cloudfront distribution should export route53 zone_id

[ryanking]

Terraform Version

$ tf version
Terraform v0.6.15

Affected Resource(s)

Please list the resources as a list, for example:

• cloudfront_distribution

Feature request

In order to create a route53 alias you need the zone id. So to create an alias to a cloudfront distribution, we need to have the cloudfront_distribution return its zone id.

[vancluever]

Hey @ryanking, there was a conscious decision to leave this out of the resource, as it is a hardcoded value that is not exposed through the CloudFront API. See #5221 (comment) for the original discussion.

The zone ID is actually global for all CloudFront distributions - Z2FDTNDATAQYW2 - which is documented here.

I'm torn on this - I'm kind of weary of exposing arbitrary constants that are not exposed through the API, but also, at the same time, there seems to be a bit of an expectation that it will be there, from what I've seen from a couple of people here and on IRC, so maybe it's a good idea to have it in as a quality of life feature. I did something similar in cloudfront_origin_access_identity as well.

[radeksimko]

To be fair we do this already for S3 buckets: https://github.com/hashicorp/terraform/blob/master/builtin/providers/aws/resource_aws_s3_bucket.go#L674

I think it's still better to have this hardcoded once in Terraform rather than sprinkled all over user's Terraform configs.

Also we should allow users to build the dependency chain where DNS records will only be created once the CF distribution is created - not simultaneously (which is the case when user hard-codes this IMO).

[apparentlymart]

I would second @radeksimko's opinion here. Having this exposed is expected and intuitive in spite of the fact that we'd be working around a limitation in the native AWS API.

One of the big benefits Terraform provides, in my opinion, is making explicit what would normally be implicit: the relationships between different things are evident to those reading the Terraform configuration, even if they are not 100% familiar with the resource types being described... the reader doesn't have to chase down implicit relationships by noticing that an IP address over here matches with one over there, or whatever.

Just a few days ago one of my co-workers commented on a code review request I'd written asking why I'd hard-coded the zone_id one one alias (for a CloudFront distribution) and not another (for an ELB). He was pretty new to the idea of Route53 aliases anyway, and this was the first time he'd seen a Cloudfront distribution in a Terraform config. I'm pretty sure that the purpose would have been readily apparent and not worthy of question if this had been written in my config:

resource "aws_route53_record" "foo" {
    # ...

    alias {
        name = "${aws_cloudfront_distribution.foo.domain_name}"
        zone_id = "${aws_cloudfront_distribution.foo.zone_id}"
    }
}
resource "aws_route53_record" "origin" {
    # ...

    alias {
        name = "${aws_elb.foo.dns_name}"
        zone_id = "${aws_elb.foo.zone_id}"
    }
}

@radeksimko note that in this case the dependency was already created by referring to aws_cloudfront_distribution.foo.domain_name, so this extra edge is not technically necessary for Terraform but I'd argue that it's much more helpful to humans studying the config to see where this value is coming from and thus infer what it means. It's also easier to review: I can look at the above and believe that it's correct without having to look up an opaque value and confirm that it is what I think it is.

[radeksimko]

so this extra edge is not technically necessary

True, I forgot about that dependency, you're right.

But it's still better to be explicit, as you mentioned.

[ryanking]

Thanks @vancluever for the pointer. I was unable to find that.

At the very least this warrants a docs update. I know terraform pretty well and was unable to figure this out on my own.

On the other hand, exporting the zone, even if hardcoded would make life simpler.

[vancluever]

Hey Guys,

Yeah, it definitely seems like there is a consensus here. The main thing that made me start thinking about this a bit more myself was when someone mentioned the dependency issue on IRC, ie: having the zone ID as an attribute allows a better natural dependency chain between a CloudFront distribution and its Route 53 records.

I can put in a PR soon, if there isn't one already.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.