Enable route53_zone_association
#463
Conversation
|
Together with @sergenyalcin and @ulucinar we decided to defer adding the association resource because:
|
|
I need this resource to implement cross-account vpc associations with a zone - it's not possible without this API as the zone needs to exist for the authorization, but can't exist without the authorization as is |
|
@patrickleet thanks for the feedback, reopening. The PR will need some rebase though. |
|
We are looking for the same feature and it will be very helpful for cross account associations of VPC. |
|
@sergenyalcin could you please review the changes. much needed though. |
|
we need this feature as well |
ytsarev
force-pushed
the
r53-zone-assoc-392
branch
from
7486a88
to
76f620d
Compare
|
/test-examples="examples/route53/zoneassociation.yaml" |
* Addition to crossplane-contrib#456 * Dedicate `ZoneAssociation` for more complex ZoneToVPC associations for a complex cases * According to investigation documented at crossplane-contrib#456 (comment) we will still need inline `vpc` field to instantiate private Zone first * crossplane-contrib#456 should be merged first so we can ehance `ZoneAssociation` example Signed-off-by: Yury Tsarev <[email protected]>
ytsarev
force-pushed
the
r53-zone-assoc-392
branch
from
76f620d
to
febb571
Compare
|
/test-examples="examples/route53/zoneassociation.yaml" |
| forProvider: | ||
| name: example.com | ||
| region: us-west-1 | ||
| vpc: |
There was a problem hiding this comment.
@ytsarev in terraform documentation we can find the following:
Terraform provides both this standalone Zone VPC Association resource and exclusive VPC associations defined in-line in the [aws_route53_zone resource](https://registry.terraform.io/providers/hashicorp/aws/2.54.0/docs/resources/route53_zone) via vpc configuration blocks. At this time, you cannot use those in-line VPC associations in conjunction with this resource and the same zone ID otherwise it will cause a perpetual difference in plan output.
so i think we need for the primary vpc also an ZoneAssociation and in Zone resource we need to skip lateinit for vpc field ?
There was a problem hiding this comment.
@haarchri thanks a lot for highlighting this one.
This is generated example so I left it as it is.
The crafted/tested example below does not use vpc spec in the Zone
https://github.com/upbound/provider-aws/pull/463/files/febb5711405ed06d4826007feffe3d802a940fd5#diff-0241fdef09239ca9bc31c3f588de9c70b3c894cee80a27fbcc1c5e9b3087b6d8R29-R32 , only in the ZoneAssociation
There was a problem hiding this comment.
but i think we need to skip lateinit for vpc field in Zone resource - otherwise the provider will fill it or ?
There was a problem hiding this comment.
Hm, not sure, it was good in my local tests without it. Let's wait for uptest-after-half-an-year-rebase :D
There was a problem hiding this comment.
Ok, I confirm it's tricky :D crafting the example and possible PR extension
Signed-off-by: Yury Tsarev <[email protected]>
|
/test-examples="examples/route53/zoneassociation.yaml" |
To test as close cross-account scenario as possible Signed-off-by: Yury Tsarev <[email protected]>
|
/test-examples="examples/route53/zoneassociation.yaml" |
|
the uptest for @haarchri was also so kind to test this change in his cross-account environment to get the full confidence that the implementation works. |
|
/test-examples="examples/route53/zoneassociation.yaml" |
|
/test-examples="examples/route53/zoneassociation.yaml" |
2 similar comments
|
/test-examples="examples/route53/zoneassociation.yaml" |
|
/test-examples="examples/route53/zoneassociation.yaml" |
Otherwise full cross-account testing of ZoneAssociation will fail with ``` is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/ZXXX because no resource-based policy allows the route53:AssociateVPCWithHostedZone action ``` Signed-off-by: Yury Tsarev <[email protected]>
|
/test-examples="examples/route53/zoneassociation.yaml" |
1 similar comment
|
/test-examples="examples/route53/zoneassociation.yaml" |
|
Finally, all green with full cross-account uptest setup :) @haarchri VPCAssociationAuthorization is the key for cross-account setup, without it ZoneAssociation fails with Please double check on you side :) |
|
we tested in our environment with multiple accounts - its working |
|
Thanks a ton for the feedback! Merging :) |
|
@haarchri @sergenyalcin @ytsarev Thanks for getting this through. It will be much helpful for us. |
|
How long does it take to get reflected in the upbound marketplace docs ? |
|
The next round of provider releases is due on 29 June. |
|
Hi , I am trying to use cross accounts zoneassociation and it goes in loop creating and deleting association Error Reported something like this |
Description of your changes
vpcselector for Route53 Zone #456ZoneAssociationfor more complex ZoneToVPC associations for a complex casesvpcselector for Route53 Zone #456 (comment) we will still need inlinevpcfield to instantiate private Zone firstvpcselector for Route53 Zone #456 should be merged first so we can ehanceZoneAssociationexampleSigned-off-by: Yury Tsarev [email protected]
I have:
make reviewable testto ensure this PR is ready for review.How has this code been tested
Locally e2e, and full cross-account uptest run, see #463 (comment)