aws - route53 record set delete action, hosted zone delete fix (#9291)

cloud-custodian · Mar 4, 2024 · 944b183 · 944b183
1 parent d0c7329
commit 944b183
Show file tree

Hide file tree

Showing 10 changed files with 388 additions and 6 deletions.
diff --git a/c7n/resources/route53.py b/c7n/resources/route53.py
@@ -71,6 +71,16 @@ def process_tags(resources):
         return list(w.map(process_tags, chunks(resources, 20)))
 
 
+def generate_rrset(recordset):
+    keys = (
+        'Name', 'Type', 'TTL', 'SetIdentifier', 'Region', 'AliasTarget', 'ResourceRecords')
+    rrset_payload = dict()
+    for key in keys:
+        if key in recordset:
+            rrset_payload.update({key: recordset[key]})
+    return rrset_payload
+
+
 @resources.register('hostedzone')
 class HostedZone(Route53Base, QueryResourceManager):
 
@@ -208,6 +218,58 @@ def process_resource_set(self, client, domains, keys):
                 TagsToDelete=keys)
 
 
+@ResourceRecordSet.action_registry.register('delete')
+class ResourceRecordSetRemove(BaseAction):
+    """Action to delete resource records from Route 53 hosted zones.
+
+    It is recommended to use a filter to avoid unwanted deletion
+    of R53 records from all hosted zones.
+
+    :example:
+
+    .. code-block:: yaml
+
+            policies:
+              - name: route53-remove-filtered-records
+                resource: aws.rrset
+                filters:
+                  - type: value
+                    key: AliasTarget.DNSName
+                    value: "email.gc.example.com."
+                actions:
+                  - type: delete
+
+    """
+    schema = type_schema('delete',)
+    permissions = ('route53:ChangeResourceRecordSets',)
+
+    def process(self, recordsets):
+        client = local_session(self.manager.session_factory).client('route53')
+        try:
+            for rrset in recordsets:
+
+                # Exempt the two zone associated mandatory records
+                if rrset['Type'] in ('NS', 'SOA'):
+                    continue
+
+                rrsetdata = generate_rrset(rrset)
+                self.manager.retry(
+                    client.change_resource_record_sets,
+                    HostedZoneId=rrset['c7n:parent-id'],
+                    ChangeBatch={
+                        'Changes': [
+                            {
+                                'Action': 'DELETE',
+                                'ResourceRecordSet': rrsetdata,
+                            }
+                        ]
+                    },
+                    ignore_err_codes=('InvalidChangeBatch'))
+        except Exception as e:
+                self.log.warning(
+                    "ResourceRecordSet delete error: %s", e)
+
+
 @HostedZone.action_registry.register('delete')
 class Delete(BaseAction):
     """Action to delete Route 53 hosted zones.
@@ -234,6 +296,8 @@ class Delete(BaseAction):
 
     schema = type_schema('delete', force={'type': 'boolean'})
     permissions = ('route53:DeleteHostedZone',)
+    keys = (
+        'Name', 'Type', 'TTL', 'SetIdentifier', 'Region', 'AliasTarget', 'ResourceRecords')
 
     def process(self, hosted_zones):
         client = local_session(self.manager.session_factory).client('route53')
@@ -267,19 +331,15 @@ def delete_records(self, client, hz):
             # Exempt the two zone associated mandatory records
             if rrset['Name'] == hz['Name'] and rrset['Type'] in ('NS', 'SOA'):
                 continue
+            rrsetdata = generate_rrset(rrset)
             self.manager.retry(
                 client.change_resource_record_sets,
                 HostedZoneId=hz['Id'],
                 ChangeBatch={
                     'Changes': [
                         {
                             'Action': 'DELETE',
-                            'ResourceRecordSet': {
-                                'Name': rrset['Name'],
-                                'Type': rrset['Type'],
-                                'TTL': rrset['TTL'],
-                                'ResourceRecords': rrset['ResourceRecords']
-                            },
+                            'ResourceRecordSet': rrsetdata,
                         }
                     ]
                 },

diff --git a/...a/placebo/test_r53_resourcerecordset_cname_remove/route53.ChangeResourceRecordSets_1.json b/...a/placebo/test_r53_resourcerecordset_cname_remove/route53.ChangeResourceRecordSets_1.json
@@ -0,0 +1,20 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "ChangeInfo": {
+            "Id": "/change/C08700492OMT62TVMBS6H",
+            "Status": "PENDING",
+            "SubmittedAt": {
+                "__class__": "datetime",
+                "year": 2024,
+                "month": 2,
+                "day": 11,
+                "hour": 17,
+                "minute": 38,
+                "second": 53,
+                "microsecond": 103000
+            }
+        }
+    }
+}
diff --git a/tests/data/placebo/test_r53_resourcerecordset_cname_remove/route53.ListHostedZones_1.json b/tests/data/placebo/test_r53_resourcerecordset_cname_remove/route53.ListHostedZones_1.json
@@ -0,0 +1,19 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "HostedZones": [
+            {
+                "Id": "/hostedzone/Z0703663WE3WTQ3FAPIF",
+                "Name": "subdomain.example.com.",
+                "CallerReference": "1560",
+                "Config": {
+                    "PrivateZone": true
+                },
+                "ResourceRecordSetCount": 3
+            }
+        ],
+        "IsTruncated": false,
+        "MaxItems": "100"
+    }
+}
diff --git a/...ata/placebo/test_r53_resourcerecordset_cname_remove/route53.ListResourceRecordSets_1.json b/...ata/placebo/test_r53_resourcerecordset_cname_remove/route53.ListResourceRecordSets_1.json
@@ -0,0 +1,49 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "ResourceRecordSets": [
+            {
+                "Name": "subdomain.example.com.",
+                "Type": "NS",
+                "TTL": 172800,
+                "ResourceRecords": [
+                    {
+                        "Value": "ns-1536.awsdns-00.co.uk."
+                    },
+                    {
+                        "Value": "ns-0.awsdns-00.com."
+                    },
+                    {
+                        "Value": "ns-1024.awsdns-00.org."
+                    },
+                    {
+                        "Value": "ns-512.awsdns-00.net."
+                    }
+                ]
+            },
+            {
+                "Name": "subdomain.example.com.",
+                "Type": "SOA",
+                "TTL": 900,
+                "ResourceRecords": [
+                    {
+                        "Value": "ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"
+                    }
+                ]
+            },
+            {
+                "Name": "mail.subdomain.example.com.",
+                "Type": "CNAME",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "mailserver01.subdomain.example.com."
+                    }
+                ]
+            }
+        ],
+        "IsTruncated": false,
+        "MaxItems": "100"
+    }
+}
diff --git a/...ata/placebo/test_r53_resourcerecordset_cname_remove/route53.ListResourceRecordSets_2.json b/...ata/placebo/test_r53_resourcerecordset_cname_remove/route53.ListResourceRecordSets_2.json
@@ -0,0 +1,39 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "ResourceRecordSets": [
+            {
+                "Name": "subdomain.example.com.",
+                "Type": "NS",
+                "TTL": 172800,
+                "ResourceRecords": [
+                    {
+                        "Value": "ns-1536.awsdns-00.co.uk."
+                    },
+                    {
+                        "Value": "ns-0.awsdns-00.com."
+                    },
+                    {
+                        "Value": "ns-1024.awsdns-00.org."
+                    },
+                    {
+                        "Value": "ns-512.awsdns-00.net."
+                    }
+                ]
+            },
+            {
+                "Name": "subdomain.example.com.",
+                "Type": "SOA",
+                "TTL": 900,
+                "ResourceRecords": [
+                    {
+                        "Value": "ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"
+                    }
+                ]
+            }
+        ],
+        "IsTruncated": false,
+        "MaxItems": "100"
+    }
+}
diff --git a/tests/data/placebo/test_r53_resourcerecordset_remove/route53.ChangeResourceRecordSets_1.json b/tests/data/placebo/test_r53_resourcerecordset_remove/route53.ChangeResourceRecordSets_1.json
@@ -0,0 +1,20 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "ChangeInfo": {
+            "Id": "/change/C0028923170KHKBOZN21G",
+            "Status": "PENDING",
+            "SubmittedAt": {
+                "__class__": "datetime",
+                "year": 2024,
+                "month": 2,
+                "day": 11,
+                "hour": 14,
+                "minute": 14,
+                "second": 7,
+                "microsecond": 346000
+            }
+        }
+    }
+}
diff --git a/tests/data/placebo/test_r53_resourcerecordset_remove/route53.ListHostedZones_1.json b/tests/data/placebo/test_r53_resourcerecordset_remove/route53.ListHostedZones_1.json
@@ -0,0 +1,19 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "HostedZones": [
+            {
+                "Id": "/hostedzone/Z0703663WE3WTQ3FAPIF",
+                "Name": "subdomain.example.com.",
+                "CallerReference": "1560",
+                "Config": {
+                    "PrivateZone": true
+                },
+                "ResourceRecordSetCount": 4
+            }
+        ],
+        "IsTruncated": false,
+        "MaxItems": "100"
+    }
+}
diff --git a/tests/data/placebo/test_r53_resourcerecordset_remove/route53.ListResourceRecordSets_1.json b/tests/data/placebo/test_r53_resourcerecordset_remove/route53.ListResourceRecordSets_1.json
@@ -0,0 +1,58 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "ResourceRecordSets": [
+            {
+                "Name": "subdomain.example.com.",
+                "Type": "A",
+                "AliasTarget": {
+                    "HostedZoneId": "Z1YSA3EXCYUU9Z",
+                    "DNSName": "vpce-12345abcdefgh-mxpozkdy.us-west-2.vpce.amazonaws.com.",
+                    "EvaluateTargetHealth": true
+                }
+            },
+            {
+                "Name": "subdomain.example.com.",
+                "Type": "NS",
+                "TTL": 172800,
+                "ResourceRecords": [
+                    {
+                        "Value": "ns-1536.awsdns-00.co.uk."
+                    },
+                    {
+                        "Value": "ns-0.awsdns-00.com."
+                    },
+                    {
+                        "Value": "ns-1024.awsdns-00.org."
+                    },
+                    {
+                        "Value": "ns-512.awsdns-00.net."
+                    }
+                ]
+            },
+            {
+                "Name": "subdomain.example.com.",
+                "Type": "SOA",
+                "TTL": 900,
+                "ResourceRecords": [
+                    {
+                        "Value": "ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"
+                    }
+                ]
+            },
+            {
+                "Name": "mail.subdomain.example.com.",
+                "Type": "CNAME",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "mailserver01.subdomain.example.com."
+                    }
+                ]
+            }
+        ],
+        "IsTruncated": false,
+        "MaxItems": "100"
+    }
+}
diff --git a/tests/data/placebo/test_r53_resourcerecordset_remove/route53.ListResourceRecordSets_2.json b/tests/data/placebo/test_r53_resourcerecordset_remove/route53.ListResourceRecordSets_2.json
@@ -0,0 +1,49 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "ResourceRecordSets": [
+            {
+                "Name": "subdomain.example.com.",
+                "Type": "NS",
+                "TTL": 172800,
+                "ResourceRecords": [
+                    {
+                        "Value": "ns-1536.awsdns-00.co.uk."
+                    },
+                    {
+                        "Value": "ns-0.awsdns-00.com."
+                    },
+                    {
+                        "Value": "ns-1024.awsdns-00.org."
+                    },
+                    {
+                        "Value": "ns-512.awsdns-00.net."
+                    }
+                ]
+            },
+            {
+                "Name": "subdomain.example.com.",
+                "Type": "SOA",
+                "TTL": 900,
+                "ResourceRecords": [
+                    {
+                        "Value": "ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"
+                    }
+                ]
+            },
+            {
+                "Name": "mail.subdomain.example.com.",
+                "Type": "CNAME",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "mailserver01.subdomain.example.com."
+                    }
+                ]
+            }
+        ],
+        "IsTruncated": false,
+        "MaxItems": "100"
+    }
+}