Route53 Private Hosted Zone VPC Association Authorizations

[liam-reilly]

In order to associate a Source Accounts VPC with a Private Hosted Zone in a separate Target Account you need to first create a VPC Association Authorization. Then once this is in place you can go ahead and create the VPC Association.

In Terraform this is simple. The two blocks of code are almost identical.

ASSOCIATION: (deployed to the Source Account)

resource "aws_route53_zone_association" "source_acc_private_hosted_zone_association" {
  vpc_id  = "SOURCE_ACC_VPC_ID"
  zone_id = "TARGET_ACC_PHZ_ID"
}

AUTHORIZATION:(deployed to the Target Account)

resource "aws_route53_vpc_association_authorization" "target_acc_private_hosted_zone_association_authorization" {
  vpc_id  = "SOURCE_ACC_VPC_ID"
  zone_id = "TARGET_ACC_PHZ_ID"
}

I'm trying to do the same thing using CDK but if I'm understanding this correctly it looks like I can ASSOCIATE a VPC with a HostedZone using the addVpc() method. (Although I'm not certain this will work across accounts?) but I do not see any method in either the Route53 or Vpc API's for creating the Authorizations.

The AWS docs seem only to recommend using the CLI commands create-vpc-association-authorization and delete-vpc-association-authorization.

Am I missing something obvious or does this really not exist in CDK?

Do I have no choice but to create a Custom Construct/Resource to create and delete these Authorizations or simply use the CLI?

[liam-reilly]

I found an alternative way to do this using a mixture of CDK and the SDK. Seems OK if there is no direct way to do this in CDK?

export class PrivateHostedZoneVpcAssociationAuthorizationStack extends Stack {
    constructor(scope: Construct, id: string, props: PrivateHostedZoneVpcAssociationAuthorizationStackProps) {
        super(scope, id, props);

        const { domain, env, vpcId } = props

        const targetPHZ = HostedZone.fromLookup(this, "private-hosted-zone", {
            domainName: domain,
            privateZone: true
        })

        const params = {
            HostedZoneId:targetPHZ.hostedZoneId,
            VPC: {
                VPCId: vpcId,
                VPCRegion: env?.region
            }
        };

        // Drop to SDK to create the VPC Association Authorization
        // because CDK seems to have no direct way of creating these
        new Route53().createVPCAssociationAuthorization(params, (err, data) => {
            if (err) {
                new CfnOutput(this, "route53PhzVpcAssocAuthResult", {
                    description: "The result of a Route53 Private Hosted Zone VPC Association Authorization.",
                    exportName: "ERROR",
                    value: JSON.stringify(err) || "Nothing here...Investigate as this shouldn't happen!"
                })
            }
            new CfnOutput(this, "route53PhzVpcAssocAuthResult", {
                description: "The result of a Route53 Private Hosted Zone VPC Association Authorization.",
                exportName: "SUCCESS",
                value: JSON.stringify(data) || "Created"
            })
        })
    }
}

[gregory-dan]

I'm facing the same issue, I wonder if you found a pure CDK solution?

[liam-reilly]

Unfortunately not.