From f4d47c86067be51e696ed0fc70937faad1d1c1f2 Mon Sep 17 00:00:00 2001
From: Ludovic Fernandez
Date: Wed, 19 Mar 2025 13:56:07 +0100
Subject: [PATCH] route53: adds option to use private zone (#2162)
---
 cmd/zz_gen_cmd_dnshelp.go | 1 +
 docs/content/dns/zz_gen_route53.md | 1 +
 providers/dns/route53/route53.go | 5 ++++-
 providers/dns/route53/route53.toml | 1 +
 providers/dns/route53/route53_test.go | 1 +
 5 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/cmd/zz_gen_cmd_dnshelp.go b/cmd/zz_gen_cmd_dnshelp.go
index 258ec0f65..1ce9e8f9c 100644
--- a/cmd/zz_gen_cmd_dnshelp.go
+++ b/cmd/zz_gen_cmd_dnshelp.go
@@ -2644,6 +2644,7 @@ func displayDNSHelp(w io.Writer, name string) error {
 ew.writeln(`Additional Configuration:`)
 ew.writeln(` - "AWS_MAX_RETRIES": The number of maximum returns the service will use to make an individual API request`)
 ew.writeln(` - "AWS_POLLING_INTERVAL": Time between DNS propagation check in seconds (Default: 4)`)
+ ew.writeln(` - "AWS_PRIVATE_ZONE": Set to true to use private zones only (default: use public zones only)`)
 ew.writeln(` - "AWS_PROPAGATION_TIMEOUT": Maximum waiting time for DNS propagation in seconds (Default: 120)`)
 ew.writeln(` - "AWS_SHARED_CREDENTIALS_FILE": Managed by the AWS client. Shared credentials file.`)
 ew.writeln(` - "AWS_TTL": The TTL of the TXT record used for the DNS challenge in seconds (Default: 10)`)
diff --git a/docs/content/dns/zz_gen_route53.md b/docs/content/dns/zz_gen_route53.md
index 0d06299a1..a0967a57e 100644
--- a/docs/content/dns/zz_gen_route53.md
+++ b/docs/content/dns/zz_gen_route53.md
@@ -60,6 +60,7 @@ More information [here]({{% ref "dns#configuration-and-credentials" %}}).
 |--------------------------------|-------------|
 | `AWS_MAX_RETRIES` | The number of maximum returns the service will use to make an individual API request |
 | `AWS_POLLING_INTERVAL` | Time between DNS propagation check in seconds (Default: 4) |
+| `AWS_PRIVATE_ZONE` | Set to true to use private zones only (default: use public zones only) |
 | `AWS_PROPAGATION_TIMEOUT` | Maximum waiting time for DNS propagation in seconds (Default: 120) |
 | `AWS_SHARED_CREDENTIALS_FILE` | Managed by the AWS client. Shared credentials file. |
 | `AWS_TTL` | The TTL of the TXT record used for the DNS challenge in seconds (Default: 10) |
diff --git a/providers/dns/route53/route53.go b/providers/dns/route53/route53.go
index 8246cd0ad..4d0a13a3d 100644
--- a/providers/dns/route53/route53.go
+++ b/providers/dns/route53/route53.go
@@ -35,6 +35,7 @@ const (
 EnvMaxRetries = envNamespace + "MAX_RETRIES"
 EnvAssumeRoleArn = envNamespace + "ASSUME_ROLE_ARN"
 EnvExternalID = envNamespace + "EXTERNAL_ID"
+ EnvPrivateZone = envNamespace + "PRIVATE_ZONE"
 EnvWaitForRecordSetsChanged = envNamespace + "WAIT_FOR_RECORD_SETS_CHANGED"
@@ -58,6 +59,7 @@ type Config struct {
 MaxRetries int
 AssumeRoleArn string
 ExternalID string
+ PrivateZone bool
 WaitForRecordSetsChanged bool
@@ -75,6 +77,7 @@ func NewDefaultConfig() *Config {
 MaxRetries: env.GetOrDefaultInt(EnvMaxRetries, 5),
 AssumeRoleArn: env.GetOrDefaultString(EnvAssumeRoleArn, ""),
 ExternalID: env.GetOrDefaultString(EnvExternalID, ""),
+ PrivateZone: env.GetOrDefaultBool(EnvPrivateZone, false),
 WaitForRecordSetsChanged: env.GetOrDefaultBool(EnvWaitForRecordSetsChanged, true),
@@ -312,7 +315,7 @@ func (d *DNSProvider) getHostedZoneID(ctx context.Context, fqdn string) (string,
 var hostedZoneID string
 for _, hostedZone := range resp.HostedZones {
 // .Name has a trailing dot
- if !hostedZone.Config.PrivateZone && ptr.Deref(hostedZone.Name) == authZone {
+ if ptr.Deref(hostedZone.Name) == authZone && d.config.PrivateZone == hostedZone.Config.PrivateZone {
 hostedZoneID = ptr.Deref(hostedZone.Id)
 break
 }
diff --git a/providers/dns/route53/route53.toml b/providers/dns/route53/route53.toml
index 0004e9546..9e3b049a6 100644
--- a/providers/dns/route53/route53.toml
+++ b/providers/dns/route53/route53.toml
@@ -133,6 +133,7 @@ Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with
 AWS_EXTERNAL_ID = "Managed by STS AssumeRole API operation (`AWS_EXTERNAL_ID_FILE` is not supported)"
 AWS_WAIT_FOR_RECORD_SETS_CHANGED = "Wait for changes to be INSYNC (it can be unstable)"
 [Configuration.Additional]
+ AWS_PRIVATE_ZONE = "Set to true to use private zones only (default: use public zones only)"
 AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
 AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"
 AWS_POLLING_INTERVAL = "Time between DNS propagation check in seconds (Default: 4)"
diff --git a/providers/dns/route53/route53_test.go b/providers/dns/route53/route53_test.go
index 1c835ac37..6ab37f674 100644
--- a/providers/dns/route53/route53_test.go
+++ b/providers/dns/route53/route53_test.go
@@ -23,6 +23,7 @@ var envTest = tester.NewEnvTest(
 EnvRegion,
 EnvHostedZoneID,
 EnvMaxRetries,
+ EnvPrivateZone,
 EnvTTL,
 EnvPropagationTimeout,
 EnvPollingInterval,
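Review bot: The rewritten condition in getHostedZoneID still takes the first name match and breaks, which becomes ambiguous once AWS_PRIVATE_ZONE=true: Route 53 allows several private hosted zones with the same name (one per VPC association), so the TXT challenge record may be written to whichever zone the API lists first rather than the one the caller intends, and the validation then fails silently elsewhere. Unless the function honours an explicit HostedZoneID before reaching this loop (not visible in the hunk), it should keep scanning, count the matches and return an error naming `EnvHostedZoneID` when more than one zone qualifies, rather than guessing. The same line also dereferences `hostedZone.Config` without a nil check — pre-existing, but with `Config` being a pointer in the SDK types the rewritten condition is the natural place to guard it. getHostedZoneID begins and ends outside this hunk, so the rest of the function (including any no-match error) is assumed unchanged.

```go
	var hostedZoneID string
	matches := 0
	for _, hostedZone := range resp.HostedZones {
		// .Name has a trailing dot; Config is a pointer and may be absent.
		if hostedZone.Config == nil || ptr.Deref(hostedZone.Name) != authZone {
			continue
		}
		if hostedZone.Config.PrivateZone != d.config.PrivateZone {
			continue
		}
		hostedZoneID = ptr.Deref(hostedZone.Id)
		matches++
	}
	if matches > 1 {
		// Several private zones may share a name; refuse to pick one at random.
		return "", fmt.Errorf("%d hosted zones named %q match PrivateZone=%t, set %s to select one", matches, authZone, d.config.PrivateZone, EnvHostedZoneID)
	}
	// … unchanged: remainder of getHostedZoneID …
```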
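Review bot: Adding EnvPrivateZone to envTest only ensures the variable is cleared and restored between test runs; nothing in this hunk exercises the new option, so a regression in the zone-selection change would pass the suite unnoticed. Suggest a case in the environment-driven constructor test setting `AWS_PRIVATE_ZONE=true` and asserting `config.PrivateZone`, plus, if the file already mocks ListHostedZonesByName for getHostedZoneID, a case that lists a public and a private zone with the same name and checks the private one is returned only when the option is set. The `var envTest` declaration continues outside the hunk.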