feat(aws-route53): cross account DNS delegations #12680
Conversation
Added some tests for the handler, but it seems like this module is not migrated to Jest yet. Need to see how to make it compatible with Jest. EDIT: Added usage to
Thanks for this PR! Great stuff. I've left a first wave of comments.
packages/@aws-cdk/aws-route53/lib/cross-account-zone-delegation-handler/index.ts
packages/@aws-cdk/aws-route53/test/vpc-endpoint-service-domain-name.test.ts
Hi @njlynch, I have implemented all the suggestions and this PR is ready for the second round.
Looks great, thanks for the updates!
One minor typo, and one question about one of the tests you fixed (thanks again for the Jest update, btw!)
packages/@aws-cdk/aws-route53/test/vpc-endpoint-service-domain-name.test.ts
@njlynch Addressed the comments.
Awesome, thanks!
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
@ayush987goyal you rock!
@OperationalFallacy Yeah, I think this will be released as part of the next cut. You might have to wait for it, unfortunately :(
Hey @ayush987goyal, can this implementation work with cdk-pipeline? What I see is that the problem of passing NS servers from the "sub-zone" account to the "parent zone" account has now become a problem of passing the TLD zone ID and crossAccountZoneDelegationPrincipal between accounts, which conceptually is the same problem. Also, for the delegation role, the trust policy allows the "sub-zone" root principal (anybody?) to make changes in the TLD zone? That should be locked to a specific role, but again that goes back to the original problem: how to pass something between accounts created in independent stacks.
Hi @OperationalFallacy, the usage of this construct should not actually involve passing the zoneId and role around, but importing them using IDs. Dealing with cross-account resources has some challenges around it, and for this one you will have to hard-code the zoneId and roleArn from the parent account so that they can be imported like so:

```ts
// roleArn and hostedZoneId are the hard-coded values from the parent account
const delegationRole = iam.Role.fromRoleArn(this, 'Role', roleArn);

new route53.CrossAccountZoneDelegationRecord(this, 'delegate', {
  delegatedZone: subZone,
  parentHostedZoneId: hostedZoneId,
  delegationRole: delegationRole,
});
```

@njlynch Please add anything else if I missed out, or do let me know if we should include such examples in the README.
Ok, I managed to run it in the pipeline. IMHO it is not production ready. The role assume permissions can't be locked to a specific entity, only to account root principals. Another problem is lookups in the pipeline; you're right, the zone ID has to be hardcoded since
Putting aside all these technical details for this implementation, I wonder why the CloudFormation team can't implement cross-account, cross-region exports so CDK can do what it knows best?
Nice work @ayush987goyal!
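To make the two points in this thread concrete (the handler writing an NS record into the parent zone on behalf of the sub-zone account, and the trust policy being scoped to an account root rather than a specific role), here is an added example that is not code from the PR or from aws-cdk. It builds the Route 53 change batch such a handler would submit, refusing any delegated zone that is not actually a child of the parent zone, and builds a trust policy pinned to one hypothetical role ARN; the zone names, name servers and account ID are constructed sample values.

```typescript
// Added example, not the aws-cdk handler: change batch plus scoped trust policy.
type Action = 'UPSERT' | 'DELETE';
interface ChangeBatch {
  Comment: string;
  Changes: { Action: Action; ResourceRecordSet: {
    Name: string; Type: 'NS'; TTL: number; ResourceRecords: { Value: string }[] } }[];
}

// Lower-case and make the name fully qualified so comparisons are exact.
function normalize(name: string): string {
  const n = name.trim().toLowerCase();
  return n.endsWith('.') ? n : n + '.';
}

// True only if child is a strict subdomain of parent (label-boundary aware).
function isChildZone(parent: string, child: string): boolean {
  const p = normalize(parent), c = normalize(child);
  return c !== p && c.endsWith('.' + p);
}

// The NS record the delegation handler would UPSERT (or DELETE) in the parent
// zone; a zone outside the parent is rejected before any API call is made.
function buildDelegationChangeBatch(parentZoneName: string, delegatedZoneName: string,
                                    nameServers: string[], action: Action = 'UPSERT',
                                    ttl = 172800): ChangeBatch {
  if (!isChildZone(parentZoneName, delegatedZoneName)) {
    throw new Error(`${delegatedZoneName} is not a subdomain of ${parentZoneName}`);
  }
  if (nameServers.length === 0) throw new Error('at least one name server is required');
  return {
    Comment: `Delegation for ${normalize(delegatedZoneName)}`,
    Changes: [{
      Action: action,
      ResourceRecordSet: {
        Name: normalize(delegatedZoneName),
        Type: 'NS',
        TTL: ttl,
        ResourceRecords: nameServers.map(ns => ({ Value: normalize(ns) })),
      },
    }],
  };
}

// Trust policy for the delegation role in the parent account, pinned to one
// role in the sub-zone account instead of that account's root principal.
function buildTrustPolicy(assumingRoleArn: string) {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { AWS: assumingRoleArn }, Action: 'sts:AssumeRole' }],
  };
}
```

Pinning the trust policy to a role ARN still requires that ARN to be known in the parent account ahead of time, which is the same cross-stack hand-off the thread describes.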
feat(aws-route53): cross account DNS delegations
closes #8776
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license