
As the domain already existed I imported the zone into my configuration:

resource "aws_route53_zone" "example_hosted_zone" {
  name = "example.club"
}

Route 53 record:

resource "aws_route53_record" "us-battasks" {
  zone_id = aws_route53_zone.example_hosted_zone.zone_id
  name    = "us-battasks"
  type    = "CNAME"
  ttl     = "60"
  records = [aws_lb.restricted_access_lb.id]
}

resource "aws_route53_record" "us-battasksapi" {
  zone_id = aws_route53_zone.example_hosted_zone.zone_id
  name    = "us-battasksapi"
  type    = "CNAME"
  ttl     = "60"
  records = [aws_lb.restricted_access_lb.id]
}

The Terraform plan shows it will create the resources, but when I apply I get the following errors:

Error: [ERR]: Error building changeset: InvalidChangeBatch: [Invalid Resource Record: FATAL problem: DomainLabelTooLong (Domain label is too long) encountered with 'arn:aws:elasticloadbalancing:us-east-1:221124075124:loadbalancer', Unparseable CNAME encountered]
    status code: 400, request id: e43e5ced-957f-4bcd-83d2-1e7eaea7665b

Error: [ERR]: Error building changeset: InvalidChangeBatch: [Invalid Resource Record: FATAL problem: DomainLabelTooLong (Domain label is too long) encountered with 'arn:aws:elasticloadbalancing:us-east-1:221124075124:loadbalancer', Unparseable CNAME encountered]
    status code: 400, request id: 33d3340e-f2f2-4c95-bc96-a9de1349afc4

Here is the Terraform code for the load balancer if it helps:

resource "aws_lb" "restricted_access_lb" {
  name               = "restricted-access-lb"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.swarm_node_sg.id, aws_security_group.monolaunch_instance_sg.id, aws_security_group.restricted_access_sg.id]
  subnets            = [aws_subnet.public_subnet_b.id, aws_subnet.public_subnet_a.id]

  enable_deletion_protection = true
}

2 Answers


The id of the aws_lb resource is the ARN which is why you see the ARN for the load balancer shown in the error when it's trying to create a Route53 record.

Instead you should be using the dns_name attribute, which maps to the address of the load balancer.

resource "aws_route53_record" "us-battasksapi" {
  zone_id = aws_route53_zone.example_hosted_zone.zone_id
  name    = "us-battasksapi"
  type    = "CNAME"
  ttl     = "60"
  records = [aws_lb.restricted_access_lb.dns_name]
}

If, instead, you wanted to use an alias A record to avoid the second DNS lookup (plus issues around apex records in a zone) you would instead use the following:

resource "aws_route53_record" "us-battasksapi" {
  zone_id = aws_route53_zone.example_hosted_zone.zone_id
  name    = "us-battasksapi"
  type    = "A"

  alias {
    name                   = aws_lb.restricted_access_lb.dns_name
    zone_id                = aws_lb.restricted_access_lb.zone_id
    evaluate_target_health = true
  }
}
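An added example, not part of either answer: the two hostnames from the question written as alias A records and driven by one set, so the load-balancer target and its canonical zone ID are stated once instead of once per record. Resource and attribute names are those already used on the page; the local value, the resource name restricted_lb and the output are assumptions.

```hcl
# Added example, not code from the question or the answers. The local
# value, the resource name "restricted_lb" and the output are assumptions;
# the other names come from the page.
locals {
  # Hostnames (relative to example.club) that should resolve to the ALB.
  restricted_lb_hosts = toset(["us-battasks", "us-battasksapi"])
}

resource "aws_route53_record" "restricted_lb" {
  for_each = local.restricted_lb_hosts

  zone_id = aws_route53_zone.example_hosted_zone.zone_id
  name    = each.key
  type    = "A"

  alias {
    # dns_name is the ALB's DNS hostname. The id attribute is the ARN,
    # which contains no dots and so is one label well over the 63-octet
    # limit; that is the DomainLabelTooLong error in the question.
    name = aws_lb.restricted_access_lb.dns_name

    # This zone_id is the load balancer's canonical hosted zone (an
    # aws_lb attribute), not the example.club hosted zone above.
    zone_id = aws_lb.restricted_access_lb.zone_id

    # Only changes answers when Route 53 has another record to choose
    # from (failover, weighted, latency); a lone simple record like this
    # one is returned regardless of target health.
    evaluate_target_health = true
  }
}

# Fully qualified names Route 53 will serve, keyed by the short hostname.
output "restricted_lb_fqdns" {
  value = { for host, rec in aws_route53_record.restricted_lb : host => rec.fqdn }
}
```

Adding a third hostname is then a one-line change to the set, and there is no second place where .id could be pasted instead of .dns_name.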

In your aws_route53_record you are using:

records = [aws_lb.restricted_access_lb.id]

This will try to make a CNAME to the ARN of your load balancer. Instead you should be using

records = [aws_lb.restricted_access_lb.dns_name]

Ideally, it also should be an A alias record, not a CNAME, as shown in the docs.