diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 6d14594..02eedd8 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -2,6 +2,11 @@ provider "aws" {
region = "eu-west-1"
}
+provider "aws" {
+ alias = "second_account"
+ region = "us-east-1"
+}
+
locals {
zone_name = sort(keys(module.zones.route53_zone_zone_id))[0]
# zone_id = module.zones.route53_zone_zone_id["terraform-aws-modules-example.com"]
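Review bot: The `second_account` provider added on lines 8-11 differs from the default provider only by region, so unless distinct credentials are supplied outside this file (environment variables, a profile) it authenticates as the same principal and the example exercises a cross-region rather than a cross-account association. The block should make the intent visible, e.g. a commented-out `assume_role { role_arn = "arn:aws:iam::<second-account-id>:role/<role>" }` with the note `# credentials for the VPC-owning account go here; the default provider must keep owning the hosted zones`. Without that, a reader copying the example gets an authorization and association created in one account, which is not the scenario the new module is meant to document. The `locals` block at the end of the hunk continues outside it.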
@@ -10,6 +15,10 @@ locals {
azs = slice(data.aws_availability_zones.available.names, 0, 3)
}
+data "aws_region" "second_account_current" {
+ provider = aws.second_account
+}
+
module "zones" {
source = "../../modules/zones"
@@ -45,6 +54,21 @@ module "zones" {
Name = "private-vpc.terraform-aws-modules-example.com"
}
}
+
+ "private-vpc.terraform-aws-modules-example2.com" = {
+ # in case than private and public zones with the same domain name
+ domain_name = "terraform-aws-modules-example2.com"
+ comment = "private-vpc.terraform-aws-modules-example2.com"
+ vpc = [
+ {
+ vpc_id = module.vpc1.vpc_id
+ },
+ ]
+ tags = {
+ Name = "private-vpc.terraform-aws-modules-example2.com"
+ }
+ }
+
}
tags = {
@@ -276,6 +300,28 @@ module "delegation_sets" {
}
}
+
+module "zone_cross_account_vpc_association" {
+ source = "../../modules/zone-cross-account-vpc-association"
+ providers = {
+ aws.r53_owner = aws
+ aws.vpc_owner = aws.second_account
+ }
+
+ zone_vpc_associations = {
+ example = {
+ zone_id = module.zones.route53_zone_zone_id["private-vpc.terraform-aws-modules-example.com"]
+ vpc_id = module.vpc_otheraccount.vpc_id
+ },
+ example2 = {
+ zone_id = module.zones.route53_zone_zone_id["private-vpc.terraform-aws-modules-example2.com"]
+ vpc_id = module.vpc_otheraccount.vpc_id
+ vpc_region = data.aws_region.second_account_current.name
+ },
+ }
+}
+
+
module "resolver_rule_associations" {
source = "../../modules/resolver-rule-associations"
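Review bot: The `example` entry on lines 58-61 omits `vpc_region` although the VPC it references is created under `aws.second_account` (us-east-1) while `aws.r53_owner` is the default provider in eu-west-1; the provider documents `vpc_region` on `aws_route53_vpc_association_authorization` as defaulting to the provider's own region, so the authorization would name eu-west-1 for a VPC that lives in us-east-1, and the module then feeds that computed value into the association. Adding `vpc_region = data.aws_region.second_account_current.name` to `example`, as `example2` already does on line 65, avoids the mismatch; alternatively the module could default the region from its `aws.vpc_owner` provider. If the omission is deliberate to show the default, a comment saying the default is only safe when both providers share a region would prevent the same mistake in copied configurations. The `resolver_rule_associations` module block at the end of the hunk continues outside it.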
@@ -324,6 +370,12 @@ module "disabled_records" {
create = false
}
+module "disabled_zone_cross_account_vpc_association" {
+ source = "../../modules/zone-cross-account-vpc-association"
+
+ create = false
+}
+
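Review bot: The `disabled_zone_cross_account_vpc_association` block on lines 76-80 passes no `providers` map, yet the module declares `configuration_aliases` for `aws.r53_owner` and `aws.vpc_owner` (versions.tf in this same diff); Terraform rejects a module call that does not supply a declared alias with a "Missing required provider configuration" error regardless of `create = false`, so this disabled example is likely to fail `terraform validate`. Add `providers = { aws.r53_owner = aws, aws.vpc_owner = aws.second_account }` to the block, mirroring the live example above it.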
#########
# Extras - should be created in advance
#########
@@ -392,6 +444,15 @@ module "vpc2" {
cidr = "10.1.0.0/16"
}
+module "vpc_otheraccount" {
+ source = "terraform-aws-modules/vpc/aws"
+ provider = aws.second_account
+ version = "~> 5.0"
+
+ name = "my-second-account-vpc-for-private-route53-zone"
+ cidr = "172.16.0.0/12"
+}
+
resource "aws_route53_resolver_rule" "sys" {
domain_name = "sys-example.com"
rule_type = "SYSTEM"
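Review bot: Line 90 uses `provider = aws.second_account` inside a `module` block, but `provider` is a resource meta-argument; for modules the meta-argument is `providers`, and the vpc module declares no input called `provider`, so this should read `providers = { aws = aws.second_account }` or Terraform reports an unsupported argument. Separately, `cidr = "172.16.0.0/12"` on line 94 is the entire RFC 1918 172.16/12 range; AWS accepts VPC CIDR blocks only between /16 and /28, so `cidr = "172.16.0.0/16"` is the largest block the module can actually create. As written the VPC that the cross-account associations depend on is never created in the second account. The `aws_route53_resolver_rule` resource at the end of the hunk continues outside it.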
diff --git a/modules/zone-cross-account-vpc-association/README.md b/modules/zone-cross-account-vpc-association/README.md
new file mode 100644
index 0000000..12380ba
--- /dev/null
+++ b/modules/zone-cross-account-vpc-association/README.md
@@ -0,0 +1,76 @@
+# Route53 Zone cross-account VPC association
+
+This module creates cross-account Route53 Zone associations.
+
+It does need two providers to be passed to handle both AWS accounts:
+- `aws.r53_owner`: Account owning the Route53 zones to make the cross-account association authorization
+- `aws.vpc_owner`: Account owning the VPCs to associate with the Route53 zones
+
+Many-to-many associations are possible, using the zone_vpc_associations input variable.
+
+## Usage
+
+### Create Route53 Zone cross-account VPC association
+
+```hcl
+module "zone_cross_account_vpc_association" {
+ source = "terraform-aws-modules/route53/aws//modules/zone-cross-account-vpc-association"
+ version = "~> 3.2"
+ providers = {
+ aws.r53_owner = aws
+ aws.vpc_owner = aws.second_account
+ }
+
+ zone_vpc_associations = {
+ example = {
+ zone_id = "Z111111QQQQQQQ"
+ vpc_id = "vpc-185a3e2f2d6d2c863"
+ },
+ example2 = {
+ zone_id = "Z222222VVVVVVV"
+ vpc_id = "vpc-123456789abcd1234"
+ vpc_region = "us-east-2"
+ },
+ }
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.3.2 |
+| [aws](#requirement\_aws) | >= 3.56 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.56 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_route53_vpc_association_authorization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_zone_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [create](#input\_create) | Whether to create Route53 Resolver rule associations | `bool` | `true` | no |
+| [input\_zone\_vpc\_associations](#zone\_vpc\_association) | Map of associations indicating zone_id and vpc_id to associate. | `map(object)` | `{}` | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [route53\_vpc\_association\_authorization\_id](#output\_route53\_vpc\_association\_authorization\_id) | Unique ID of Route53 VPC association authorizations |
+| [route53\_zone\_association\_id](#output\_route53\_zone\_association\_id) | Unique ID of Route53 zone association |
+
diff --git a/modules/zone-cross-account-vpc-association/main.tf b/modules/zone-cross-account-vpc-association/main.tf
new file mode 100644
index 0000000..9f8b160
--- /dev/null
+++ b/modules/zone-cross-account-vpc-association/main.tf
@@ -0,0 +1,15 @@
+resource "aws_route53_vpc_association_authorization" "this" {
+ provider = aws.r53_owner
+ for_each = { for k, v in var.zone_vpc_associations : k => v if var.create }
+ zone_id = each.value.zone_id
+ vpc_id = each.value.vpc_id
+ vpc_region = try(each.value.vpc_region, null)
+}
+
+resource "aws_route53_zone_association" "this" {
+ provider = aws.vpc_owner
+ for_each = aws_route53_vpc_association_authorization.this
+ vpc_id = each.value.vpc_id
+ zone_id = each.value.zone_id
+ vpc_region = try(each.value.vpc_region, null)
+}
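Review bot: When `vpc_region` is omitted, the authorization on lines 188-194 is created through `aws.r53_owner`, and the provider documents that argument as defaulting to the provider's region, so the authorization names the zone owner's region rather than the region the VPC (and the `aws.vpc_owner` provider) is in; since line 201 then passes the authorization's computed `vpc_region` into the association, a region mismatch between the two providers breaks every association that relies on the default. Resolving the default from the VPC owner's side is more robust: add `data "aws_region" "vpc_owner" { provider = aws.vpc_owner }` and use `vpc_region = coalesce(each.value.vpc_region, data.aws_region.vpc_owner.name)` on line 193. With `vpc_region = optional(string)` declared in variables.tf the `try()` wrappers on lines 193 and 201 are redundant and can become plain attribute reads. A header comment along the lines of `# Authorization is created in the zone-owning account first; the association is then created from the VPC-owning account and depends on it via for_each` would document the ordering that the `for_each` on line 198 enforces, and the README should state that the authorization stays in place for the lifetime of the resource, since AWS guidance suggests removing it once the association exists and this module cannot express that.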
diff --git a/modules/zone-cross-account-vpc-association/outputs.tf b/modules/zone-cross-account-vpc-association/outputs.tf
new file mode 100644
index 0000000..1871993
--- /dev/null
+++ b/modules/zone-cross-account-vpc-association/outputs.tf
@@ -0,0 +1,14 @@
+output "aws_route53_vpc_association_authorization_id" {
+ description = "ID of Route53 VPC association authorizations"
+ value = { for k, v in aws_route53_vpc_association_authorization.this : k => v.id }
+}
+
+output "aws_route53_zone_association_id" {
+ description = "ID of Route53 VPC association"
+ value = { for k, v in aws_route53_zone_association.this : k => v.id }
+}
+
+output "aws_route53_zone_association_owning_account" {
+ description = "The account ID of the account that created the hosted zone."
+ value = { for k, v in aws_route53_zone_association.this : k => v.owning_account }
+}
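Review bot: The output names on lines 209, 214 and 219 carry an `aws_` prefix (`aws_route53_vpc_association_authorization_id`, `aws_route53_zone_association_id`, `aws_route53_zone_association_owning_account`), while the README in this same diff documents them as `route53_vpc_association_authorization_id` and `route53_zone_association_id`, and the repository's existing outputs such as `route53_zone_zone_id` omit the prefix; one side has to change, and dropping the prefix matches both the README and the convention. Rename to `output "route53_vpc_association_authorization_id"`, `output "route53_zone_association_id"` and `output "route53_zone_association_owning_account"`, and add the third to the README's Outputs table, where it is missing. The description on line 215 reads "ID of Route53 VPC association" but the value comes from `aws_route53_zone_association`, so `"ID of Route53 zone association"` would be the accurate wording.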
diff --git a/modules/zone-cross-account-vpc-association/variables.tf b/modules/zone-cross-account-vpc-association/variables.tf
new file mode 100644
index 0000000..a6228ed
--- /dev/null
+++ b/modules/zone-cross-account-vpc-association/variables.tf
@@ -0,0 +1,15 @@
+variable "create" {
+ description = "Whether to create Route53 Zone associations"
+ type = bool
+ default = true
+}
+
+variable "zone_vpc_associations" {
+ description = "Map of associations indicating zone_id and vpc_id to associate."
+ type = map(object({
+ zone_id = string
+ vpc_id = string
+ vpc_region = optional(string)
+ }))
+ default = {}
+}
diff --git a/modules/zone-cross-account-vpc-association/versions.tf b/modules/zone-cross-account-vpc-association/versions.tf
new file mode 100644
index 0000000..1437fc9
--- /dev/null
+++ b/modules/zone-cross-account-vpc-association/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_version = ">= 1.3.2"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.56"
+ configuration_aliases = [ aws.r53_owner, aws.vpc_owner ]
+ }
+ }
+}