providers/aws: resource aws_route53_zone_association

[pmoust]

wip adding aws_route53_zone_association as

resource "aws_route53_zone_association" "foobar" {
    vpc_id  = "foo"
    zone_id = "bar"
    region  = "us-west-2"
}

[pmoust]

this is a rough sketch.
Acceptance tests for said resource fail, with

2015/05/06 19:02:33 [DEBUG] apply: aws_route53_zone_association.main: executing Apply
2015/05/06 19:02:33 [DEBUG] Associating Route53 Private Zone Z30XALNXG6G1O6 with VPC vpc-908707f5
2015/05/06 19:02:34 [DEBUG] root: eval: *terraform.EvalWriteState
2015/05/06 19:02:34 [DEBUG] root: eval: *terraform.EvalApplyProvisioners
2015/05/06 19:02:34 [DEBUG] root: eval: *terraform.EvalIf
2015/05/06 19:02:34 [DEBUG] root: eval: *terraform.EvalWriteDiff
2015/05/06 19:02:34 [DEBUG] root: eval: *terraform.EvalIf
2015/05/06 19:02:34 [DEBUG] root: eval: *terraform.EvalWriteState
2015/05/06 19:02:34 [DEBUG] root: eval: *terraform.EvalApplyPost
2015/05/06 19:02:34 [ERROR] root: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:

* PublicZoneVPCAssociation: Attempting to associate public zone: 5000302711 with vpc: vpc-908707f5
2015/05/06 19:02:34 [ERROR] root: eval: *terraform.EvalSequence, err: 1 error(s) occurred:

[kendawg2]

@pmoust @catsby This may be AWS related. Not sure about the API, but if a zone is created outside of a VPC, it is made a public zone. It cannot (from the console) be made private or associated with a VPC after it is made public. In a previous PR related to this same functionality, the VPC was assigned when the zone was created and it automatically made it private vs public. By creating the zone, then associating it to a VPC, I fear that may be an illegal action (taking from public when it is created to private by associating it to a VPC). I may be wrong, but this is not possible from the console.

[kendawg2]

@pmoust @catsby I have been able to confirm that the zone you are attempting to associate must already exist as a private zone before you can associate it with a VPC which means it must be associated with a VPC at the time of it's creation. So, either you will have to add VPC.id and region to the zone when it is created in the fist place (essentially eliminating the need for zone association within the terraform file that created the zone). Or you will need to to make sure this is called first and if the zone doesn't exist, then create it with this VPC and region associated with it. #1159 provided this functionality. Once the zone is created and already associated with some VPC, then this would be applicable as far as I can tell. Even if you do associate it with another VPC first, it must be in the same region in order for this to work.

[pmoust]

And this might explain the acc test failure. Need to add the private zone definition on parent resource as well, as you mentioned!

[kendawg2]

There is relevance to #1526 on this.

[pmoust]

@kendawg2 I cherry picked the #1526 changes in it.

[pmoust]

@catsby please take a look at the acceptance test panicking.

Also we could just remove the aws_route53_zone_association and make the vpc_id a list of strings if we feel adding an extra resource is counter-intuitive against AWS Route53 API

@kendawg2 / @johnrengelman thoughts?

[kendawg2]

@pmoust I think having a zone association resource is OK for use when a Zone already exists. So this is kind of a two part process. When the zone is created, it needs to be associated with a VPC. If it is created in a plan that also creates the same VPC, then an association isn't needed. However, if a subsequent plan needs to use the same zone file, it would use an association resource rather than create the zone. Or, if you are creating multiple VPC's in the same plan that all need the same zone file, then an association resource would be needed. I would start with the basic create a private zone associated with a single VPC. Let's get that working and then add the association separately. I think the basic private zone associated with only one VPC covers the 99% case, but the other is important as well.

[johnrengelman]

I've pulled these changes into my PR and am working out some bugs. Having some problems with testing cross-region stuff. Should have this finished tonight/tomorrow.

[johnrengelman]

@pmoust - I've merged these changes into my branch for #1526 and got the acceptance tests passing.

[pmoust]

Closing in favor of #1526

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.