fix(vpc): support only one route53 resolver profile association

Author: posquit0

modules/vpc/README.md

@@ -80,7 +80,7 @@ This module creates following resources.
 | <a name="input_network_address_usage_metrics_enabled"></a> [network\_address\_usage\_metrics\_enabled](#input\_network\_address\_usage\_metrics\_enabled) | (Optional) Whether NAU (Network Address Usage) metrics are enabled for the VPC. Defaults to `false`. | `bool` | `false` | no |
 | <a name="input_region"></a> [region](#input\_region) | (Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region. | `string` | `null` | no |
 | <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.<br/>    (Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.<br/>    (Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.<br/>    (Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`. | <pre>object({<br/>    enabled     = optional(bool, true)<br/>    name        = optional(string, "")<br/>    description = optional(string, "Managed by Terraform.")<br/>  })</pre> | `{}` | no |
-| <a name="input_route53_resolver"></a> [route53\_resolver](#input\_route53\_resolver) | (Optional) A configuration for Route53 Resolver in the VPC. `route53_resolver` as defined below.<br/>    (Optional) `enabled` - Whether DNS resolution through the Route53 Resolver (the Amazon DNS server) is supported for the VPC. Defaults to `true`.<br/>    (Optional) `private_hosted_zones` - A set of private Hosted Zone IDs to associate with the VPC.<br/>    (Optional) `profile_associations` - A list of configurations for Route53 Profile associations with the VPC. Each block of `profile_associations` as defined below.<br/>      (Required) `name` - The name of the resource association with the Route53 profile.<br/>      (Required) `profile` - The ID of the Route53 profile to associate with.<br/>      (Optional) `tags` - A map of tags to add to the Route53 Profile association resource.<br/>    (Optional) `autodefined_reverse_dns_resolution_enabled` - Whether to enable the autodefined reverse DNS resolution for the VPC. Defaults to `true`.<br/>    (Optional) `dnssec_validation` - The configuration for DNSSEC validation in the VPC. `dnssec_validation` as defined below.<br/>      (Optional) `enabled` - Whether to use DNSSEC validation to check DNSSEC cryptographic signatures to ensure that a DNS response was not tampered with. Defaults to `false`. | <pre>object({<br/>    enabled              = optional(bool, true)<br/>    private_hosted_zones = optional(set(string), [])<br/>    profile_associations = optional(list(object({<br/>      name    = string<br/>      profile = string<br/>      tags    = optional(map(string), {})<br/>    })), [])<br/>    autodefined_reverse_dns_resolution_enabled = optional(bool, true)<br/>    dnssec_validation = optional(object({<br/>      enabled = optional(bool, false)<br/>    }), {})<br/>  })</pre> | `{}` | no |
+| <a name="input_route53_resolver"></a> [route53\_resolver](#input\_route53\_resolver) | (Optional) A configuration for Route53 Resolver in the VPC. `route53_resolver` as defined below.<br/>    (Optional) `enabled` - Whether DNS resolution through the Route53 Resolver (the Amazon DNS server) is supported for the VPC. Defaults to `true`.<br/>    (Optional) `private_hosted_zones` - A set of private Hosted Zone IDs to associate with the VPC.<br/>    (Optional) `profile_association` - A configuration for Route53 Profile association with the VPC. `profile_association` as defined below.<br/>      (Required) `name` - The name of the resource association with the Route53 profile.<br/>      (Required) `profile` - The ID of the Route53 profile to associate with.<br/>      (Optional) `tags` - A map of tags to add to the Route53 Profile association resource.<br/>    (Optional) `autodefined_reverse_dns_resolution_enabled` - Whether to enable the autodefined reverse DNS resolution for the VPC. Defaults to `true`.<br/>    (Optional) `dnssec_validation` - The configuration for DNSSEC validation in the VPC. `dnssec_validation` as defined below.<br/>      (Optional) `enabled` - Whether to use DNSSEC validation to check DNSSEC cryptographic signatures to ensure that a DNS response was not tampered with. Defaults to `false`. | <pre>object({<br/>    enabled              = optional(bool, true)<br/>    private_hosted_zones = optional(set(string), [])<br/>    profile_association = optional(object({<br/>      name    = string<br/>      profile = string<br/>      tags    = optional(map(string), {})<br/>    }))<br/>    autodefined_reverse_dns_resolution_enabled = optional(bool, true)<br/>    dnssec_validation = optional(object({<br/>      enabled = optional(bool, false)<br/>    }), {})<br/>  })</pre> | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
 | <a name="input_tenancy"></a> [tenancy](#input\_tenancy) | (Optional) A tenancy option for instances launched into the VPC. Valid values are `DEFAULT` and `DEDICATED`. Defaults to `DEFAULT`.<br/>    `DEFAULT` - Ensure that EC2 instances launched in this VPC use the EC2 instance tenancy attribute specified when the EC2 instance is launched<br/>    `DEDICATED` - Ensure that EC2 instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch. This has a dedicated per region fee of $2 per hour, plus an hourly per instance usage fee. | `string` | `"DEFAULT"` | no |
 | <a name="input_vpn_gateway"></a> [vpn\_gateway](#input\_vpn\_gateway) | (Required) The configuration for a virtual private gateway of the VPC. A virtual private gateway is the VPN concentrator on the Amazon side of the site-to-site VPN connection. `vpn_gateway` as defined below.<br/>    (Optional) `enabled` - Whether to create a new VPN Gateway resource and attach it to the VPC. Defaults to `false`.<br/>    (Optional) `name` - The name of the VPN Gateway. Defaults to same name of the VPC.<br/>    (Optional) `asn` - The Autonomous System Number (ASN) for the Amazon side of the gateway. Defaults to `64512`. | <pre>object({<br/>    enabled = optional(bool, false)<br/>    name    = optional(string)<br/>    asn     = optional(number, 64512)<br/>  })</pre> | `{}` | no |

modules/vpc/outputs.tf

@@ -144,17 +144,18 @@ output "route53_resolver" {
   value = {
     enabled              = aws_vpc.this.enable_dns_support
     private_hosted_zones = values(aws_route53_zone_association.this)[*].zone_id
-    profile_associations = [
-      for name, assoc in aws_route53profiles_association.this : {
-        id   = assoc.id
-        arn  = assoc.arn
-        name = name
+    profile_association = (length(aws_route53profiles_association.this) > 0
+      ? {
+        id   = aws_route53profiles_association.this[0].id
+        arn  = aws_route53profiles_association.this[0].arn
+        name = aws_route53profiles_association.this[0].name
         profile = {
-          id = assoc.profile_id
+          id = aws_route53profiles_association.this[0].profile_id
         }
-        status = assoc.status
+        status = aws_route53profiles_association.this[0].status
       }
-    ]
+      : null
+    )
     autodefined_reverse_dns_resolution = aws_route53_resolver_config.this.autodefined_reverse_flag == "ENABLE"
     dnssec_validation = {
       enabled = var.route53_resolver.dnssec_validation.enabled

modules/vpc/route53.tf

@@ -17,25 +17,22 @@ resource "aws_route53_zone_association" "this" {
 ###################################################
 
 resource "aws_route53profiles_association" "this" {
-  for_each = {
-    for assoc in var.route53_resolver.profile_associations :
-    assoc.name => assoc
-  }
+  count = var.route53_resolver.profile_association != null ? 1 : 0
 
   region = aws_vpc.this.region
 
   resource_id = aws_vpc.this.id
 
-  name       = each.key
-  profile_id = each.value.profile
+  name       = var.route53_resolver.profile_association.name
+  profile_id = var.route53_resolver.profile_association.profile
 
   tags = merge(
     {
-      "Name" = "${local.metadata.name}/${each.key}"
+      "Name" = "${local.metadata.name}/${var.route53_resolver.profile_association.name}"
     },
     local.module_tags,
     var.tags,
-    each.value.tags,
+    var.route53_resolver.profile_association.tags,
   )
 }
 

modules/vpc/variables.tf

@@ -113,7 +113,7 @@ variable "route53_resolver" {
   (Optional) A configuration for Route53 Resolver in the VPC. `route53_resolver` as defined below.
     (Optional) `enabled` - Whether DNS resolution through the Route53 Resolver (the Amazon DNS server) is supported for the VPC. Defaults to `true`.
     (Optional) `private_hosted_zones` - A set of private Hosted Zone IDs to associate with the VPC.
-    (Optional) `profile_associations` - A list of configurations for Route53 Profile associations with the VPC. Each block of `profile_associations` as defined below.
+    (Optional) `profile_association` - A configuration for Route53 Profile association with the VPC. `profile_association` as defined below.
       (Required) `name` - The name of the resource association with the Route53 profile.
       (Required) `profile` - The ID of the Route53 profile to associate with.
       (Optional) `tags` - A map of tags to add to the Route53 Profile association resource.
@@ -124,11 +124,11 @@ variable "route53_resolver" {
   type = object({
     enabled              = optional(bool, true)
     private_hosted_zones = optional(set(string), [])
-    profile_associations = optional(list(object({
+    profile_association = optional(object({
       name    = string
       profile = string
       tags    = optional(map(string), {})
-    })), [])
+    }))
     autodefined_reverse_dns_resolution_enabled = optional(bool, true)
     dnssec_validation = optional(object({
       enabled = optional(bool, false)