
I have a terraform script that deploys a micro-service (let's call it myservice here) which contains a route53 record.

This script works ok in Tokyo region, because this region has all the AWS services required by myservice.

Now I'm going to deploy myservice into cn-northwest-1, which is the Ningxia region in China.

Since route53 doesn't exist in AWS China, currently my solution is to manually set the domain name of China's myservice in a normal AWS account (i.e. the AWS account that contains Tokyo, Ohio, Oregon ... regions).

For example, pointing www.myservice.com.cn to a CNAME record of myservice-ningxia-elb-1234567890.cn-northwest-1.elb.amazonaws.com.cn, which is an ELB's domain name in Ningxia region.

How can I automate this process with terraform?

This is my folder structure:

.
├── environments
│   ├── ningxia
│   │   ├── main.tf
│   │   └── versions.tf
│   └── tokyo
│       ├── main.tf
│       └── versions.tf
└── modules
    ├── cloud-init.yaml
    ├── outputs.tf
    ├── myservice.tf
    └── variables.tf

I can create myservice in Tokyo region by running

cd environments && \
  terraform init && \
  terraform apply

This post shows that we can create aws_route53_zone in cn-northwest-1 region using the following code

# Configure the AWS provider for the China region.
# Credentials are placeholders: supply the China account's access key and
# secret key through variables (the original post used bare AK / SK tokens,
# which are not valid HCL).
provider "aws" {
  region     = "cn-northwest-1"
  access_key = var.access_key
  secret_key = var.secret_key

  # Route 53 in the China partition is only reachable through its own endpoint,
  # so override the default (global) Route 53 endpoint.
  endpoints {
    route53 = "https://api.route53.cn"
  }
}

# Create a public Route 53 hosted zone in the China partition.
resource "aws_route53_zone" "test" {
  name    = "bobtest3.cn"
  comment = "try to create a pub zone with terraform in China region v2!"
}

How is this possible?

I can't even find route53 in AWS console in Ningxia region.

Brian
    Does https://stackoverflow.com/a/52206826/2291321 answer your question? – ydaetskcoR Feb 26 '20 at 08:03
  • No, "assume role" doesn't work between AWS China account and non-China account. – Brian Feb 26 '20 at 08:32
  • Do you have any documentation as to that? I was under the impression you just need to use another STS endpoint when assuming roles in the Chinese regions. – ydaetskcoR Feb 26 '20 at 09:11

1 Answer


You could use a custom resource using external data, like this:

# External data source: runs dns.sh and passes the query map to it as JSON on stdin.
data "external" "dns" {
  program = ["${path.module}/dns.sh"]
  query = {
    region  = "${var.region}"
    profile = "${lower(var.env)}"
    dns     = "dnsname"
  }
}

Just write a CLI script, dns.sh, that connects to the Route 53 region to create the record.

victor m
  • Data sources should not be modifying things. Use a `null_resource` and a `local-exec` provisioner if you are going to do that otherwise it's going to run on every plan or refresh of the state. – ydaetskcoR Feb 27 '20 at 16:54
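As an added example (not code from the question or the answer): the record can be created in the same apply without any external script, and without a data source that mutates state, by declaring two aws provider aliases, one for the China account where the ELB lives and one for the standard-partition account that holds the hosted zone, and pointing aws_route53_record at the second. It assumes two separate AWS CLI profiles for the two accounts (no cross-partition assume-role is required) and that the modules directory exports the ELB DNS name as an output named elb_dns_name; the profile names and that output name are assumptions.

```hcl
# Provider for the China partition (Ningxia), where myservice and its ELB run.
provider "aws" {
  alias   = "china"
  region  = "cn-northwest-1"
  profile = "china" # assumed CLI profile holding the China account credentials
}

# Provider for the standard partition, where the Route 53 hosted zone lives.
# Route 53 is a global service there, so the region only selects an API endpoint.
provider "aws" {
  alias   = "global"
  region  = "ap-northeast-1"
  profile = "default" # assumed CLI profile for the non-China account
}

# Deploy myservice into Ningxia through the China provider.
# The module is assumed to expose the ELB DNS name as output "elb_dns_name".
module "myservice_ningxia" {
  source = "../../modules"
  providers = {
    aws = aws.china
  }
}

# Look up the existing hosted zone for myservice.com.cn in the non-China account.
data "aws_route53_zone" "cn" {
  provider = aws.global
  name     = "myservice.com.cn."
}

# CNAME www.myservice.com.cn -> China ELB, created in the non-China account
# and kept in sync with the ELB name on every apply.
resource "aws_route53_record" "www_cn" {
  provider = aws.global
  zone_id  = data.aws_route53_zone.cn.zone_id
  name     = "www.myservice.com.cn"
  type     = "CNAME"
  ttl      = 300
  records  = [module.myservice_ningxia.elb_dns_name]
}
```

Because the record is a managed resource rather than a data source, `terraform plan` shows a diff only when the ELB name or the record changes, and `terraform destroy` removes it along with the service.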