vpc block in aws_route53_zone causes issues with aws_route53_zone_association

[mrozentsvayg]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.13
+ provider.aws v2.1.0

Affected Resource(s)

• aws_route53_zone
• aws_route53_zone_association

Terraform Configuration Files

resource "aws_route53_zone" "xx" {
  name = "xx.test"
  vpc {
    vpc_id = "vpc-11111111"
  }
}

resource "aws_route53_zone_association" "xx" {
  zone_id    = "${aws_route53_zone.xx.zone_id}"
  vpc_id     = "vpc-22222222"
  vpc_region = "us-west-1"
}

Debug Output

Terraform will perform the following actions:

  + aws_route53_zone.xx
      id:                        <computed>
      comment:                   "Managed by Terraform"
      force_destroy:             "false"
      name:                      "xx.test"
      name_servers.#:            <computed>
      vpc.#:                     "1"
      vpc.2645171986.vpc_id:     "vpc-11111111"
      vpc.2645171986.vpc_region: <computed>
      vpc_id:                    <computed>
      vpc_region:                <computed>
      zone_id:                   <computed>

  + aws_route53_zone_association.xx
      id:                        <computed>
      vpc_id:                    "vpc-22222222"
      vpc_region:                "us-west-1"
      zone_id:                   "${aws_route53_zone.xx.zone_id}"

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_route53_zone.xx: Creating...
  comment:                   "" => "Managed by Terraform"
  force_destroy:             "" => "false"
  name:                      "" => "xx.test"
  name_servers.#:            "" => "<computed>"
  vpc.#:                     "" => "1"
  vpc.2645171986.vpc_id:     "" => "vpc-11111111"
  vpc.2645171986.vpc_region: "" => "<computed>"
  vpc_id:                    "" => "<computed>"
  vpc_region:                "" => "<computed>"
  zone_id:                   "" => "<computed>"
aws_route53_zone.xx: Still creating... (10s elapsed)
aws_route53_zone.xx: Still creating... (20s elapsed)
aws_route53_zone.xx: Still creating... (30s elapsed)
aws_route53_zone.xx: Still creating... (40s elapsed)
aws_route53_zone.xx: Still creating... (50s elapsed)
aws_route53_zone.xx: Creation complete after 58s (ID: ZZZZZZZZZZZZZZ)
aws_route53_zone_association.xx: Creating...
  vpc_id:     "" => "vpc-22222222"
  vpc_region: "" => "us-west-1"
  zone_id:    "" => "ZZZZZZZZZZZZZZ"
aws_route53_zone_association.xx: Still creating... (10s elapsed)
aws_route53_zone_association.xx: Still creating... (20s elapsed)
aws_route53_zone_association.xx: Still creating... (30s elapsed)
aws_route53_zone_association.xx: Still creating... (40s elapsed)
aws_route53_zone_association.xx: Creation complete after 47s (ID: ZZZZZZZZZZZZZZ:vpc-22222222)

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Terraform will perform the following actions:

  ~ aws_route53_zone.xx
      vpc.#:                 "2" => "1"
      vpc.1474358627.vpc_id: "vpc-22222222" => ""
      vpc.2645171986.vpc_id: "vpc-11111111" => "vpc-11111111"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_route53_zone.xx: Modifying... (ID: ZZZZZZZZZZZZZZ)
  vpc.#:                 "2" => "1"
  vpc.1474358627.vpc_id: "vpc-22222222" => ""
  vpc.2645171986.vpc_id: "vpc-11111111" => "vpc-11111111"
aws_route53_zone.xx: Still modifying... (ID: ZZZZZZZZZZZZZZ, 10s elapsed)
aws_route53_zone.xx: Still modifying... (ID: ZZZZZZZZZZZZZZ, 20s elapsed)
aws_route53_zone.xx: Still modifying... (ID: ZZZZZZZZZZZZZZ, 30s elapsed)
aws_route53_zone.xx: Still modifying... (ID: ZZZZZZZZZZZZZZ, 40s elapsed)
aws_route53_zone.xx: Modifications complete after 47s (ID: ZZZZZZZZZZZZZZ)

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Terraform will perform the following actions:

  + aws_route53_zone_association.xx
      id:         <computed>
      vpc_id:     "vpc-22222222"
      vpc_region: "us-west-1"
      zone_id:    "ZZZZZZZZZZZZZZ"

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_route53_zone_association.xx: Creating...
  vpc_id:     "" => "vpc-22222222"
  vpc_region: "" => "us-west-1"
  zone_id:    "" => "ZZZZZZZZZZZZZZ"
aws_route53_zone_association.xx: Still creating... (10s elapsed)
aws_route53_zone_association.xx: Still creating... (20s elapsed)
aws_route53_zone_association.xx: Still creating... (30s elapsed)
aws_route53_zone_association.xx: Still creating... (40s elapsed)
aws_route53_zone_association.xx: Creation complete after 47s (ID: ZZZZZZZZZZZZZZ:vpc-22222222)

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Terraform will perform the following actions:

  ~ aws_route53_zone.xx
      vpc.#:                 "2" => "1"
      vpc.1474358627.vpc_id: "vpc-22222222" => ""
      vpc.2645171986.vpc_id: "vpc-11111111" => "vpc-11111111"


Plan: 0 to add, 1 to change, 0 to destroy.

Panic Output

Expected Behavior

• creation of a private zone, associated to the vpc_id in vpc block of aws_route53_zone resource
• creation of an association(s) to the additional vpc(s) configured in aws_route53_zone_association resource

Actual Behavior

• a private zone has been created
• association(s) with the additional vpc(s) have been created
• subsequent terraform apply runs would remove the association(s) with add the additional vpc(s), next one would recreate it again, and so on back and forth.

Steps to Reproduce

1. terraform apply

Important Factoids

• standalone vpc_id (without vpc block) in aws_route53_zone worked correctly for the described scenario (before it got deprecated in removed in [Version 2 Release] resource/aws_route53_zone: Remove deprecated top-level vpc_id and vpc_region arguments #7693)
• it seems the only way to get the additional associations now, is to have multiple vpc blocks in aws_route53_zone, but it doesn't allow dynamic associations configuration and not documented.

References

• [Version 2 Release] resource/aws_route53_zone: Remove deprecated top-level vpc_id and vpc_region arguments #7693

[georgesvachulay]

+1 and I'd also add that it's somewhat documented here, but it makes it apparent that it won't work properly (paradoxical docs):

https://www.terraform.io/docs/providers/aws/r/route53_zone_association.html says

NOTE: Terraform provides both this standalone Zone VPC Association resource and exclusive VPC associations defined in-line in the aws_route53_zone resource via vpc configuration blocks. At this time, you cannot use those in-line VPC associations in conjunction with this resource and the same zone ID otherwise it will cause a perpetual difference in plan output. You can optionally use the generic Terraform resource lifecycle configuration block with ignore_changes in the aws_route53_zone resource to manage additional associations via this resource.

but that sounds like it's a workaround only. The paradox here is that you have to give at least one vpc {} block to the zone resource to make it create a private zone, yet you cannot use the association resource if you even have a single embedded vpc block as it goes into a loop, making this impossible to use.

Didn't test the workaround yet, will report if it works.

EDIT - yes it works, however the issue of not being able to update the default VPC for the zone is still present, so still needs fixing

[mrozentsvayg]

bump
any comments here @bflad ?

[yruss972]

Workaround could be better documented with a concrete example.

[bflad]

Hi folks 👋 The aws_route53_zone_association resource documentation includes the following note:

NOTE: Terraform provides both this standalone Zone VPC Association resource and exclusive VPC associations defined in-line in the aws_route53_zone resource via vpc configuration blocks. At this time, you cannot use those in-line VPC associations in conjunction with this resource and the same zone ID otherwise it will cause a perpetual difference in plan output. You can optionally use the generic Terraform resource lifecycle configuration block with ignore_changes in the aws_route53_zone resource to manage additional associations via this resource.

And the following example configuration:

resource "aws_vpc" "primary" {
  cidr_block           = "10.6.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
}

resource "aws_vpc" "secondary" {
  cidr_block           = "10.7.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
}

resource "aws_route53_zone" "example" {
  name = "example.com"

  # NOTE: The aws_route53_zone vpc argument accepts multiple configuration
  #       blocks. The below usage of the single vpc configuration, the
  #       lifecycle configuration, and the aws_route53_zone_association
  #       resource is for illustrative purposes (e.g. for a separate
  #       cross-account authorization process, which is not shown here).
  vpc {
    vpc_id = aws_vpc.primary.id
  }

  lifecycle {
    ignore_changes = [vpc]
  }
}

resource "aws_route53_zone_association" "secondary" {
  zone_id = aws_route53_zone.example.zone_id
  vpc_id  = aws_vpc.secondary.id
}

Due to how the Route 53 API and Terraform are designed, it is not possible for the Terraform AWS Provider to support this functionality better without removing functionality. If you feel this documentation can be improved still, please open a new issue and we will take a fresh look. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!