
aws_route53_vpc_association_authorization - is this working as intended? #18176

Closed
kennyche opened this issue Mar 18, 2021 · 3 comments
Labels
question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/ec2 Issues and PRs that pertain to the ec2 service. service/route53 Issues and PRs that pertain to the route53 service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@kennyche

kennyche commented Mar 18, 2021

Terraform version:
terraform_0.13.0
terraform_0.12.1

Issue: Following the documentation example works fine. However, I think this moves away from the actual real-world example of a cross-account VPC that has not been created by the Terraform plan initiating the authorization. If you try to associate a VPC created outside the authorizing account, I still get a 401 saying that the authorizing account does not have rights to associate the VPC from the other AWS account to the authorizing account's private zone, even though the authorization resource has been created.


aws_route53_vpc_association_authorization.primary: Creating...
aws_route53_vpc_association_authorization.primary: Creation complete after 2s [id=ZXYZREDACTED:vpc-001THATACCOUNT]
aws_route53_zone_association.primary: Creating...
Error: error associating Route 53 Hosted Zone (ZXYZREDACTED) to EC2 VPC (vpc-001THATACCOUNT): NotAuthorizedException: User: arn:aws:iam::THISACCOUNT is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:ec2:eu-west-2:THISACCOUNT:vpc/vpc-001THATACCOUNT
        status code: 401, request id: xxx

#14215
#12362

I'm guessing the issue is here... arn:aws:ec2:eu-west-2:THISACCOUNT:vpc/vpc-001THATACCOUNT

The only difference from the example in the documentation is that the second account's VPC is not created in the same tf plan.

# Default provider: the account that owns the private hosted zone (THISACCOUNT).
provider "aws" {
}

# Aliased provider intended for the account that owns the other VPC (THATACCOUNT).
provider "aws" {
  alias = "alternate"
}

# Local VPC used to create the private zone.
resource "aws_vpc" "example" {
  cidr_block           = "10.6.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
}

# Private hosted zone in the authorizing account, attached to the local VPC.
resource "aws_route53_zone" "example" {
  name = "example.com"

  vpc {
    vpc_id = aws_vpc.example.id
  }
}

# Zone owner authorizes a VPC from the other account; the VPC id comes from a
# terraform_remote_state data source defined outside this snippet.
resource "aws_route53_vpc_association_authorization" "example" {
  vpc_id  = data.terraform_remote_state.THATACCOUNT.outputs.vpc_id
  zone_id = aws_route53_zone.example.id
}

# The association is meant to run under the VPC-owning account's provider.
# Terraform 0.12+ expects the provider reference unquoted.
resource "aws_route53_zone_association" "example" {
  provider = aws.alternate

  vpc_id  = aws_route53_vpc_association_authorization.example.vpc_id
  zone_id = aws_route53_vpc_association_authorization.example.zone_id
}
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 18, 2021
@ghost ghost added service/ec2 Issues and PRs that pertain to the ec2 service. service/route53 Issues and PRs that pertain to the route53 service. labels Mar 18, 2021
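An added example that is not from the issue or the provider's own documentation: an aliased provider with no credentials of its own is the same principal as the default provider, which is consistent with the error above (the call is made as THISACCOUNT and the VPC ARN is resolved in THISACCOUNT); the corrected layout has the alias assume a role in the VPC-owning account so the association is requested by that account. Account ids, the role name, zone name and VPC ids are placeholders.

```hcl
# Added example, not from the issue. Zone owner = THISACCOUNT, VPC owner = THATACCOUNT.

# Default provider: credentials of the zone-owning account (THISACCOUNT).
provider "aws" {
  region = "eu-west-2"
}

# WEAK: an alias with no credentials of its own is the same principal as the
# default provider, so AssociateVPCWithHostedZone is still called by THISACCOUNT
# and the VPC is looked up as arn:aws:ec2:eu-west-2:THISACCOUNT:vpc/<id>.
# provider "aws" {
#   alias = "alternate"
# }

# CORRECTED: the alias assumes a role in the VPC-owning account, so the
# association is requested by THATACCOUNT, which is what the authorization permits.
# The role (placeholder name) needs route53:AssociateVPCWithHostedZone on the zone
# and ec2:DescribeVpcs in THATACCOUNT.
provider "aws" {
  alias  = "vpc_owner"
  region = "eu-west-2"
  assume_role {
    role_arn = "arn:aws:iam::THATACCOUNT:role/Route53VpcAssociation" # placeholder
  }
}

# Private zone in THISACCOUNT. ignore_changes keeps Terraform from trying to
# remove associations that aws_route53_zone_association manages.
resource "aws_route53_zone" "example" {
  name = "example.com"
  vpc {
    vpc_id = "vpc-001THISACCOUNT" # placeholder local VPC
  }
  lifecycle {
    ignore_changes = [vpc]
  }
}

# Zone owner records which foreign VPC is allowed to attach.
resource "aws_route53_vpc_association_authorization" "example" {
  zone_id = aws_route53_zone.example.id
  vpc_id  = "vpc-001THATACCOUNT" # placeholder VPC id from the other account
}

# The association itself is performed by the VPC-owning principal; referencing the
# authorization's attributes orders it after the authorization exists.
resource "aws_route53_zone_association" "example" {
  provider = aws.vpc_owner
  zone_id  = aws_route53_vpc_association_authorization.example.zone_id
  vpc_id   = aws_route53_vpc_association_authorization.example.vpc_id
}
```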
@lindu-dd

Any update on this? I'm encountering the same issue.

@breathingdust breathingdust added question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 8, 2021

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Dec 17, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jan 17, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 17, 2024