bright-magician-13023
05/21/2024, 2:09 PM
aws:servicediscovery:PrivateDnsNamespace in a different account from the one where the VPC was created:
1. pulumi stack proj1/dev deployed on account A
a. I created the vpc and subnets in account A by deploying the pulumi stack project1/dev
b. the subnets are shared using aws:ram:ResourceShare and aws:ram:ResourceAssociation with account B
c. the subnet and VPC IDs are exported as outputs
2. pulumi stack proj2/dev deployed on account B
a. load the SubnetIDs and VPC id from the other project output
b. declare an aws.servicediscovery.PrivateDnsNamespace and pass the VPC ID
    test_sd = aws.servicediscovery.PrivateDnsNamespace("service-disc", vpc=vpc_exp_id, name="testme")
I'm getting this error:
aws:servicediscovery:PrivateDnsNamespace (service-disc):
error: 1 error occurred:
* waiting for Service Discovery Private DNS Namespace (testme) create: unexpected state 'FAIL', wanted target 'SUCCESS'. last error: CANNOT_CREATE_HOSTED_ZONE: The VPC: vpc-exampleddd2c4efed in region us-east-2 that you provided is not authorized to make the association. (Service: AmazonRoute53; Status Code: 400; Error Code: InvalidVPCId; Request ID: example-019e-45ff-958a-example; Proxy: null)
it seems like, in order to allow a vpc to make the correct request to route 53, it needs to be authorised, but I can't do that as the vpc is defined in a separate stack...
any idea how to resolve this issue?
little-cartoon-10569
05/21/2024, 8:23 PM
bright-magician-13023
05/21/2024, 11:01 PM
PrivateDnsNamespace resource:
    test_sd = aws.servicediscovery.PrivateDnsNamespace(
        "service-disc",
        vpc=vpc_exp_id,
        name="testme")
Is there a way to specify how to create the association?
little-cartoon-10569
05/22/2024, 1:52 AM
bright-magician-13023
05/28/2024, 9:49 AM
PrivateDnsNamespace resource itself and associated to the VPC in the other account
here's a workaround other people with a similar problem have come up with:
https://github.com/aws/aws-app-mesh-examples/issues/432#issuecomment-1431242660
the workaround, although not perfect, is easy enough to implement
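    from pulumi import ResourceOptions
    from pulumi_aws.ec2 import Vpc
    from pulumi_aws.route53 import VpcAssociationAuthorization, ZoneAssociation
    from pulumi_aws.servicediscovery import PrivateDnsNamespace

    # provider1, provider2 and other_vpc_id are assumed to be defined elsewhere in the program
    # using the first provider on account 1
    # placeholder VPC, only needed so the namespace and its hosted zone can be created
    vpc_mock = Vpc(..., opts=ResourceOptions(provider=provider1))
    namespace = PrivateDnsNamespace(..., vpc=vpc_mock.id, opts=ResourceOptions(provider=provider1))
    # authorize the VPC from the other account to associate with the namespace's hosted zone
    association_authorization = VpcAssociationAuthorization(...,
        vpc_id=other_vpc_id,
        zone_id=namespace.hosted_zone,
        opts=ResourceOptions(provider=provider1))
    # using the second provider in account 2
    association = ZoneAssociation(...,
        zone_id=namespace.hosted_zone,
        vpc_id=other_vpc_id,
        opts=ResourceOptions(provider=provider2))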