[New Service]: Route53 Profiles #37050

Closed
rubenandre opened this issue Apr 22, 2024 · 17 comments · Fixed by #38172
Labels
new-service Introduces a new service. service/route53profiles Issues and PRs that pertain to the route53profiles service. service/route53 Issues and PRs that pertain to the route53 service.

@rubenandre
Contributor

rubenandre commented Apr 22, 2024

Description

With Route 53 Profiles, you can apply and manage DNS-related Route 53 configurations across many VPCs and in different AWS accounts. Profiles make managing the DNS settings for many VPCs as easy as managing them for a single VPC and when you update a Profile, its settings are propagated to all the VPCs associated to the Profile. You can also share a Profile with AWS accounts in the same Regions by using AWS RAM. (extracted from: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/profiles.html)

Requested Resource(s) and/or Data Source(s)

Resources:

  • aws_route53profiles_profile -> Creates an empty route53 profile
  • aws_route53profiles_resource_association -> Associates DNS FW rule, private hosted zones or resolver rules to the route53 profile
  • aws_route53profiles_association -> Associates the Route53 profile to the VPC (at the moment only supports VPCs even though the property is called ResourceId - so I'm a little bit dubious what this resource should be named)

Data Sources:

  • aws_route53profiles_profile
  • aws_route53profiles_association
  • aws_route53profiles_resource_association

Potential Terraform Configuration

resource "aws_route53profiles_profile" "example" {
  name = "my-profile"
  tags = {}
}

resource "aws_route53profiles_resource_association" "dns_firewall_rule" {
  name                = "my-dns-firewall-rule"
  profile_id          = aws_route53profiles_profile.example.id
  resource_arn        = "arn:aws:route53resolver:us-east-1:123456789012:firewall-rule-group/rslvr-frg-cfe7f72example"
  resource_properties = "{\"priority\": 102}"
}

resource "aws_route53profiles_association" "example" {
  name        = "my-vpc-association"
  profile_id  = aws_route53profiles_profile.example.id
  resource_id = "vpc-0af3b96b3example"
  tags        = {}
}

data "aws_route53profiles_profile" "example" {
  profile_id = "rp-4987774726example"
}

data "aws_route53profiles_association" "example" {
  profile_association_id = "rpassoc-489ce212fexample"
}

data "aws_route53profiles_resource_association" "example" {
  profile_resource_association_id = "rpr-001913120a7example"
}

References

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/profiles.html

Resources:

https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_CreateProfile.html (aws_route53profiles_profile)
https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html (aws_route53profiles_resource_association)
https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateProfile.html (aws_route53profiles_association)

Data Sources:
https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_GetProfile.html (aws_route53profiles_profile)
https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_GetProfileAssociation.html (aws_route53profiles_association)
https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_GetProfileResourceAssociation.html (aws_route53profiles_resource_association)

Would you like to implement a fix?

Yes


Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/route53 Issues and PRs that pertain to the route53 service. label Apr 22, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Apr 22, 2024
@ewbankkit ewbankkit added new-service Introduces a new service. and removed needs-triage Waiting for first response or review from a maintainer. labels Apr 23, 2024
@pablo19sc

@rubenandre hi! Are you working on this? We were thinking of adding support for this feature, so happy to own it or support you if you are already working on it.

@rubenandre
Contributor Author

rubenandre commented Apr 25, 2024

@pablo19sc hi! I worked on the service client for it. Yesterday I started to work on the first resource, aws_route53profiles_profile, but I'm still trying to get more acquainted with the codebase and grasp the direction for new resources, if it's preferred to go with "terraform plugin framework" or if SDKv2 is still acceptable.

I'd be happy to work with you on these features, but since I'm quite new to this codebase, I totally understand if you prefer to go full-on this.

Edit: Add strike-through to elements already grasped. The implementation of the first resource aws_route53profiles_profile was made in the PR attached below using Terraform Plugin Framework.

If someone intends to start the creation of the other resources, let me know so we could join synergies together and avoid dual work.

@github-actions github-actions bot added the service/route53profiles Issues and PRs that pertain to the route53profiles service. label May 1, 2024
@RubenFr

RubenFr commented May 28, 2024

@rubenandre - Is there any update on this feature?

@aristosvo
Contributor

Hi! Just to give a small update - I contacted the HC AWS provider team and they will almost certainly take this up next quarter, based on the popularity/👍🏽s on this issue. @rubenandre is dependent on their review on #37124.

@aristosvo
Contributor

@rubenandre I extended your work a bit in #38172, which is very much WIP but already has working tests for the two association resources. Hope you wouldn't mind!

@rubenandre
Contributor Author

@aristosvo Thank you very much. I'll not be able to move further with other resources.
The Route53 profiles solution has a salty price for the use case that the company I belong to has.

@ajoline

ajoline commented Sep 5, 2024

Glad to see this is being tracked. Do we have any guidance on if this feature is indeed slated to be worked next quarter? I have a critical multi-account use case I am trying to establish automation for.

@claytonolley

Does it normally take this long to get new features added into this provider? Has anyone tried deploying this with the new awscc provider? I also have an imminent need for this functionality.

@tdiener01

Yes, it's a bit odd that it's taken this long (several months) for this feature to be added in. #38172 is the more current PR for these resources and seems very close to being merged, but that one has been sitting idle for some time.

@aristosvo
Contributor

aristosvo commented Sep 6, 2024

Hi @claytonolley @tdiener01 @ajoline 👋!

I've checked again, no commitment but it is on the list of things they will pick up provided there is good progress. Best way to show the need is still adding your '👍' on the issue.

I will try to keep the PR up to date on the newest developments in the provider, you can always start with a build based on a fork of my branch.

@alexjfisher

> Has anyone tried deploying this with the new awscc provider?

Yes! Worked perfectly for me.

@PacoVK

PacoVK commented Sep 13, 2024

> > Has anyone tried deploying this with the new awscc provider?
>
> Yes! Worked perfectly for me.

Also thought about that, but seems like you cannot narrow down the permissions for Cloud Control to only manage certain service/resources in an account. Hence, the role that gets the necessary Cloud Control permissions will be able to create any resource available on awscc, right?

I am referring to the Security in AWS Cloud Control API

@alexjfisher

> > > Has anyone tried deploying this with the new awscc provider?
> >
> > Yes! Worked perfectly for me.
>
> Also thought about that, but seems like you cannot narrow down the permissions for Cloud Control to only manage certain service/resources in an account. Hence, the role that gets the necessary Cloud Control permissions will be able to create any resource available on awscc, right?
>
> I am referring to the Security in AWS Cloud Control API

Thanks for this information. I've only used it in a dev environment so far, where the IAM role I use to deploy isn't very restricted. Looks like this could be an issue for me later...
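
An added example, not part of the thread or of either provider's code, showing how a deploy role used with the awscc provider can be scoped to Route 53 Profiles: Cloud Control API makes the downstream service calls with the caller's credentials, so the role needs the downstream service actions in addition to the Cloud Control entry points, and the downstream list is what limits which services it can manage. The policy name and statement IDs are hypothetical, and the downstream action list is an assumption to check against the handler permissions in each resource type's schema.

```hcl
# Added example. Policy name and statement IDs are hypothetical.
data "aws_iam_policy_document" "awscc_route53profiles" {
  # Cloud Control API entry points used by the awscc provider. On their own
  # they authorize no downstream service call.
  statement {
    sid = "CloudControlEntryPoints"
    actions = [
      "cloudformation:CreateResource",
      "cloudformation:GetResource",
      "cloudformation:UpdateResource",
      "cloudformation:DeleteResource",
      "cloudformation:ListResources",
      "cloudformation:GetResourceRequestStatus",
    ]
    resources = ["*"]
  }

  # Downstream calls made with the caller's credentials. Assumed list, built
  # from the Route 53 Profiles API operations; compare it with the handler
  # permissions in each AWS::Route53Profiles::* type schema before use.
  statement {
    sid = "Route53ProfilesOnly"
    actions = [
      "route53profiles:CreateProfile",
      "route53profiles:GetProfile",
      "route53profiles:DeleteProfile",
      "route53profiles:AssociateProfile",
      "route53profiles:GetProfileAssociation",
      "route53profiles:DisassociateProfile",
      "route53profiles:AssociateResourceToProfile",
      "route53profiles:GetProfileResourceAssociation",
      "route53profiles:DisassociateResourceFromProfile",
      "route53profiles:ListTagsForResource",
      "route53profiles:TagResource",
      "route53profiles:UntagResource",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "awscc_route53profiles" {
  name   = "awscc-route53profiles-deploy"
  policy = data.aws_iam_policy_document.awscc_route53profiles.json
}
```

With this policy, a Cloud Control request for any other resource type passes the first statement but is denied at the downstream call, because no other service action is allowed.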


github-actions bot commented Oct 7, 2024

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v5.71.0 milestone Oct 7, 2024
@Pacobart

Feature now exists in latest aws provider release: https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.71.0


This functionality has been released in v5.72.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
