fix(route53): fix cross account delegation deployment dependency (#19047)

phoefflin · web-flow · commit 692a0d06f286 · 2022-02-21T01:34:29.000Z
For each zone to delegate a policy is created and attached to the handler role. This change adds an explicit dependency between the policy attachment and the lambda handler to make sure the cross account delegation handler is not started before the policy is created and attached to the handler role. fixes: #19041 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-route53/lib/record-set.ts b/packages/@aws-cdk/aws-route53/lib/record-set.ts
@@ -690,13 +690,13 @@ export class CrossAccountZoneDelegationRecord extends CoreConstruct {
 
     const role = iam.Role.fromRoleArn(this, 'cross-account-zone-delegation-handler-role', provider.roleArn);
 
-    role.addToPrincipalPolicy(new iam.PolicyStatement({
+    const addToPrinciplePolicyResult = role.addToPrincipalPolicy(new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['sts:AssumeRole'],
       resources: [props.delegationRole.roleArn],
     }));
 
-    new CustomResource(this, 'CrossAccountZoneDelegationCustomResource', {
+    const customResource = new CustomResource(this, 'CrossAccountZoneDelegationCustomResource', {
       resourceType: CROSS_ACCOUNT_ZONE_DELEGATION_RESOURCE_TYPE,
       serviceToken: provider.serviceToken,
       removalPolicy: props.removalPolicy,
@@ -709,5 +709,9 @@ export class CrossAccountZoneDelegationRecord extends CoreConstruct {
         TTL: (props.ttl || Duration.days(2)).toSeconds(),
       },
     });
+
+    if (addToPrinciplePolicyResult.policyDependable) {
+      customResource.node.addDependency(addToPrinciplePolicyResult.policyDependable);
+    }
   }
 }
diff --git a/packages/@aws-cdk/aws-route53/test/integ.cross-account-zone-delegation.expected.json b/packages/@aws-cdk/aws-route53/test/integ.cross-account-zone-delegation.expected.json
@@ -154,6 +154,9 @@
         },
         "TTL": 172800
       },
+      "DependsOn": [
+        "DelegationWithZoneIdcrossaccountzonedelegationhandlerrolePolicy5170A69B"
+      ],
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete"
     },
@@ -184,7 +187,7 @@
       "Properties": {
         "Code": {
           "S3Bucket": {
-            "Ref": "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3Bucket200D9216"
+            "Ref": "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3BucketC1366C27"
           },
           "S3Key": {
             "Fn::Join": [
@@ -197,7 +200,7 @@
                       "Fn::Split": [
                         "||",
                         {
-                          "Ref": "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3VersionKey0E5C26F0"
+                          "Ref": "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3VersionKeyEE72CEF8"
                         }
                       ]
                     }
@@ -210,7 +213,7 @@
                       "Fn::Split": [
                         "||",
                         {
-                          "Ref": "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3VersionKey0E5C26F0"
+                          "Ref": "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3VersionKeyEE72CEF8"
                         }
                       ]
                     }
@@ -315,22 +318,25 @@
         },
         "TTL": 172800
       },
+      "DependsOn": [
+        "DelegationWithZoneNamecrossaccountzonedelegationhandlerrolePolicy86996882"
+      ],
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete"
     }
   },
   "Parameters": {
-    "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3Bucket200D9216": {
+    "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3BucketC1366C27": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"d17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602\""
+      "Description": "S3 bucket for asset \"7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8a\""
     },
-    "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3VersionKey0E5C26F0": {
+    "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3VersionKeyEE72CEF8": {
       "Type": "String",
-      "Description": "S3 key for asset version \"d17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602\""
+      "Description": "S3 key for asset version \"7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8a\""
     },
-    "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602ArtifactHash37FB4D0C": {
+    "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aArtifactHashAADF3168": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"d17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602\""
+      "Description": "Artifact hash for asset \"7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8a\""
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-route53/test/record-set.test.ts b/packages/@aws-cdk/aws-route53/test/record-set.test.ts
@@ -737,33 +737,38 @@ describe('record set', () => {
 
     // THEN
     const childHostedZones = [
-      { name: 'sub.myzone.com', id: 'ChildHostedZone4B14AC71' },
-      { name: 'anothersub.myzone.com', id: 'ChildHostedZone2A37198F0' },
+      { name: 'sub.myzone.com', id: 'ChildHostedZone4B14AC71', dependsOn: 'DelegationcrossaccountzonedelegationhandlerrolePolicy1E157602' },
+      { name: 'anothersub.myzone.com', id: 'ChildHostedZone2A37198F0', dependsOn: 'Delegation2crossaccountzonedelegationhandlerrolePolicy713BEAC3' },
     ];
 
     for (var childHostedZone of childHostedZones) {
-      Template.fromStack(stack).hasResourceProperties('Custom::CrossAccountZoneDelegation', {
-        ServiceToken: {
-          'Fn::GetAtt': [
-            'CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265',
-            'Arn',
-          ],
-        },
-        AssumeRoleArn: {
-          'Fn::GetAtt': [
-            'ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E',
-            'Arn',
-          ],
-        },
-        ParentZoneName: 'myzone.com',
-        DelegatedZoneName: childHostedZone.name,
-        DelegatedZoneNameServers: {
-          'Fn::GetAtt': [
-            childHostedZone.id,
-            'NameServers',
-          ],
+      Template.fromStack(stack).hasResource('Custom::CrossAccountZoneDelegation', {
+        Properties: {
+          ServiceToken: {
+            'Fn::GetAtt': [
+              'CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265',
+              'Arn',
+            ],
+          },
+          AssumeRoleArn: {
+            'Fn::GetAtt': [
+              'ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E',
+              'Arn',
+            ],
+          },
+          ParentZoneName: 'myzone.com',
+          DelegatedZoneName: childHostedZone.name,
+          DelegatedZoneNameServers: {
+            'Fn::GetAtt': [
+              childHostedZone.id,
+              'NameServers',
+            ],
+          },
+          TTL: 60,
         },
-        TTL: 60,
+        DependsOn: [
+          childHostedZone.dependsOn,
+        ],
       });
     }
   });
