feat(acm-certificatemanager): Add assume role for DNS validation record creation #23526
Conversation
|
|
github-actions
bot
added
beginning-contributor
|
This is pending #23525 |
johnf
force-pushed
the
dns-validated-cert-assume-role
branch
from
7fefb77
to
38945f6
Compare
johnf
changed the title
johnf
force-pushed
the
dns-validated-cert-assume-role
branch
from
38945f6
to
12b43f4
Compare
johnf
changed the title
johnf
force-pushed
the
dns-validated-cert-assume-role
branch
3 times, most recently
from
bb6794b
to
db23f40
Compare
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
|
Any progress on this? |
johnf
force-pushed
the
dns-validated-cert-assume-role
branch
from
db23f40
to
000ee87
Compare
|
Any way we can assist in getting this merged? |
| If the Route 53 Hosted Zone is in a separate AWS account you can pass a role to assume to create the validation records | ||
|
|
||
| ```ts | ||
| const example.vom = route53.HostedZone.fromHostedZoneAttributes(this, 'ExampleCom', { |
There was a problem hiding this comment.
| const example.vom = route53.HostedZone.fromHostedZoneAttributes(this, 'ExampleCom', { | |
| const example = route53.HostedZone.fromHostedZoneAttributes(this, 'ExampleCom', { |
| service: 'iam', | ||
| account: '123456789', // Role of account with zone | ||
| resource: 'role', | ||
| resourceName: 'DNSRole', // Role that is able to make changes |
There was a problem hiding this comment.
| resourceName: 'DNSRole', // Role that is able to make changes | |
| resourceName: 'DnsRole', // Role that is able to make changes |
| The role in the account with the hosted zone needs to look like | ||
|
|
||
| ```ts | ||
| const role = new iam.Role(this, 'Role', { |
There was a problem hiding this comment.
I think there needs to be a factory for this role. This feels a bit like implementation detail leakage.
There was a problem hiding this comment.
I have a construct I've released which handles the role creation. https://constructs.dev/packages/cdk-cross-account-route53/
I wasn't sure if it was appropriate to include it in CDK itself.
…rd creation Add the ability to specify a role to assume when creating the DNS records for ACM validation. This allows the lambda function to assume a role to make the DNS changes, which is necessary if the zone is hosted in another AWS account.
johnf
force-pushed
the
dns-validated-cert-assume-role
branch
from
000ee87
to
37d468b
Compare
|
@Mergifyio update |
❌ Base branch update has failedrefusing to allow a GitHub App to create or update workflow |
|
Thank you for your contribution. I apologize for the work you put into this but we have deprecated |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Add the ability to specify a role to assume to create DNS records for ACM validation.
This allows the lambda function to assume a role to make the DNS changes, which is necessary if the zone us hosted in another AWS account.
This should help address #8934, #4469, #12657, #13686
All Submissions:
Adding new Construct Runtime Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license