aws-cdk-lib/aws-route53: Use an existing role for performing DeleteExisting

[fjinkis]

Describe the feature

When you define a aws_route53.RecordSet you can enable the property deleteExisting to remove - or overwrite - a record if it already exists. The "problem" is each stack creates a new IAM Role in order to perform that operation. What I propose is being able to reuse an existing predefined role like we can do with other resources - as Lambda or Launch templates -

Lambda snippet

import { aws_lambda as lambda, aws_iam as iam } from "aws-cdk-lib";

// code here

new lambda.Function(this, "AlarmsHandlerFunction", {
          ...otherLambdaConfig,
          //       ⬇️
          role: iam.Role.fromRoleName(
            this,
            "FunctionRole",
            "SomePredefinedRole",
            { mutable: false }
          )
});

Launch template snippet

import { aws_ec2 as ec2, aws_iam as iam } from "aws-cdk-lib";

// code here

new ec2.LaunchTemplate(this, "AsgLaunchTemplate", {
        ...otherLaunchTemplateConfig,
        //       ⬇️
        role: iam.Role.fromRoleName(
          this,
          "InstanceProfileRole",
          "SomePredefinedRole",
          { mutable: false }
        )
});

Use Case

• When your CDK user doesn't have access to IAM
• When you want to keep roles tidy and with descriptive names
• When you have many stacks and you want to reuse and/or group roles

Proposed Solution

Following the same logic of other resources, it'd be great if we can do something like this:

import { aws_route53 as route53, aws_iam as iam } from "aws-cdk-lib";


// code here

new route53.ARecord(this, "Domain", {
        target: route53.RecordTarget.fromIpAddresses("10.10.0.1"),
        zone: route53.HostedZone.fromLookup(this, "Zone", {
          domainName: "example.com",
        }),
        recordName: "example1",
        comment: "Something descriptive",
        ttl: 300,
        deleteExisting: true,
        //       ⬇️
        role: iam.Role.fromRoleName(
          this,
          "DnsChangeRole",
          "SomePredefinedRole",
          { mutable: false }
        )
});

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.33.0

Environment details (OS name and version, etc.)

NixOS Porcupine

[MrSyn88]

I'm looking into this

[MrSyn88]

Or actually, did you already start working on this @fjinkis ?

[fjinkis]

@MrSyn88 No, I just suggested it as a new feature but I didn't start developing anything

[pahud]

@fjinkis Actually the deleteExisting feature is provided by a custom resource which will be generated or imported by the getOrCreateProvider, which means each stack will only have one CustomResourceProvider for this and technically only one IAM role for that provider will be provisioned behind the scene. And if you look at how the role is created it's essentially provisioned with the minimal required privileges. Is there any scenario or benefits you need to use an existing role for the provider rather than the hassle-free auto-generated one?

[fjinkis]

@pahud I find it useful in at least the following two scenarios:

1. When the CDK user doesn't have access to IAM. I think that it could be common for companies that provide automation services but they don't handle roles or policies because those IAM resources are managed by the client directly (kinda least privilege principle).
2. I'm working on a solution where each ECS service has its own stack, so I would like to have just one role to handle the DNS records, because I don't like very much the idea of having many roles doing the same thing to the same hosted zone

Do these cases make sense to you?

[rix0rrr]

The request makes sense. All roles should be configurable.

[pahud]

@fjinkis It makes perfect sense.

Looking into the code, the custom resource provider is vended by getOrCreateProvider() which does not support passing existing iam role and it always creates a new role. To make it possible I think we have to first allow getOrCreateProvider() accept a new role prop. Maybe we should create a separate PR for that first.

[pahud]

Hi @fjinkis

CDK v2.51.0 just introduced a IAM feature that allows you to use existing roles for a CDK stack.

check out this doc for more details - https://github.com/aws/aws-cdk/tree/main/packages/%40aws-cdk/aws-iam#customizing-role-creation

And check out my sample below:

As you can see no new roles will be created by CDK and the existing role will be used instead. I believe this should satisfy your scenario. Please let me know if it works for you.

[fjinkis]

Hey @pahud it worked! I'd like to apologize for publishing an issue that was finally supported. Although this request was focus to IAM, if you have a moment and if it's not a big deal, could you share with me some thoughts on any way to use a predefined Lambda to perform the record delation (and not one for each stack)?

[pahud]

@fjinkis Sounds like you are trying to use a shared predefined lambda function as the single custom resource provider across multiple stacks? I wonder what motivates you for that? To reduce the number of lambda functions?

[fjinkis]

Hi @pahud! Yeah, I think that is for a better management and also to reduce the lambda resources which does essentially the same thing

[pahud]

Gocha! I think current design is pretty optimal as there's only one shared lambda provider per stack. If you define 100 ARecord resources with deleteExisting enabled in a single stack, you would have 100 custom resources sharing one lambda handler only in this stack. If you have 10 stacks each has 100 ARecords, you have 100x10=1000 custom resources sharing 10x1=10 lambda handlers. Are you planning to reduce the number of custom resources or lambda handlers in this scenario?

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[fjinkis]

I completely agree with you about that! Probably, since it's a custom resource, we cannot specify what lambda should it use. However, responding to your question, my intention was reducing all those common resources that do the same thing over and over: in this case the lambda provider and IAM role

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.