feat(acm-certificatemanager): Add assume role for DNS validation record creation #23526
This is pending #23525
7fefb77 to 38945f6
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
38945f6 to 12b43f4

bb6794b to db23f40
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Any progress on this?
db23f40 to 000ee87
Any way we can assist in getting this merged?
If the Route 53 Hosted Zone is in a separate AWS account you can pass a role to assume to create the validation records

```ts
const example.vom = route53.HostedZone.fromHostedZoneAttributes(this, 'ExampleCom', {
```
```diff
-const example.vom = route53.HostedZone.fromHostedZoneAttributes(this, 'ExampleCom', {
+const example = route53.HostedZone.fromHostedZoneAttributes(this, 'ExampleCom', {
```
```ts
service: 'iam',
account: '123456789', // Role of account with zone
resource: 'role',
resourceName: 'DNSRole', // Role that is able to make changes
```
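Review bot: the sample account id `'123456789'` on the `account:` line is nine digits, but AWS account ids are always twelve, so anyone copying this README example gets a role ARN that no principal can assume; use an obviously fake twelve-digit value such as `'123456789012'`. The trailing comment on that line (`// Role of account with zone`) also describes the account rather than a role, so something like `// account that owns the hosted zone` reads more accurately.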
```diff
-resourceName: 'DNSRole', // Role that is able to make changes
+resourceName: 'DnsRole', // Role that is able to make changes
```
The role in the account with the hosted zone needs to look like

```ts
const role = new iam.Role(this, 'Role', {
```
I think there needs to be a factory for this role. This feels a bit like implementation detail leakage.
I have a construct I've released which handles the role creation. https://constructs.dev/packages/cdk-cross-account-route53/
I wasn't sure if it was appropriate to include it in CDK itself.
…rd creation

Add the ability to specify a role to assume when creating the DNS records for ACM validation. This allows the lambda function to assume a role to make the DNS changes, which is necessary if the zone is hosted in another AWS account.
000ee87 to 37d468b
@Mergifyio update
❌ Base branch update has failed: refusing to allow a GitHub App to create or update workflow
Thank you for your contribution. I apologize for the work you put into this but we have deprecated
Add the ability to specify a role to assume to create DNS records for ACM validation.
This allows the lambda function to assume a role to make the DNS changes, which is necessary if the zone is hosted in another AWS account.
This should help address #8934, #4469, #12657, #13686
All Submissions:

Adding new Construct Runtime Dependencies:

New Features

`yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
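The role the README excerpt above asks for in the zone account, as an added example that is not part of this PR or of aws-cdk: plain TypeScript (no CDK imports) that builds the role ARN the README composes and a least-privilege trust and permissions policy for it. The twelve-digit account ids, hosted zone id and domain are constructed placeholders, and the two Route 53 condition keys that scope `ChangeResourceRecordSets` to CNAME records under the validated name are my assumption of what the validation Lambda needs.

```typescript
// Added example, not aws-cdk code: the cross-account role the README asks for, as plain
// IAM policy documents. Account ids, hosted zone id and domain are constructed placeholders.
type Statement = { Effect: 'Allow'; Action: string; Resource?: string; Principal?: { AWS: string };
  Condition?: Record<string, Record<string, string[]>> };
type PolicyDocument = { Version: '2012-10-17'; Statement: Statement[] };
// AWS account ids are exactly twelve digits; the nine-digit '123456789' in the README
// snippet is rejected here rather than silently producing an ARN no principal can assume.
function assertAccountId(id: string): string {
  if (!/^\d{12}$/.test(id)) throw new Error(`invalid AWS account id: ${id}`);
  return id;
}

// The ARN the README composes from service 'iam', resource 'role', resourceName 'DnsRole'.
function dnsRoleArn(zoneAccount: string, roleName = 'DnsRole', partition = 'aws'): string {
  return `arn:${partition}:iam::${assertAccountId(zoneAccount)}:role/${roleName}`;
}

// Trust policy for the role in the zone account: only the certificate account may assume it.
function trustPolicy(certificateAccount: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { AWS: `arn:aws:iam::${assertAccountId(certificateAccount)}:root` },
      Action: 'sts:AssumeRole',
    }],
  };
}
// Permissions policy: CNAME writes only, only under the validated name, only in the one hosted
// zone, plus GetChange to poll propagation. The two Route 53 condition keys are my assumption
// of what the validation Lambda's ChangeResourceRecordSets call needs.
function permissionsPolicy(hostedZoneId: string, domainName: string): PolicyDocument {
  const name = domainName.replace(/^\*\./, ''); // a wildcard cert validates at its parent name
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: 'route53:ChangeResourceRecordSets',
        Resource: `arn:aws:route53:::hostedzone/${hostedZoneId}`,
        Condition: {
          'ForAllValues:StringEquals': { 'route53:ChangeResourceRecordSetsRecordTypes': ['CNAME'] },
          'ForAllValues:StringLike': { 'route53:ChangeResourceRecordSetsNormalizedRecordNames': [`*.${name}`] },
        },
      },
      { Effect: 'Allow', Action: 'route53:GetChange', Resource: 'arn:aws:route53:::change/*' },
    ],
  };
}
```

The ACM validation record for both `example.com` and `*.example.com` is a CNAME named `_<token>.example.com`, which is why the name pattern is anchored one label below the validated name.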