terraform-aws-modules
diff --git a/‎README.md‎
Lines changed: 46 additions & 0 deletions b/‎README.md‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎examples/complete/README.md‎
Lines changed: 0 additions & 1 deletion b/‎examples/complete/README.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎examples/cross-account/README.md‎
Lines changed: 92 additions & 0 deletions b/‎examples/cross-account/README.md‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎examples/cross-account/main.tf‎
Lines changed: 167 additions & 0 deletions b/‎examples/cross-account/main.tf‎
Lines changed: 167 additions & 0 deletions
@@ -188,6 +188,49 @@ module "zone" {
 }
 ```
 
+### Cross Account Zone Association
+
+> [!NOTE]
+> Association (`aws_route53_zone_association`) must be performed by the account that owns the VPC.
+>
+> Association authorization (`aws_route53_vpc_association_authorization`) must be performed by the account that owns the zone.
+>
+> Hence why the `aws_route53_zone_association` resource is *outside* the scope of the module, but the authorization (`aws_route53_vpc_association_authorization`) is *inside* the scope of the module.
+
+```hcl
+module "zone" {
+  source = "terraform-aws-modules/route53/aws"
+
+  name    = "terraform-aws-modules-example.com"
+  comment = "Private zone for terraform-aws-modules example"
+
+  # Ignore VPC after creation to avoid disruptive diff with associations
+  ignore_vpc = true
+  vpc = {
+    default = {
+      vpc_id     = "vpc-1234556abcdef"
+      vpc_region = "eu-west-1"
+    }
+  }
+
+  vpc_association_authorizations = {
+    external = {
+      vpc_id     = "vpc-987564fedcba"
+      vpc_region = "eu-west-1"
+    }
+    external_region = {
+      vpc_id     = "vpc-1a2b3c4d56e7f8"
+      vpc_region = "us-east-1"
+    }
+  }
+
+  tags = {
+    Environment = "example"
+    Project     = "terraform-aws-route53"
+  }
+}
+```
+
 ## Sub-Modules
 
 The following independent sub-modules are available:
@@ -201,6 +244,7 @@ See the respective module directories for examples and documentation.
 ## Examples
 
 - [Complete](https://github.com/terraform-aws-modules/terraform-aws-route53/tree/master/examples/complete)
+- [Cross Account](https://github.com/terraform-aws-modules/terraform-aws-route53/tree/master/examples/cross-account)
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
@@ -230,6 +274,7 @@ See the respective module directories for examples and documentation.
 | [aws_route53_key_signing_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_key_signing_key) | resource |
 | [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_vpc_association_authorization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_zone.ignore_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
 | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
 | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 
@@ -248,6 +293,7 @@ See the respective module directories for examples and documentation.
 | <a name="input_dnssec_kms_key_tags"></a> [dnssec\_kms\_key\_tags](#input\_dnssec\_kms\_key\_tags) | Additional tags to apply to the KMS key created for DNSSEC signing | `map(string)` | `{}` | no |
 | <a name="input_enable_dnssec"></a> [enable\_dnssec](#input\_enable\_dnssec) | Whether to enable DNSSEC for the Route53 zone | `bool` | `false` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Whether to destroy all records (possibly managed outside of Terraform) in the zone when destroying the zone | `bool` | `null` | no |
+| <a name="input_ignore_vpc"></a> [ignore\_vpc](#input\_ignore\_vpc) | Determines whether to ignore VPC association changes after creation to avoid disruptive diffs when using `aws_route53_zone_association` resource(s). Changing is a destructive action; users should be prepared to use Terraform state move commands/blocks when changing this value | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | This is the name of the hosted zone | `string` | `""` | no |
 | <a name="input_private_zone"></a> [private\_zone](#input\_private\_zone) | Whether the hosted zone is private. Only applicable when `create_zone = false` | `bool` | `false` | no |
 | <a name="input_records"></a> [records](#input\_records) | A map of Route53 records to create in the zone. The key can be used as the subdomain name, or `name` can be used to specify the full name | <pre>map(object({<br/>    alias = optional(object({<br/>      evaluate_target_health = optional(bool, false)<br/>      name                   = string<br/>      zone_id                = string<br/>    }))<br/>    allow_overwrite = optional(bool)<br/>    cidr_routing_policy = optional(object({<br/>      collection_id = string<br/>      location_name = string<br/>    }))<br/>    failover_routing_policy = optional(object({<br/>      type = string<br/>    }))<br/>    geolocation_routing_policy = optional(object({<br/>      continent   = optional(string)<br/>      country     = optional(string)<br/>      subdivision = optional(string)<br/>    }))<br/>    geoproximity_routing_policy = optional(object({<br/>      aws_region = optional(string)<br/>      bias       = optional(number)<br/>      coordinates = optional(list(object({<br/>        latitude  = number<br/>        longitude = number<br/>      })))<br/>      local_zone_group = optional(string)<br/>    }))<br/>    health_check_id = optional(string)<br/>    latency_routing_policy = optional(object({<br/>      region = string<br/>    }))<br/>    multivalue_answer_routing_policy = optional(bool)<br/>    name                             = optional(string)<br/>    full_name                        = optional(string)<br/>    records                          = optional(list(string))<br/>    set_identifier                   = optional(string)<br/>    ttl                              = optional(number)<br/>    type                             = string<br/>    weighted_routing_policy = optional(object({<br/>      weight = number<br/>    }))<br/>    timeouts = optional(object({<br/>      create = optional(string)<br/>      update = optional(string)<br/>      delete = optional(string)<br/>    }))<br/>  }))</pre> | `{}` | no |
 
@@ -2,7 +2,6 @@
 
 Configuration in this directory creates:
 
-
 ## Usage
 
 To run this example you need to execute:
 
@@ -0,0 +1,92 @@
+# Cross Account Route53 Zone Association
+
+Configuration in this directory creates:
+
+- A Route53 Private Hosted Zone w/ associated VPC in one AWS account
+- A VPC in another AWS account, associated to the Private Hosted Zone in the first account
+- A VPC in another AWS account and region, associated to the Private Hosted Zone in the first account
+
+> [!NOTE]
+> Association (`aws_route53_zone_association`) must be performed by the account that owns the VPC.
+>
+> Association authorization (`aws_route53_vpc_association_authorization`) must be performed by the account that owns the zone.
+>
+> Hence why the `aws_route53_zone_association` resource is *outside* the scope of the module, but the authorization (`aws_route53_vpc_association_authorization`) is *inside* the scope of the module.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which will incur monetary charges on your AWS bill. Run `terraform destroy` when you no longer need these resources.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.3 |
+| <a name="provider_aws.external"></a> [aws.external](#provider\_aws.external) | >= 6.3 |
+| <a name="provider_aws.external_region"></a> [aws.external\_region](#provider\_aws.external\_region) | >= 6.3 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
+| <a name="module_vpc_external"></a> [vpc\_external](#module\_vpc\_external) | terraform-aws-modules/vpc/aws | ~> 6.0 |
+| <a name="module_vpc_external_region"></a> [vpc\_external\_region](#module\_vpc\_external\_region) | terraform-aws-modules/vpc/aws | ~> 6.0 |
+| <a name="module_zone"></a> [zone](#module\_zone) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_route53_zone_association.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.external_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_availability_zones.external_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_external_account_role_arn"></a> [external\_account\_role\_arn](#input\_external\_account\_role\_arn) | The ARN of the role to assume in the external account containing the VPC to be associated to the Route53 private zone | `string` | `"YOU MUST PROVIDE THIS VALUE"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_zone_arn"></a> [zone\_arn](#output\_zone\_arn) | Zone ARN of Route53 zone |
+| <a name="output_zone_dnssec_kms_key_arn"></a> [zone\_dnssec\_kms\_key\_arn](#output\_zone\_dnssec\_kms\_key\_arn) | The Amazon Resource Name (ARN) of the key |
+| <a name="output_zone_dnssec_kms_key_id"></a> [zone\_dnssec\_kms\_key\_id](#output\_zone\_dnssec\_kms\_key\_id) | The globally unique identifier for the key |
+| <a name="output_zone_dnssec_kms_key_policy"></a> [zone\_dnssec\_kms\_key\_policy](#output\_zone\_dnssec\_kms\_key\_policy) | The IAM resource policy set on the key |
+| <a name="output_zone_dnssec_kms_key_region"></a> [zone\_dnssec\_kms\_key\_region](#output\_zone\_dnssec\_kms\_key\_region) | The region for the key |
+| <a name="output_zone_dnssec_signing_key_digest_value"></a> [zone\_dnssec\_signing\_key\_digest\_value](#output\_zone\_dnssec\_signing\_key\_digest\_value) | A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system |
+| <a name="output_zone_dnssec_signing_key_dnskey_record"></a> [zone\_dnssec\_signing\_key\_dnskey\_record](#output\_zone\_dnssec\_signing\_key\_dnskey\_record) | A string that represents a DNSKEY record |
+| <a name="output_zone_dnssec_signing_key_ds_record"></a> [zone\_dnssec\_signing\_key\_ds\_record](#output\_zone\_dnssec\_signing\_key\_ds\_record) | A string that represents a delegation signer (DS) record |
+| <a name="output_zone_dnssec_signing_key_id"></a> [zone\_dnssec\_signing\_key\_id](#output\_zone\_dnssec\_signing\_key\_id) | Route 53 Hosted Zone identifier and KMS Key identifier, separated by a comma (`,`) |
+| <a name="output_zone_dnssec_signing_key_public_key"></a> [zone\_dnssec\_signing\_key\_public\_key](#output\_zone\_dnssec\_signing\_key\_public\_key) | The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5 |
+| <a name="output_zone_dnssec_signing_key_tag"></a> [zone\_dnssec\_signing\_key\_tag](#output\_zone\_dnssec\_signing\_key\_tag) | An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B |
+| <a name="output_zone_id"></a> [zone\_id](#output\_zone\_id) | Zone ID of Route53 zone |
+| <a name="output_zone_name"></a> [zone\_name](#output\_zone\_name) | Name of Route53 zone |
+| <a name="output_zone_name_servers"></a> [zone\_name\_servers](#output\_zone\_name\_servers) | Name servers of Route53 zone |
+| <a name="output_zone_primary_name_server"></a> [zone\_primary\_name\_server](#output\_zone\_primary\_name\_server) | The Route 53 name server that created the SOA record. |
+| <a name="output_zone_records"></a> [zone\_records](#output\_zone\_records) | Records created in the Route53 zone |
+<!-- END_TF_DOCS -->
+
+## License
+
+Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-ecs/blob/master/LICENSE).
@@ -0,0 +1,167 @@
+provider "aws" {
+  region = local.region
+}
+
+provider "aws" {
+  alias  = "external"
+  region = local.region
+
+  assume_role {
+    role_arn     = var.external_account_role_arn
+    session_name = "terraform-aws-route53-example"
+  }
+}
+
+provider "aws" {
+  alias  = "external_region"
+  region = local.external_region
+
+  assume_role {
+    role_arn     = var.external_account_role_arn
+    session_name = "terraform-aws-route53-example"
+  }
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  region          = "eu-west-1"
+  external_region = "us-east-1"
+
+  name = "ex-${basename(path.cwd)}"
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  tags = {
+    Name       = local.name
+    Example    = local.name
+    Repository = "https://github.com/terraform-aws-modules/terraform-aws-route53"
+  }
+}
+
+################################################################################
+# Zone Account
+################################################################################
+
+module "zone" {
+  source = "../.."
+
+  name    = "terraform-aws-modules-example.com"
+  comment = "Private zone for terraform-aws-modules example"
+
+  # Ignore VPC after creation to avoid disruptive diff with associations
+  ignore_vpc = true
+  vpc = {
+    default = {
+      vpc_id     = module.vpc.vpc_id
+      vpc_region = local.region
+    }
+  }
+
+  vpc_association_authorizations = {
+    external = {
+      vpc_id     = module.vpc_external.vpc_id
+      vpc_region = local.region
+    }
+    external_region = {
+      vpc_id     = module.vpc_external_region.vpc_id
+      vpc_region = local.external_region
+    }
+  }
+
+  tags = local.tags
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+
+  enable_nat_gateway = false
+
+  tags = local.tags
+}
+
+################################################################################
+# External Account
+################################################################################
+
+module "vpc_external" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.0"
+
+  providers = {
+    aws = aws.external
+  }
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+
+  enable_nat_gateway = false
+
+  tags = local.tags
+}
+
+# Association (`aws_route53_zone_association`) must be performed by the account that owns the VPC.
+# Association authorization (`aws_route53_vpc_association_authorization`) must be performed by the account that owns the zone.
+# Hence why the `aws_route53_zone_association` resource is *outside* the scope of the module, but the authorization
+# (`aws_route53_vpc_association_authorization`) is *inside* the scope of the module.
+resource "aws_route53_zone_association" "external" {
+  provider = aws.external
+
+  zone_id    = module.zone.id
+  vpc_id     = module.vpc_external.vpc_id
+  vpc_region = local.region
+}
+
+################################################################################
+# External Account - different region
+################################################################################
+
+data "aws_availability_zones" "external_region" {
+  provider = aws.external_region
+}
+
+locals {
+  ext_reg_azs = slice(data.aws_availability_zones.external_region.names, 0, 3)
+}
+
+module "vpc_external_region" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.0"
+
+  providers = {
+    aws = aws.external_region
+  }
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.ext_reg_azs
+  private_subnets = [for k, v in local.ext_reg_azs : cidrsubnet(local.vpc_cidr, 4, k)]
+
+  enable_nat_gateway = false
+
+  tags = local.tags
+}
+
+# Association (`aws_route53_zone_association`) must be performed by the account that owns the VPC.
+# Association authorization (`aws_route53_vpc_association_authorization`) must be performed by the account that owns the zone.
+# Hence why the `aws_route53_zone_association` resource is *outside* the scope of the module, but the authorization
+# (`aws_route53_vpc_association_authorization`) is *inside* the scope of the module.
+resource "aws_route53_zone_association" "external_region" {
+  provider = aws.external_region
+
+  zone_id    = module.zone.id
+  vpc_id     = module.vpc_external_region.vpc_id
+  vpc_region = local.external_region
+}