@dalethestirling
Last active June 8, 2017 15:13
Association of Route53 private hosted zones between AWS accounts using Terraform.

As more solutions leverage AWS accounts as the demarcation line between change and fault domains, associating private Route53 zones across those fault domains has become more difficult. The common scenario in which this is encountered is when DNS from the engineering or SDLC tooling environment needs to be propagated to other environments to facilitate Continuous Delivery practices.

This can be done, not through the console, but by using the underlying AWS API, as documented by Amazon: https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-account/

This approach is not supported by current versions of Terraform, and current GitHub issues suggest that supporting it could be a large amount of work. The easiest way to solve this is to make the required calls using `awscli`. This can be done in Terraform in a managed way using the `null_resource` resource.

Let's imagine that VPC-A (vpc-a.tf) has hosts that need to be referenced by VPC-B (vpc-b.tf), and that these two VPCs are contained in separate AWS accounts. In this scenario VPC-A would authorise VPC-B to associate with the zone, and VPC-B would then perform the association.

This is expressed in Terraform like so, but be aware that this adds a dependency on the awscli for each user of Terraform.

vpc-a.tf (account A owns the private zone and authorises VPC-B to associate with it):

```hcl
variable "vpc" {
  default = {
    name = "vpc-a"
    cidr = "10.0.1.0/24"
  }
}

# Id of the VPC in account B that will be granted association rights.
variable "vpc_b" { default = "vpc-xxxxxxx" }
variable "domain" { default = "vpc-a.example.com" }

# Region used for VPCRegion below; the original referenced this data source without declaring it.
data "aws_region" "current" {}

resource "aws_vpc" "main" {
  cidr_block = "${var.vpc["cidr"]}" # was var.vpc["name"], which is not a CIDR

  tags {
    Name = "${var.vpc["name"]}"
  }
}

# Setting vpc_id makes the zone private.
resource "aws_route53_zone" "main" {
  name   = "${var.domain}"
  vpc_id = "${aws_vpc.main.id}"
}

# Step 1: authorise VPC-B. The awscli runs with whatever credentials the
# Terraform operator has; they must belong to account A (the zone owner).
resource "null_resource" "create_remote_zone_auth" {
  triggers {
    zone_id = "${aws_route53_zone.main.zone_id}"
    vpc_id  = "${var.vpc_b}"
  }

  provisioner "local-exec" {
    command = "aws route53 create-vpc-association-authorization --hosted-zone-id ${aws_route53_zone.main.zone_id} --vpc VPCRegion=${data.aws_region.current.name},VPCId=${var.vpc_b}"
  }
}
```
vpc-b.tf (account B owns the VPC and performs the association with account A's zone):

```hcl
variable "vpc" {
  default = {
    name = "vpc-b"
    cidr = "10.0.2.0/24"
  }
}

# Hosted zone id of the private zone in account A.
variable "zone_id" { default = "Z3698QZYURP5L2" }
variable "domain" { default = "vpc-b.example.com" }

data "aws_region" "current" {}

resource "aws_vpc" "main" {
  cidr_block = "${var.vpc["cidr"]}" # was var.vpc["name"], which is not a CIDR

  tags {
    Name = "${var.vpc["name"]}"
  }
}

resource "aws_route53_zone" "main" {
  name   = "${var.domain}"
  vpc_id = "${aws_vpc.main.id}"
}

# Step 2: associate this VPC with account A's zone. Must run with account B
# credentials, and only succeeds while the authorisation from step 1 exists.
# The VPC being associated is the one declared above (the original referenced
# an undeclared module for its id).
resource "null_resource" "shared_services_zone_auth" {
  triggers {
    zone_id = "${var.zone_id}" # the remote zone being associated, not the local one
    vpc_id  = "${aws_vpc.main.id}"
  }

  provisioner "local-exec" {
    command = "aws route53 associate-vpc-with-hosted-zone --hosted-zone-id ${var.zone_id} --vpc VPCRegion=${data.aws_region.current.name},VPCId=${aws_vpc.main.id}"
  }
}
```
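As an added example (not the gist's code), here is the same authorise-then-associate exchange that the two `null_resource` provisioners perform, driven from Python with a boto3 `route53` client for each account passed in. The `FakeRoute53` class is a constructed offline stand-in for those clients, the zone, region and VPC ids are placeholders, and the function goes one step beyond the gist by revoking the authorisation once the association has been made.

```python
class FakeRoute53:
    """Constructed in-memory stand-in for boto3's route53 client. The class-level
    state models the AWS side, which both accounts' clients talk to."""
    state = {"auths": {}, "assocs": {}}

    def __init__(self, account):
        self.account = account  # label only: which account this client is signed in to

    def create_vpc_association_authorization(self, HostedZoneId, VPC):
        self.state["auths"].setdefault(HostedZoneId, []).append(dict(VPC))
        return {"HostedZoneId": HostedZoneId, "VPC": dict(VPC)}

    def list_vpc_association_authorizations(self, HostedZoneId):
        return {"HostedZoneId": HostedZoneId,
                "VPCs": list(self.state["auths"].get(HostedZoneId, []))}

    def associate_vpc_with_hosted_zone(self, HostedZoneId, VPC, Comment=""):
        # A VPC from another account may associate only while an authorization exists
        if VPC not in self.state["auths"].get(HostedZoneId, []):
            raise PermissionError("NotAuthorizedException: " + VPC["VPCId"])
        self.state["assocs"].setdefault(HostedZoneId, []).append(dict(VPC))
        return {"ChangeInfo": {"Id": "/change/C-CONSTRUCTED", "Status": "PENDING"}}

    def delete_vpc_association_authorization(self, HostedZoneId, VPC):
        self.state["auths"][HostedZoneId].remove(VPC)
        return {}

    def get_hosted_zone(self, Id):
        return {"VPCs": list(self.state["assocs"].get(Id, []))}


def associate_private_zone(zone_owner, vpc_owner, zone_id, region, vpc_id):
    """Step 1 in the zone-owning account, step 2 from the VPC-owning account,
    then revoke the authorization so no standing grant is left behind."""
    vpc = {"VPCRegion": region, "VPCId": vpc_id}
    zone_owner.create_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc)
    granted = zone_owner.list_vpc_association_authorizations(HostedZoneId=zone_id)["VPCs"]
    if vpc not in granted:
        raise RuntimeError("authorization for %s not visible on %s" % (vpc_id, zone_id))
    try:
        change = vpc_owner.associate_vpc_with_hosted_zone(
            HostedZoneId=zone_id, VPC=vpc, Comment="cross-account association")
    finally:
        # The association survives deletion of the authorization; leaving the
        # authorization in place would let the VPC owner re-associate at any time.
        zone_owner.delete_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc)
    associated = zone_owner.get_hosted_zone(Id=zone_id)["VPCs"]
    return {"change_id": change["ChangeInfo"]["Id"], "associated": vpc in associated}
```

With real clients, `zone_owner` and `vpc_owner` would be `boto3.Session(profile_name=...).client("route53")` for account A and account B respectively.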