fix(route53): support multiple cross account DNS delegations (#17837)

phoefflin · web-flow · commit 76b5c0d12e1e · 2022-01-05T10:36:40.000Z
the custom resource lambda function's role is only created once. To support multiple zone delegations the role creation and policy management needs to be decoupled so each CrossAccountZoneDelegationRecord instance can add an individual policy to the role. Fixes #17836 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-route53/lib/record-set.ts b/packages/@aws-cdk/aws-route53/lib/record-set.ts
@@ -683,15 +683,22 @@ export class CrossAccountZoneDelegationRecord extends CoreConstruct {
       throw Error('Only one of parentHostedZoneName and parentHostedZoneId is supported');
     }
 
-    const serviceToken = CustomResourceProvider.getOrCreate(this, CROSS_ACCOUNT_ZONE_DELEGATION_RESOURCE_TYPE, {
+    const provider = CustomResourceProvider.getOrCreateProvider(this, CROSS_ACCOUNT_ZONE_DELEGATION_RESOURCE_TYPE, {
       codeDirectory: path.join(__dirname, 'cross-account-zone-delegation-handler'),
       runtime: CustomResourceProviderRuntime.NODEJS_12_X,
-      policyStatements: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Resource: props.delegationRole.roleArn }],
     });
 
+    const role = iam.Role.fromRoleArn(this, 'cross-account-zone-delegation-handler-role', provider.roleArn);
+
+    role.addToPrincipalPolicy(new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: ['sts:AssumeRole'],
+      resources: [props.delegationRole.roleArn],
+    }));
+
     new CustomResource(this, 'CrossAccountZoneDelegationCustomResource', {
       resourceType: CROSS_ACCOUNT_ZONE_DELEGATION_RESOURCE_TYPE,
-      serviceToken,
+      serviceToken: provider.serviceToken,
       removalPolicy: props.removalPolicy,
       properties: {
         AssumeRoleArn: props.delegationRole.roleArn,
diff --git a/packages/@aws-cdk/aws-route53/test/integ.cross-account-zone-delegation.expected.json b/packages/@aws-cdk/aws-route53/test/integ.cross-account-zone-delegation.expected.json
@@ -78,6 +78,55 @@
         "Name": "sub.myzone.com."
       }
     },
+    "DelegationWithZoneIdcrossaccountzonedelegationhandlerrolePolicy5170A69B": {
+      "Type": "AWS::IAM::Policy",
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E",
+                  "Arn"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "PolicyName": "DelegationWithZoneIdcrossaccountzonedelegationhandlerrolePolicy5170A69B",
+        "Roles": [
+          {
+            "Fn::Select": [
+              1,
+              {
+                "Fn::Split": [
+                  "/",
+                  {
+                    "Fn::Select": [
+                      5,
+                      {
+                        "Fn::Split": [
+                          ":",
+                          {
+                            "Fn::GetAtt": [
+                              "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B",
+                              "Arn"
+                            ]
+                          }
+                        ]
+                      }
+                    ]
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      }
+    },
     "DelegationWithZoneIdCrossAccountZoneDelegationCustomResourceFFD766E7": {
       "Type": "Custom::CrossAccountZoneDelegation",
       "Properties": {
@@ -127,26 +176,6 @@
           {
             "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
           }
-        ],
-        "Policies": [
-          {
-            "PolicyName": "Inline",
-            "PolicyDocument": {
-              "Version": "2012-10-17",
-              "Statement": [
-                {
-                  "Effect": "Allow",
-                  "Action": "sts:AssumeRole",
-                  "Resource": {
-                    "Fn::GetAtt": [
-                      "ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E",
-                      "Arn"
-                    ]
-                  }
-                }
-              ]
-            }
-          }
         ]
       }
     },
@@ -212,6 +241,55 @@
         "Name": "anothersub.myzone.com."
       }
     },
+    "DelegationWithZoneNamecrossaccountzonedelegationhandlerrolePolicy86996882": {
+      "Type": "AWS::IAM::Policy",
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E",
+                  "Arn"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "PolicyName": "DelegationWithZoneNamecrossaccountzonedelegationhandlerrolePolicy86996882",
+        "Roles": [
+          {
+            "Fn::Select": [
+              1,
+              {
+                "Fn::Split": [
+                  "/",
+                  {
+                    "Fn::Select": [
+                      5,
+                      {
+                        "Fn::Split": [
+                          ":",
+                          {
+                            "Fn::GetAtt": [
+                              "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B",
+                              "Arn"
+                            ]
+                          }
+                        ]
+                      }
+                    ]
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      }
+    },
     "DelegationWithZoneNameCrossAccountZoneDelegationCustomResourceA1A1C94A": {
       "Type": "Custom::CrossAccountZoneDelegation",
       "Properties": {
diff --git a/packages/@aws-cdk/aws-route53/test/record-set.test.ts b/packages/@aws-cdk/aws-route53/test/record-set.test.ts
@@ -732,4 +732,137 @@ describe('record set', () => {
 
 
   });
+
+  test('Multiple cross account zone delegation records', () => {
+    // GIVEN
+    const stack = new Stack();
+    const parentZone = new route53.PublicHostedZone(stack, 'ParentHostedZone', {
+      zoneName: 'myzone.com',
+      crossAccountZoneDelegationPrincipal: new iam.AccountPrincipal('123456789012'),
+    });
+
+    // WHEN
+    const childZone = new route53.PublicHostedZone(stack, 'ChildHostedZone', {
+      zoneName: 'sub.myzone.com',
+    });
+    new route53.CrossAccountZoneDelegationRecord(stack, 'Delegation', {
+      delegatedZone: childZone,
+      parentHostedZoneName: 'myzone.com',
+      delegationRole: parentZone.crossAccountZoneDelegationRole!,
+      ttl: Duration.seconds(60),
+    });
+    const childZone2 = new route53.PublicHostedZone(stack, 'ChildHostedZone2', {
+      zoneName: 'anothersub.myzone.com',
+    });
+    new route53.CrossAccountZoneDelegationRecord(stack, 'Delegation2', {
+      delegatedZone: childZone2,
+      parentHostedZoneName: 'myzone.com',
+      delegationRole: parentZone.crossAccountZoneDelegationRole!,
+      ttl: Duration.seconds(60),
+    });
+
+    // THEN
+    const childHostedZones = [
+      { name: 'sub.myzone.com', id: 'ChildHostedZone4B14AC71' },
+      { name: 'anothersub.myzone.com', id: 'ChildHostedZone2A37198F0' },
+    ];
+
+    for (var childHostedZone of childHostedZones) {
+      expect(stack).toHaveResource('Custom::CrossAccountZoneDelegation', {
+        ServiceToken: {
+          'Fn::GetAtt': [
+            'CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265',
+            'Arn',
+          ],
+        },
+        AssumeRoleArn: {
+          'Fn::GetAtt': [
+            'ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E',
+            'Arn',
+          ],
+        },
+        ParentZoneName: 'myzone.com',
+        DelegatedZoneName: childHostedZone.name,
+        DelegatedZoneNameServers: {
+          'Fn::GetAtt': [
+            childHostedZone.id,
+            'NameServers',
+          ],
+        },
+        TTL: 60,
+      });
+    }
+  });
+
+  test('Cross account zone delegation policies', () => {
+    // GIVEN
+    const stack = new Stack();
+    const parentZone = new route53.PublicHostedZone(stack, 'ParentHostedZone', {
+      zoneName: 'myzone.com',
+      crossAccountZoneDelegationPrincipal: new iam.AccountPrincipal('123456789012'),
+    });
+
+    // WHEN
+    const childZone = new route53.PublicHostedZone(stack, 'ChildHostedZone', {
+      zoneName: 'sub.myzone.com',
+    });
+    new route53.CrossAccountZoneDelegationRecord(stack, 'Delegation', {
+      delegatedZone: childZone,
+      parentHostedZoneName: 'myzone.com',
+      delegationRole: parentZone.crossAccountZoneDelegationRole!,
+      ttl: Duration.seconds(60),
+    });
+    const childZone2 = new route53.PublicHostedZone(stack, 'ChildHostedZone2', {
+      zoneName: 'anothersub.myzone.com',
+    });
+    new route53.CrossAccountZoneDelegationRecord(stack, 'Delegation2', {
+      delegatedZone: childZone2,
+      parentHostedZoneName: 'myzone.com',
+      delegationRole: parentZone.crossAccountZoneDelegationRole!,
+      ttl: Duration.seconds(60),
+    });
+
+    // THEN
+    const policyNames = [
+      'DelegationcrossaccountzonedelegationhandlerrolePolicy1E157602',
+      'Delegation2crossaccountzonedelegationhandlerrolePolicy713BEAC3',
+    ];
+
+    for (var policyName of policyNames) {
+      expect(stack).toHaveResource('AWS::IAM::Policy', {
+        PolicyName: policyName,
+        PolicyDocument: {
+          Version: '2012-10-17',
+          Statement: [
+            {
+              Action: 'sts:AssumeRole',
+              Effect: 'Allow',
+              Resource: {
+                'Fn::GetAtt': [
+                  'ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E',
+                  'Arn',
+                ],
+              },
+            },
+          ],
+        },
+        Roles: [
+          {
+            'Fn::Select': [1, {
+              'Fn::Split': ['/', {
+                'Fn::Select': [5, {
+                  'Fn::Split': [':', {
+                    'Fn::GetAtt': [
+                      'CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B',
+                      'Arn',
+                    ],
+                  }],
+                }],
+              }],
+            }],
+          },
+        ],
+      });
+    }
+  });
 });
