[v8.0.0 ]: vpc creation failed as dns binding authorization is still not created

[hFti]

Affected modules

module vpc 8.0.0

Terraform CLI and Terraform provider versions

• Terraform version: 1.9
• Provider version: v1.79.0

Terraform output

 2025/08/28 15:28:03 Terraform apply | Error: ---
 2025/08/28 15:28:03 Terraform apply | id: terraform-48a43ea0
 2025/08/28 15:28:03 Terraform apply | summary: 'CreateVPCDnsResolutionBindingWithContext failed: the provided token is not
 2025/08/28 15:28:03 Terraform apply |   authorized to connect the specified dns-resolution-binding (ID:r030-1126821b-a45e-4d76-b047-cfe6b70363ff)
 2025/08/28 15:28:03 Terraform apply |   in this account'
 2025/08/28 15:28:03 Terraform apply | severity: error
 2025/08/28 15:28:03 Terraform apply | resource: ibm_is_vpc
 2025/08/28 15:28:03 Terraform apply | operation: create
 2025/08/28 15:28:03 Terraform apply | component:
 2025/08/28 15:28:03 Terraform apply |   name: github.com/IBM-Cloud/terraform-provider-ibm
 2025/08/28 15:28:03 Terraform apply |   version: 1.79.0

Expected behavior

Vpc should be created after the authorization is created

Actual behavior

the vpc can't be created as the authorization with dnsBinding is still not in place

Steps to reproduce (including links and screen captures)

deploy a vpc hub and a vpc spoke with dns delegation in an account with no authorization (vpcBindingConnector between vpcs), using the module terraform-ibm-landingzone-vpc version 8.0.0

Anything else

maybe add a depend_on in the resource vpc to wait for authorization to be available before creating vpc
or make the source vpc id (spoke) open for all vpcs and specify the target which is the hub vpc id.
example:

 resource "ibm_iam_authorization_policy" "iam-auth-vpc-dns" {
   source_service_name  = "is"
   source_resource_type = "vpc"
   target_service_name  = "is"
   target_resource_type = "vpc"
   roles                = ["DNS Binding Connector", "Viewer"]
 }

---

[rajatagarwal-ibm]

@hFti I am unable to reproduce this issue.

A Spoke VPC cannot be created after the authorisation as the authorisation requires both the Hub VPC and the Spoke VPC id. There's also 30 seconds sleep time between the Hub VPC resources and the Spoke VPC resources.

We also do not need a depends_on in the authorisation policy creation because there's an implicit dependency while creating the auth policy with the Spoke VPC id.

From the error 'CreateVPCDnsResolutionBindingWithContext failed: the provided token is not authorized to connect the specified dns-resolution-binding (ID:r030-1126821b-a45e-4d76-b047-cfe6b70363ff) in this account', it appears that there could be a lack of permission to connect the DNS Resolution binding. In the IBM Cloud's IAM permission section, I could see many DNS Binding related actions. Are you sure you have enough permissions?

If you do have enough permission, can you give it a retry in case it was a blip in the service? If you're still stuck, could you please share the full logs with me? Thank you.

[hFti]

hello @rajatagarwal-ibm ,

I have admin permissions so no issues with my iam roles etc.
However as you mentioned "A Spoke VPC cannot be created after the authorisation as the authorisation requires both the Hub VPC and the Spoke VPC id."
so basically the authorization will wait for the vpc to be created , in the meanwhile the vpc spoke creation will try to activate the dns resolution binding here https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/main.tf#L47 and that generates the error as the vpc doesn't have the permission (yet) to activate the dns-resolution-binding.

For now I had to create an authorization between vpc services with no restriction on ids to be able to deploy:

 resource "ibm_iam_authorization_policy" "iam-auth-vpc-dns" {
   source_service_name  = "is"
   source_resource_type = "vpc"
   target_service_name  = "is"
   target_resource_type = "vpc"
   roles                = ["DNS Binding Connector"]
 }

, but I think this should be mentioned as a requirement for the terraform-ibm-landing-zone-vpc to be able to deploy when the dns delegation is activated (resolver_type = "delegated" and update_delegated_resolver = true) or else find a way to include in the module.

Thank you

[rajatagarwal-ibm]

Hey @hFti,

Thanks for further explaining the issue you're facing. I am able to reproduce that by setting update_delegated_resolver to true in the first terraform apply.

Due to a limitation in the IBM Cloud terraform provider (mentioned here and in the delegated example readme) , there is a need to perform 2 applies as follows to end up with the desired topology:

1. The first terraform apply lay down all of the topology, but does not configure the DNS resolver to delegated in the spoke. At this time you have to set update_delegated_resolver to false.
2. The second terraform apply should have the update_delegated_resolver variable to true to configure the DNS resolver to be delegated. terraform apply -var=update_delegated_resolver=true

Please let me know if you need any further help.

[hFti]

thank you.

[rajatagarwal-ibm]

Closing this issue.