
(route53): cross account zone delegations of more than one zone fail #17836

Closed
phoefflin opened this issue Dec 3, 2021 · 1 comment · Fixed by #17837
Labels
@aws-cdk/aws-route53 Related to Amazon Route 53 bug This issue is a bug. in-progress This issue is being actively worked on. p1

Comments

@phoefflin
Contributor

phoefflin commented Dec 3, 2021

What is the problem?

trying to delegate more than one subzone to zones in other aws accounts fails

Reproduction Steps

  1. create parent zones cdk app in parent_zone_account

  change principal to sub_zone_account principal, deploy and get roleArns from stack outputs

import * as iam from '@aws-cdk/aws-iam';
import * as route53 from '@aws-cdk/aws-route53';
import { Construct, CfnOutput, Stack, StackProps } from '@aws-cdk/core';


export class ParentZonesStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const crossAccountZoneDelegationPrincipal = new iam.AccountPrincipal('111111111111')

    const parentZone1 = new route53.PublicHostedZone(this, 'HostedZone1', {
      zoneName: 'domain1.com',
      crossAccountZoneDelegationPrincipal,
    });
    
    const parentZone2 = new route53.PublicHostedZone(this, 'HostedZone2', {
      zoneName: 'domain2.com',
      crossAccountZoneDelegationPrincipal,
    });
   
    new CfnOutput(this, 'zone1RoleArn', { value: parentZone1.crossAccountZoneDelegationRole?.roleArn || '' });
    new CfnOutput(this, 'zone2RoleArn', { value: parentZone2.crossAccountZoneDelegationRole?.roleArn || '' });
  }
}

  2. deploy subzones app in sub_zone_account

  update roleArns and deploy cdk app

import * as cdk from '@aws-cdk/core';
import * as iam from '@aws-cdk/aws-iam';
import * as route53 from '@aws-cdk/aws-route53';

export class SubZonesStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    
    const zone1RoleArn = '<arn1 from stack output>'
    const zone2RoleArn = '<arn2 from stack output>'
    
    new Zone(this, 'zone1', {
      name: 'domain1.com',
      arn: zone1RoleArn,
    })
    new Zone(this, 'zone2', {
      name: 'domain2.com',
      arn: zone2RoleArn,
    })

  }
}

export class Zone extends cdk.Construct {
  public constructor(scope: cdk.Construct, id: string, props: {arn: string, name: string}) {
    super(scope, id);
    
    const {arn, name} = props
    const role = iam.Role.fromRoleArn(this, `role${name}`, arn);
    const subZone = new route53.PublicHostedZone(this, `zone${name}`, {
      zoneName: `sub.${name}`,
    });
    new route53.CrossAccountZoneDelegationRecord(this, `delegate${name}`, {
      delegatedZone: subZone,
      parentHostedZoneName: name,
      delegationRole: role,
    });
  }
}

What did you expect to happen?

I expected both delegation NS records to be created in both parent zones

What actually happened?

the subZone stack failed with an Access denied error


6:39:34 PM | CREATE_FAILED        | Custom::CrossAccountZoneDelegation | zone2/delegatedoma...omResource/Default
Received response status [FAILED] from custom resource. Message returned: AccessDenied: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/SubZonesStack-CustomCrossAccountZoneDelegationCust-TL4005A93THW/SubZonesStack-CustomCrossAccountZoneDelegationCust-aHcKaNjM2AZe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXX:role/ParentZonesStack-HostedZone2CrossAccountZoneDelega-HKID8J9JJRWB
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) (RequestId: a470258f-86af-4521-ac52-8ca4fc610846)

CDK CLI Version

1.134.0 (build dd5e12d)

Framework Version

1.134.0

Node.js Version

v14.18.1

OS

linux

Language

Typescript

Language Version

No response

Other information

No response

@phoefflin phoefflin added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 3, 2021
@github-actions github-actions bot added the @aws-cdk/aws-route53 Related to Amazon Route 53 label Dec 3, 2021
phoefflin added a commit to phoefflin/aws-cdk that referenced this issue Dec 3, 2021
create individual policies for each delegated zone and add them
individually to the singleton lambda function role.

fixes aws#17836
@NGL321 NGL321 added in-progress This issue is being actively worked on. p1 and removed needs-triage This issue or PR still needs to be triaged. labels Dec 8, 2021
@njlynch njlynch removed their assignment Dec 30, 2021
@mergify mergify bot closed this as completed in #17837 Jan 5, 2022
mergify bot pushed a commit that referenced this issue Jan 5, 2022
the custom resource lambda function's role is only created once. To support multiple zone delegations the role creation and policy management needs to be decoupled so each CrossAccountZoneDelegationRecord instance can add an individual policy to the role.

Fixes #17836

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
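To make the failure mode in the commit message concrete, here is an added stand-alone model (not aws-cdk code, and it does not import the CDK): a per-stack singleton role for the custom-resource Lambda, a pre-fix flow where the role and its sts:AssumeRole policy are created together on first use, and a fixed flow where each delegation record attaches its own policy to the shared role. A minimal IAM-style check then shows that the pre-fix role can assume only the first parent-zone role, which is the AccessDenied seen above for zone2. All names (RoleModel, delegateBuggy, delegateFixed, canAssume) and the sample ARNs are constructed for this illustration.

```typescript
// Added illustration, not aws-cdk code. Models why a singleton custom-resource
// role cannot assume a second parent-zone role unless each delegation record
// attaches its own policy. All identifiers and ARNs here are constructed.

interface PolicyStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: string[];
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: PolicyStatement[];
}

// Stand-in for the custom-resource Lambda execution role: one per stack,
// with zero or more attached identity policies.
interface RoleModel {
  roleName: string;
  policies: PolicyDocument[];
}

// Stand-in for a stack that caches singleton constructs by id.
interface StackModel {
  roles: Map<string, RoleModel>;
}

const SINGLETON_ROLE_ID = 'CustomCrossAccountZoneDelegationRole'; // constructed id

function newStack(): StackModel {
  return { roles: new Map() };
}

// The policy a delegation record needs: permission to assume the parent
// account's delegation role (this statement shape is standard IAM).
function assumeRolePolicy(parentRoleArn: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: ['sts:AssumeRole'], Resource: [parentRoleArn] }],
  };
}

// Minimal IAM-style evaluation: sts:AssumeRole on an ARN is allowed only if
// some attached statement allows that action on that resource.
function canAssume(role: RoleModel, parentRoleArn: string): boolean {
  return role.policies.some(doc =>
    doc.Statement.some(s =>
      s.Effect === 'Allow' &&
      s.Action.includes('sts:AssumeRole') &&
      s.Resource.includes(parentRoleArn)));
}

// Pre-fix shape: role and policy are built together on first use, so the
// second record silently reuses a role that only names the first ARN.
function delegateBuggy(stack: StackModel, parentRoleArn: string): RoleModel {
  let role = stack.roles.get(SINGLETON_ROLE_ID);
  if (!role) {
    role = { roleName: SINGLETON_ROLE_ID, policies: [assumeRolePolicy(parentRoleArn)] };
    stack.roles.set(SINGLETON_ROLE_ID, role);
  }
  return role;
}

// Fixed shape: the role is still created once, but policy management is
// decoupled so every record attaches a policy for its own parent ARN.
function delegateFixed(stack: StackModel, parentRoleArn: string): RoleModel {
  let role = stack.roles.get(SINGLETON_ROLE_ID);
  if (!role) {
    role = { roleName: SINGLETON_ROLE_ID, policies: [] };
    stack.roles.set(SINGLETON_ROLE_ID, role);
  }
  role.policies.push(assumeRolePolicy(parentRoleArn));
  return role;
}

// Constructed placeholder ARNs (not real accounts or roles).
const ZONE1_ROLE_ARN = 'arn:aws:iam::222222222222:role/ParentZonesStack-HostedZone1-Delegation';
const ZONE2_ROLE_ARN = 'arn:aws:iam::222222222222:role/ParentZonesStack-HostedZone2-Delegation';

// Runs both flows for two delegations and reports what the shared role may assume.
function demo(): { buggy: boolean[]; fixed: boolean[] } {
  const buggyStack = newStack();
  delegateBuggy(buggyStack, ZONE1_ROLE_ARN);
  const buggyRole = delegateBuggy(buggyStack, ZONE2_ROLE_ARN);

  const fixedStack = newStack();
  delegateFixed(fixedStack, ZONE1_ROLE_ARN);
  const fixedRole = delegateFixed(fixedStack, ZONE2_ROLE_ARN);

  return {
    buggy: [canAssume(buggyRole, ZONE1_ROLE_ARN), canAssume(buggyRole, ZONE2_ROLE_ARN)], // [true, false]
    fixed: [canAssume(fixedRole, ZONE1_ROLE_ARN), canAssume(fixedRole, ZONE2_ROLE_ARN)], // [true, true]
  };
}

console.log(JSON.stringify(demo()));
```

The second element of `buggy` being false corresponds to the zone2 record's custom resource receiving AccessDenied on sts:AssumeRole: the Lambda role exists (the first record created it), but nothing ever granted it the second parent role. Keeping the role a singleton while attaching one policy per record is what lets both delegations succeed without creating a role per zone.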
@github-actions

github-actions bot commented Jan 5, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
the custom resource lambda function's role is only created once. To support multiple zone delegations the role creation and policy management needs to be decoupled so each CrossAccountZoneDelegationRecord instance can add an individual policy to the role.

Fixes aws#17836

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*