feat(route53): support intermediate role for CrossAccountZoneDelegationRecord#36975

Open
cfoley220 wants to merge 1 commit into aws:main from cfoley220:cfoley220/cross-account-zone-intermediate-role

Conversation


@cfoley220 cfoley220 commented Feb 12, 2026

Issue

No existing issue - this PR highlights a limitation and proposes a solution.

Reason for this change

The current CrossAccountZoneDelegationRecord construct requires the under-the-hood Custom Resource's Lambda execution role to directly assume the delegation role in the parent account. This limits flexibility for teams that need role chaining for various architectural reasons.

For my team specifically, managing zone delegation across hundreds of accounts has hit IAM trust policy size limits on the delegation role. Using an intermediate role as a single trust point solves this scaling issue. The usage of intermediate roles is a developed solution for our application to interface with other AWS accounts for other use cases, without needing the other AWS accounts to maintain a list of hundreds of accounts. This PR allows usage for maintaining our R53 record.

Description of changes

Added optional intermediateRole parameter to CrossAccountZoneDelegationRecord that enables role chaining:

  1. Lambda assumes intermediate role
  2. Uses those credentials to assume delegation role
  3. Performs Route53 record update

Changes:

  • Added intermediateRole optional property to construct
  • Modified custom resource handler to chain role assumptions via masterCredentials
  • Updated IAM policy to grant permission to intermediate role when provided
  • Fully backward compatible (optional parameter)

Description of how you validated changes

  • Unit tests for with/without intermediate role scenarios
  • Successfully ran /bin/bash run-rosetta.sh for README changes
  • Updated integration tests
    • Successfully ran integ.zone-delegation-iam-stack.ts with --update-on-failed
    • NOTICE: I was unable to run integ.cross-account-zone-delegation.ts due to the cross-account specifics required. As such, I did not check in any snapshot changes. Can a maintainer run these tests?
    • As a stop gap, I successfully updated a CDK application I own to use the new handler code and an intermediate role. I verified by revoking access from the delegation role to my app's AWS account (while allowing access from the intermediate account).

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
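The three-step role chain described in the PR (Lambda role assumes the intermediate role, those credentials assume the delegation role, the delegation role's credentials perform the Route53 update), as an added example that is not code from the PR or from aws-cdk. The STS client is injected, so a constructed in-memory STS that enforces a trust model stands in for the AWS SDK; the account ids and role names are placeholders, and `masterCredentials` is borrowed from the PR's own naming. It also shows the motivating point of the change: with the intermediate role as the single trust point, the delegation role's trust policy names one principal, and a direct assumption by the per-account Lambda role is denied while the chained one succeeds.

```typescript
// Added example, not part of the PR or aws-cdk. Models the role chain the proposed
// intermediateRole option performs inside the custom-resource handler, against a
// constructed trust model so it runs offline. All ARNs are placeholders.

/** Temporary credentials as returned by STS AssumeRole. */
interface Credentials {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken: string;
  /** Principal these credentials act as (tracked for the demo; real STS returns AssumedRoleUser). */
  principalArn: string;
}

/** The one STS operation the chain needs; the real handler would call the AWS SDK here. */
interface StsLike {
  assumeRole(callerCredentials: Credentials, roleArn: string): Credentials;
}

/**
 * Role chain used by the handler:
 *   1. the caller (Lambda execution role) assumes the intermediate role, if one is configured
 *   2. those credentials ("masterCredentials" in the PR) assume the delegation role
 * Returns the credentials that the Route53 ChangeResourceRecordSets call must be signed with.
 */
function resolveDelegationCredentials(
  sts: StsLike,
  lambdaCredentials: Credentials,
  delegationRoleArn: string,
  intermediateRoleArn?: string,
): Credentials {
  const masterCredentials = intermediateRoleArn
    ? sts.assumeRole(lambdaCredentials, intermediateRoleArn)
    : lambdaCredentials; // backward-compatible path: no intermediate role, direct assumption
  return sts.assumeRole(masterCredentials, delegationRoleArn);
}

/**
 * Constructed in-memory STS: each role ARN maps to the set of principal ARNs that its
 * trust policy allows. AssumeRole succeeds only when the caller's principal is trusted.
 */
class FakeSts implements StsLike {
  private readonly trust: Record<string, Set<string>>;
  private calls = 0;

  constructor(trust: Record<string, Set<string>>) {
    this.trust = trust;
  }

  assumeRole(callerCredentials: Credentials, roleArn: string): Credentials {
    const trusted = this.trust[roleArn];
    if (!trusted || !trusted.has(callerCredentials.principalArn)) {
      throw new Error(`AccessDenied: ${callerCredentials.principalArn} is not authorized to assume ${roleArn}`);
    }
    this.calls += 1;
    // Fresh credentials whose identity is the assumed role.
    return {
      accessKeyId: `ASIA-${this.calls}`,
      secretAccessKey: `secret-${this.calls}`,
      sessionToken: `token-${this.calls}`,
      principalArn: roleArn,
    };
  }
}

// Constructed topology (placeholder account ids):
//  - the delegation role in the parent account trusts ONLY the intermediate role
//  - the intermediate role trusts the per-account Lambda execution roles
const DELEGATION_ROLE = 'arn:aws:iam::111111111111:role/ZoneDelegationRole';
const INTERMEDIATE_ROLE = 'arn:aws:iam::222222222222:role/IntermediateRole';
const LAMBDA_ROLE = 'arn:aws:iam::333333333333:role/CrossAccountZoneDelegationHandlerRole';

const LAMBDA_CREDENTIALS: Credentials = {
  accessKeyId: 'ASIA-lambda',
  secretAccessKey: 'secret-lambda',
  sessionToken: 'token-lambda',
  principalArn: LAMBDA_ROLE,
};

function buildSampleSts(): FakeSts {
  return new FakeSts({
    [DELEGATION_ROLE]: new Set([INTERMEDIATE_ROLE]),
    [INTERMEDIATE_ROLE]: new Set([LAMBDA_ROLE]),
  });
}

/** Without intermediateRole the Lambda role is not in the delegation role's trust policy: denied. */
function directAssumptionDenied(): boolean {
  try {
    resolveDelegationCredentials(buildSampleSts(), LAMBDA_CREDENTIALS, DELEGATION_ROLE);
    return false;
  } catch (err) {
    return (err as Error).message.startsWith('AccessDenied');
  }
}

/** With intermediateRole the chain completes and the Route53 call runs as the delegation role. */
function chainedAssumptionPrincipal(): string {
  return resolveDelegationCredentials(
    buildSampleSts(), LAMBDA_CREDENTIALS, DELEGATION_ROLE, INTERMEDIATE_ROLE,
  ).principalArn;
}
```

Adding a new account to the topology means adding its Lambda role to the intermediate role's trust set only; the delegation role's trust policy is untouched, which is the scaling property the PR relies on.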

@aws-cdk-automation aws-cdk-automation requested a review from a team February 12, 2026 15:28
@github-actions github-actions bot added p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Feb 12, 2026
@aws-cdk-automation aws-cdk-automation (Collaborator) left a comment

The pull request linter fails with the following errors:

❌ Features must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

@cfoley220 cfoley220 (Author) commented

Clarification Request:

Per contributing guide, if integ tests are unable to be run, "please call this out on the pull request so a maintainer can run the tests for you". This is noted in PR description. Let me know if I should include resultant snapshots myself.

@aws-cdk-automation aws-cdk-automation added pr/reviewer-clarification-requested The contributor has requested clarification on feedback, a failing build, or a failing PR Linter run pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. labels Feb 12, 2026