# aws
b
Hi all... I have a problem setting up an `aws:servicediscovery:PrivateDnsNamespace` in a different account from the one where the VPC was created:

1. pulumi stack `proj1/dev` deployed on account A
   a. I created the VPC and subnets in account A by deploying the pulumi stack `project1/dev`
   b. the subnets are shared using `aws:ram:ResourceShare` and `aws:ram:ResourceAssociation` with account B
   c. the subnet and VPC IDs are exported as outputs
2. pulumi stack `proj2/dev` deployed on account B
   a. load the subnet IDs and VPC ID from the other project output
   b. declare an `aws.servicediscovery.PrivateDnsNamespace` and pass the VPC ID

```python
test_sd = aws.servicediscovery.PrivateDnsNamespace("service-disc", vpc=vpc_exp_id, name="testme")
```
I'm getting this error:

```
aws:servicediscovery:PrivateDnsNamespace (service-disc):
    error: 1 error occurred:
        * waiting for Service Discovery Private DNS Namespace (testme) create: unexpected state 'FAIL', wanted target 'SUCCESS'. last error: CANNOT_CREATE_HOSTED_ZONE: The VPC: vpc-exampleddd2c4efed in region us-east-2 that you provided is not authorized to make the association. (Service: AmazonRoute53; Status Code: 400; Error Code: InvalidVPCId; Request ID: example-019e-45ff-958a-example; Proxy: null)
```
It seems like, in order to allow a VPC to make the correct request to Route 53, it needs to be authorised, but I can't do that as the VPC is defined in a separate stack... any idea how to resolve this issue?
l
Make the association in the correct account. There is no requirement to use only one account in a particular stack. Create a provider for the correct account, and use it when creating the private namespace, and any other resources that need to be in that account.
b
Hi @little-cartoon-10569, thanks so much for the response... ok, that makes a lot of sense... however, how would I create an association to the correct account with this resource? The association is not created explicitly, but as part of the `PrivateDnsNamespace` resource:

```python
test_sd = aws.servicediscovery.PrivateDnsNamespace(
    "service-disc",
    vpc=vpc_exp_id,
    name="testme")
```

Is there a way to specify how to create the association?
l
It's not a "how", more of a "where". You need to pass an explicit provider to the opts parameter. Read more here (click on your preferred language): https://www.pulumi.com/docs/concepts/options/provider/
b
@little-cartoon-10569 thanks for the responses... I did get that, but my problem is that the hosted zone is created by the `PrivateDnsNamespace` resource itself and associated to the VPC in the other account. Here's a workaround other people with a similar problem have come up with: https://github.com/aws/aws-app-mesh-examples/issues/432#issuecomment-1431242660 The workaround, although not perfect, is easy enough to implement:

```python
import pulumi
from pulumi import ResourceOptions
from pulumi_aws.ec2 import Vpc
from pulumi_aws.servicediscovery import PrivateDnsNamespace
from pulumi_aws.route53 import VpcAssociationAuthorization, ZoneAssociation

# using the first provider on account 1 (the account that will own the namespace and its hosted zone)
vpc_mock = Vpc(..., opts=ResourceOptions(provider=provider1))
namespace = PrivateDnsNamespace(..., vpc=vpc_mock.id, opts=ResourceOptions(provider=provider1))
# the zone owner authorizes the VPC in account 2 to be associated with the hosted zone Cloud Map created
association_authorization = VpcAssociationAuthorization(...,
    vpc_id=other_vpc_id,
    zone_id=namespace.hosted_zone,
    opts=ResourceOptions(provider=provider1))

# using the second provider in account 2 (the account that owns the VPC)
association = ZoneAssociation(...,
    zone_id=namespace.hosted_zone,
    vpc_id=other_vpc_id,
    opts=ResourceOptions(provider=provider2))
```
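The same two-provider pattern applied to the setup described in this thread, as an added example that is not part of the thread or of the linked GitHub comment. It is written as a Pulumi YAML program so the whole resource graph and its cross-account ordering is visible in one file; the Python equivalent uses the same resource types with `ResourceOptions(provider=...)`. Assumptions: account B (AWS profile `account-b`) owns the namespace, account A (profile `account-a`) owns the shared VPC, the `proj1/dev` stack exports its VPC ID under an output named `vpcId`, and `my-org` is a placeholder organization name. The profile names and the output name are not from the thread.

```yaml
name: cross-account-private-dns
runtime: yaml
description: Cloud Map private DNS namespace in account B, associated with a VPC owned by account A

resources:
  # Explicit providers: one per account. Every resource below says which account it lives in.
  providerB:
    type: pulumi:providers:aws
    properties:
      region: us-east-2
      profile: account-b        # assumed profile name
  providerA:
    type: pulumi:providers:aws
    properties:
      region: us-east-2
      profile: account-a        # assumed profile name

  # Outputs of the stack that created the shared VPC (output name "vpcId" is assumed).
  vpcStack:
    type: pulumi:pulumi:StackReference
    properties:
      name: my-org/proj1/dev

  # Cloud Map must be able to create its hosted zone against a VPC in the SAME account,
  # so account B gets a minimal placeholder VPC that carries no workloads.
  placeholderVpc:
    type: aws:ec2:Vpc
    properties:
      cidrBlock: 10.255.255.0/28
      enableDnsSupport: true
      enableDnsHostnames: true
    options:
      provider: ${providerB}

  # The namespace (and the hosted zone Cloud Map creates for it) is owned by account B.
  namespace:
    type: aws:servicediscovery:PrivateDnsNamespace
    properties:
      name: testme
      vpc: ${placeholderVpc.id}
    options:
      provider: ${providerB}

  # Step 1 of the cross-account association: the ZONE OWNER (account B) authorizes
  # the foreign VPC. Without this, Route 53 returns the InvalidVPCId error seen above.
  authorization:
    type: aws:route53:VpcAssociationAuthorization
    properties:
      zoneId: ${namespace.hostedZone}
      vpcId: ${vpcStack.outputs["vpcId"]}
      vpcRegion: us-east-2
    options:
      provider: ${providerB}

  # Step 2: the VPC OWNER (account A) performs the association. dependsOn forces the
  # authorization to exist first; the data dependency on the zone ID alone would not.
  association:
    type: aws:route53:ZoneAssociation
    properties:
      zoneId: ${namespace.hostedZone}
      vpcId: ${vpcStack.outputs["vpcId"]}
      vpcRegion: us-east-2
    options:
      provider: ${providerA}
      dependsOn:
        - ${authorization}

outputs:
  namespaceId: ${namespace.id}
  hostedZoneId: ${namespace.hostedZone}
```

The two Route 53 calls deliberately run under different providers: `VpcAssociationAuthorization` is only accepted from the account that owns the hosted zone, and `ZoneAssociation` is only accepted from the account that owns the VPC. The placeholder VPC exists solely so Cloud Map can create the zone inside account B; once the association with the shared VPC is in place, records in the namespace resolve from account A's VPC as well.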