Skip to content

Commit

Permalink
feat(route53): allow specifying an STS region when creating a cross-a…
Browse files Browse the repository at this point in the history 
…ccount zone delegation (#29466)

### Issue # (if applicable)

n/a

### Reason for this change

In certain circumstances, the default STS region resolution logic will not properly select a region due to the hardcoded mapping between region prefixes and STS regions. 

### Description of changes

This change allows callers to specify a region in which STS will be called.

### Description of how you validated changes

Unit tests were added to aws-cdk-lib. Integ tests were updated and pass on my personal accounts, but I'm not sure how to check if they'll pass in CI.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
@naiello
naiello authored Mar 28, 2024
1 parent 8a7c5c8 commit fe4bc1d
Show file tree
Hide file tree
Showing 23 changed files with 615 additions and 33 deletions.
1 change: 0 additions & 1 deletion ....snapshot/asset.aca4a134bf7ace6088b21213be7ab4357e3705f714362b690d76376b8f1df53a/index.js
View file

This file was deleted.

0 ...4362b690d76376b8f1df53a/__entrypoint__.js → ...5d10cfe133dc43f54705458/__entrypoint__.js
View file
File renamed without changes.
1 change: 1 addition & 0 deletions ....snapshot/asset.f43e5ef82b45e2e3ecb60cd54aa4a3599da7bb4c85d10cfe133dc43f54705458/index.js
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

34 changes: 34 additions & 0 deletions ...ccount-zone-delegation.js.snapshot/child-opt-in-stack-with-assume-role-region.assets.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

159 changes: 159 additions & 0 deletions ...ount-zone-delegation.js.snapshot/child-opt-in-stack-with-assume-role-region.template.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,159 @@
{
"Resources": {
"SubZoneF7955E1A": {
"Type": "AWS::Route53::HostedZone",
"Properties": {
"Name": "sub3.uniqueexample.com."
}
},
"delegatecrossaccountzonedelegationhandlerrolePolicychildoptinstackwithassumeroleregiondelegatecrossaccountzonedelegationhandlerroleA822DAE1970772B0": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::12345678:role/MyUniqueDelegationRole"
}
],
"Version": "2012-10-17"
},
"PolicyName": "PolicychildoptinstackwithassumeroleregiondelegatecrossaccountzonedelegationhandlerroleA822DAE1",
"Roles": [
{
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Fn::GetAtt": [
"CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B",
"Arn"
]
}
]
}
]
}
]
}
]
}
]
}
},
"delegateCrossAccountZoneDelegationCustomResource23BD590B": {
"Type": "Custom::CrossAccountZoneDelegation",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265",
"Arn"
]
},
"AssumeRoleArn": "arn:aws:iam::12345678:role/MyUniqueDelegationRole",
"ParentZoneName": "uniqueexample.com",
"DelegatedZoneName": "sub3.uniqueexample.com",
"DelegatedZoneNameServers": {
"Fn::GetAtt": [
"SubZoneF7955E1A",
"NameServers"
]
},
"TTL": 172800,
"AssumeRoleRegion": "eu-west-1"
},
"DependsOn": [
"delegatecrossaccountzonedelegationhandlerrolePolicychildoptinstackwithassumeroleregiondelegatecrossaccountzonedelegationhandlerroleA822DAE1970772B0"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
]
},
"ManagedPolicyArns": [
{
"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
]
}
},
"CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "cdk-hnb659fds-assets-234567890123-af-south-1",
"S3Key": "f43e5ef82b45e2e3ecb60cd54aa4a3599da7bb4c85d10cfe133dc43f54705458.zip"
},
"Timeout": 900,
"MemorySize": 128,
"Handler": "__entrypoint__.handler",
"Role": {
"Fn::GetAtt": [
"CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B",
"Arn"
]
},
"Runtime": "nodejs18.x"
},
"DependsOn": [
"CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B"
]
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
10 changes: 5 additions & 5 deletions ...ute53/test/integ.cross-account-zone-delegation.js.snapshot/child-opt-in-stack.assets.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions ...e53/test/integ.cross-account-zone-delegation.js.snapshot/child-opt-in-stack.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"SubZoneF7955E1A": {
"Type": "AWS::Route53::HostedZone",
"Properties": {
"Name": "sub.uniqueexample.com."
"Name": "sub2.uniqueexample.com."
}
},
"delegatecrossaccountzonedelegationhandlerrolePolicychildoptinstackdelegatecrossaccountzonedelegationhandlerroleD1C6F26DE28FC01D": {
Expand Down Expand Up @@ -61,7 +61,7 @@
},
"AssumeRoleArn": "arn:aws:iam::12345678:role/MyUniqueDelegationRole",
"ParentZoneName": "uniqueexample.com",
"DelegatedZoneName": "sub.uniqueexample.com",
"DelegatedZoneName": "sub2.uniqueexample.com",
"DelegatedZoneNameServers": {
"Fn::GetAtt": [
"SubZoneF7955E1A",
Expand Down Expand Up @@ -103,7 +103,7 @@
"Properties": {
"Code": {
"S3Bucket": "cdk-hnb659fds-assets-234567890123-af-south-1",
"S3Key": "aca4a134bf7ace6088b21213be7ab4357e3705f714362b690d76376b8f1df53a.zip"
"S3Key": "f43e5ef82b45e2e3ecb60cd54aa4a3599da7bb4c85d10cfe133dc43f54705458.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
10 changes: 5 additions & 5 deletions .../aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/child-stack.assets.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion ...ws-route53/test/integ.cross-account-zone-delegation.js.snapshot/child-stack.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@
"Properties": {
"Code": {
"S3Bucket": "cdk-hnb659fds-assets-234567890123-us-east-1",
"S3Key": "aca4a134bf7ace6088b21213be7ab4357e3705f714362b690d76376b8f1df53a.zip"
"S3Key": "f43e5ef82b45e2e3ecb60cd54aa4a3599da7bb4c85d10cfe133dc43f54705458.zip"
},
"Timeout": 900,
"MemorySize": 128,
Expand Down
3 changes: 2 additions & 1 deletion ...rk-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/integ.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit fe4bc1d

Please sign in to comment.