1 vote

Terraform doesn't seem to be able to create AWS private hosted Route53 zones, and dies with the following error when I try to create a new hosted private zone associated with an existing VPC:

Error applying plan:
1 error(s) occurred:
aws_route53_zone.analytics: InvalidVPCId: The VPC: vpc-xxxxxxx you provided is not authorized to make the association.
status code: 400, request id: b411af23-0187-11e7-82e3-df8a3528194f

Here's my .tf file:

provider "aws" {
  region  = "${var.region}"
  profile = "${var.environment}"
}

variable "vpcid" {
  default = "vpc-xxxxxx"
}

variable "region" {
  default = "eu-west-1"
}

variable "environment" {
  default = "dev"
}

resource "aws_route53_zone" "analytics" {
  vpc_id = "${var.vpcid}"
  name   = "data.int.example.com"
}

I'm not sure if the error is referring to either one of these:

  • The VPC somehow needs to be authorised to associate with the zone in advance.
  • The AWS account running the Terraform needs the correct IAM permissions to associate the zone with the VPC.

Would anyone have a clue how I could troubleshoot this further?

3
What's the Terraform version? It seems you are running an old version. – BMW

3 Answers

0 votes

Check the Terraform version to see whether you are running the latest or not.

Second, your code is wrong if compared with the sample:

data "aws_route53_zone" "selected" {
  name = "test.com."
  private_zone = true
}

resource "aws_route53_record" "www" {
  zone_id = "${data.aws_route53_zone.selected.zone_id}"
  name = "www.${data.aws_route53_zone.selected.name}"
  type = "A"
  ttl = "300"
  records = ["10.0.0.1"]
}

1 vote

Sometimes you also face such an issue when the AWS region configured in the provider config is different from the region in which you have the VPC deployed. For such cases we can use an alias for the AWS provider, like below:

provider "aws" {
  region = "us-east-1"
}


provider "aws" {
  region = "ap-southeast-1"
  alias = "singapore"
}

Then we can use it as below in Terraform resources:

resource "aws_route53_zone_association" "vpc_two" {
  provider = "aws.singapore"
  zone_id = "${aws_route53_zone.dlos_vpc.zone_id}"
  vpc_id  = "${aws_vpc.vpc_two.id}"
}

The above snippet is helpful when you need your Terraform script to do deployments in multiple regions.

0 votes

The error code you're getting is because either your user/role doesn't have the necessary VPC related permissions or you are using the wrong VPC id.

I'd suggest you double check the VPC id you are using, potentially using the VPC data source to fetch it:

# Assuming you use the "Name" tag on the VPC resource to identify your VPCs
variable "vpc_name" {}

data "aws_vpc" "selected" {
  tags {
    Name = "${var.vpc_name}"
  }
}

resource "aws_route53_zone" "analytics" {
  vpc_id = "${data.aws_vpc.selected.id}"
  name   = "data.int.example.com"
}

You also want to check that your user/role has the necessary VPC related permissions. For this you'll probably want all of the permissions listed in the docs:

[image: the permissions list from the Route53 docs, not reproduced here]
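Putting the second and third answers together, here is an added example (not from the question or any of the answers) of a configuration that surfaces the region, account and VPC the provider actually resolved before the Route53 call is made, and that grants the principal only the actions the create/associate path needs. It uses Terraform 0.11 / AWS provider 1.x syntax to match the page (including the `vpc_id` argument on `aws_route53_zone`); the `vpc_name` variable and its default, the policy name and the output names are constructed for this example. The IAM action list is deliberately minimal; the provider's read and update paths may need further actions (tagging, record listing), which should be taken from the docs referenced in the answer above.

```hcl
# Added example, not from the question or the answers. Terraform 0.11 / AWS
# provider 1.x syntax to match the page. "vpc_name" and its default value are
# constructed for this example.

variable "region" {
  default = "eu-west-1"
}

variable "environment" {
  default = "dev"
}

variable "vpc_name" {
  default = "analytics-dev" # constructed: the Name tag of the target VPC
}

provider "aws" {
  region  = "${var.region}"
  profile = "${var.environment}"
}

# Surface the account and region the provider resolved to, so a wrong profile
# or region shows up in `terraform plan` before Route53 is ever called.
data "aws_caller_identity" "current" {}

data "aws_region" "current" {}

# Look the VPC up by tag instead of hard-coding an id. If the VPC lives in a
# different region or account than the provider, this fails at plan time with
# a "no matching VPC" error rather than at apply time with InvalidVPCId.
data "aws_vpc" "selected" {
  tags {
    Name = "${var.vpc_name}"
  }
}

resource "aws_route53_zone" "analytics" {
  name   = "data.int.example.com"
  vpc_id = "${data.aws_vpc.selected.id}"
}

# Minimal policy for the principal behind the "dev" profile: only the actions
# the private-zone create/associate path needs. Attach it to that user/role.
data "aws_iam_policy_document" "route53_private_zone" {
  statement {
    actions = [
      "route53:CreateHostedZone",
      "route53:GetHostedZone",
      "route53:DeleteHostedZone",
      "route53:AssociateVPCWithHostedZone",
      "route53:DisassociateVPCFromHostedZone",
    ]

    resources = ["*"]
  }

  statement {
    # Route53 describes the VPC on the caller's behalf when associating it;
    # without this the create call fails even with a correct VPC id.
    actions   = ["ec2:DescribeVpcs"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "route53_private_zone" {
  name   = "route53-private-zone-${var.environment}" # constructed name
  policy = "${data.aws_iam_policy_document.route53_private_zone.json}"
}

# Compare these three against what you expect before applying: the region
# must be where the VPC lives and the account must own that VPC.
output "caller_account" {
  value = "${data.aws_caller_identity.current.account_id}"
}

output "provider_region" {
  value = "${data.aws_region.current.name}"
}

output "vpc_id" {
  value = "${data.aws_vpc.selected.id}"
}
```

Run `terraform plan` first: if the `aws_vpc` lookup finds nothing, the profile or region in the provider block does not match where the VPC was created, which is the mismatch the second answer describes; if the lookup succeeds but apply still returns InvalidVPCId, the remaining candidate on this page is the permission set of the user or role, which the policy document above covers for the create/associate path.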