes you have access to both accounts (a role you can assume in the VPC-owning account); otherwise the VPC owner has to perform the association on their side after you grant the authorization. The credentials in the zone-owning account need route53:CreateVPCAssociationAuthorization on the hosted zone, and the assumed role in the external account needs route53:AssociateVPCWithHostedZone on that zone plus ec2:DescribeVpcs. The authorization is only needed while the association is being created: deleting it afterwards (AWS recommends this) does not undo the association, so removing the aws_route53_vpc_association_authorization resource later is safe.

Conclusion

Creating the authorization and the association in the same Terraform stack/module makes it trivial to give a VPC in an external account access to a private hosted zone in another account, provided the permissions are in place for both roles to be assumed.

This post is licensed under CC BY 4.0 by the author.