Support route53resolver #6525

Closed
CliffHoogervorst opened this issue Nov 20, 2018 · 22 comments
Labels
new-resource Introduces a new resource. service/route53resolver Issues and PRs that pertain to the route53resolver service.
@CliffHoogervorst

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Support for route53resolver https://aws.amazon.com/blogs/aws/new-amazon-route-53-resolver-for-hybrid-clouds/

New or Affected Resource(s)

  • aws_route53resolver

Potential Terraform Configuration

References

https://aws.amazon.com/blogs/aws/new-amazon-route-53-resolver-for-hybrid-clouds/

  • #0000
@ewbankkit
Contributor

ewbankkit commented Nov 20, 2018

It looks like there will potentially be a number of new resources/data sources for Route53 Resolver:

It would probably be best to have separate issues and PRs for sets of related new resources and maybe use this issue to create the scaffolding needed when any new AWS service is introduced (e.g. additions to config.go and provider.go).

@ewbankkit
Contributor

It looks like the AWS SDK support was added in v1.15.77 - #6484.

@bflad bflad added service/route53resolver Issues and PRs that pertain to the route53resolver service. new-resource Introduces a new resource. labels Nov 21, 2018
@gazoakley
Contributor

@ewbankkit: Are you planning to work on this? I need aws_route53_resolver_rule to be able to write tests for aws_ram_resource_share (already WIP in #6528). I'm happy to put that together.

@ewbankkit
Contributor

@gazoakley Yes, I can get this PRed today. I'll do the minimal changes that will be needed to get the initial set of resources in; probably just additions to config.go and adding tagsRoute53Resolver.go for shared tagging code.
I'll pull over the commit from your aws-sdk-go PR and ping you when my PR is created so you can pull the commits.
I should be able to get the resolver endpoint resource(s) done under a separate issue/PR.
Many thanks.

@ewbankkit
Contributor

@gazoakley Relevant PR is #6554.

@gazoakley
Contributor

@ewbankkit: Thanks - I've pulled your change in. Seems like turtles all the way down though, since writing tests that fully exercise aws_route53_resolver_rule is going to need resolver endpoints 😄. I'll push my changes for that as WIP, and pull your changes for resolver endpoints when ready.

@ewbankkit
Contributor

@gazoakley The Route 53 Resolver endpoint PR is #6574. Right now there's a limitation on supporting only one ip_address per subnet (which is probably what you'd want anyway). It's still a WIP until we get some resolution on that limitation.

@so0k

so0k commented Dec 3, 2018

I'm using this as I need it for a project, and I find the way to use it intuitive. Any ETA on having this merged to master? Any help needed?

resource "aws_security_group" "resolver_isp_public_util" {
  name        = "${module.isp_resolver_label.id}"
  description = "Allow ISP mLink DNS inbound traffic"
  vpc_id      = "${data.terraform_remote_state.shared.production_vpc_id}"

  ingress {
    from_port   = 53
    to_port     = 53
    protocol    = "UDP"
    cidr_blocks = ["${var.mlink_cidr}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = "${module.isp_resolver_label.tags}"
}

resource "aws_route53_resolver_endpoint" "isp_public_util" {
  name      = "${module.isp_resolver_label.id}"
  direction = "INBOUND"

  security_group_ids = [
    "${aws_security_group.resolver_isp_public_util.id}",
  ]

  ip_address {
    subnet_id = "${module.public_subnets_shared.subnet_map["ap-southeast-1a"]}"
    ip        = "${cidrhost(local.public_subnets_shared_zone_cidrs["ap-southeast-1a"], -3)}"
  }
  ip_address {
    subnet_id = "${module.public_subnets_shared.subnet_map["ap-southeast-1b"]}"
    ip        = "${cidrhost(local.public_subnets_shared_zone_cidrs["ap-southeast-1b"], -3)}"
  }
  tags = "${module.isp_resolver_label.tags}"
}

@ewbankkit
Contributor

@so0k I just need to get the time to complete the implementation; should be able to do that today.

@so0k

so0k commented Dec 4, 2018

Great :)

@patryk-dev

@ewbankkit - any update about this PR? Maybe some help is needed?

@ewbankkit
Contributor

@patryk-dev See my comments here.

@rbadillo

rbadillo commented Jan 3, 2019

Any updates on when this will be available?

@jdn-za

jdn-za commented Feb 11, 2019

Anything I can do to help this along?

@ghost

ghost commented Feb 25, 2019

Would be glad to hear about updates here! We are currently in need of this functionality...

@bflad
Contributor

bflad commented Feb 25, 2019

This will start its full review process after we release version 2.0.0 and a subsequent release with Terraform 0.12 support (potentially version 2.1.0).

@aggallim

Does that mean it won't be supported in tf 11 and v1.x of the provider? Or just that V12 is keeping you from working on this?

Thanks for the clarification.

@dalvarezquiroga

Hi,

With provider.aws: version = "~> 2.1" it fails with the message:
Resolver endpoint need to have at least 2 IP addresses.
But I have 3 subnets and I want to put 3 IPs.
Do you have the same problem? Thank you.

resource "aws_route53_resolver_endpoint" "inbound_resolver" {
  name      = "Inbound Resolver"
  direction = "INBOUND"

  security_group_ids = [
    "${aws_security_group.route53_resolver_dns.id}",
  ]

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1a.id}"
    ip        = "${var.IP_SUBNET_A}"
  }

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1b.id}"
    ip        = "${var.IP_SUBNET_B}"
  }

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1c.id}"
    ip        = "${var.IP_SUBNET_C}"
  }

  tags {
    Name        = "Inbound Resolver"
    Deployed    = "Terraform"
    Environment = "${var.ENVIRONMENT}"
  }
}

@nywilken
Contributor

The aws_route53_resolver_rule and aws_route53_resolver_rule_association resources have been merged and will release with version 2.2.0 of the Terraform AWS Provider, likely later today.

@nywilken
Contributor

@dalvarezquiroga thanks for reporting the issue and I'm sorry you are running into trouble. I created a new issue #7942 to track your last comment. Please feel free to update that issue with any relevant information about Terraform or configuration details.

In the meantime, @CliffHoogervorst @ewbankkit I am going to close this issue now that the resolver resources have been merged. Please feel free to reach out if you would like for me to keep it open for further tracking.

@bflad bflad added this to the v2.2.0 milestone Mar 15, 2019
@bflad
Contributor

bflad commented Mar 15, 2019

This has been released in version 2.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020