fix(route53): fix cross account delegation deployment dependency (#19047

)

For each zone to delegate a policy is created and attached to the
handler role. This change adds an explicit dependency between the policy
attachment and the lambda handler to make sure the cross account
delegation handler is not started before the policy is created and
attached to the handler role.

fixes: #19041 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-route53/lib/record-set.ts

@@ -690,13 +690,13 @@ export class CrossAccountZoneDelegationRecord extends CoreConstruct {
 
     const role = iam.Role.fromRoleArn(this, 'cross-account-zone-delegation-handler-role', provider.roleArn);
 
-    role.addToPrincipalPolicy(new iam.PolicyStatement({
+    const addToPrinciplePolicyResult = role.addToPrincipalPolicy(new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['sts:AssumeRole'],
       resources: [props.delegationRole.roleArn],
     }));
 
-    new CustomResource(this, 'CrossAccountZoneDelegationCustomResource', {
+    const customResource = new CustomResource(this, 'CrossAccountZoneDelegationCustomResource', {
       resourceType: CROSS_ACCOUNT_ZONE_DELEGATION_RESOURCE_TYPE,
       serviceToken: provider.serviceToken,
       removalPolicy: props.removalPolicy,
@@ -709,5 +709,9 @@ export class CrossAccountZoneDelegationRecord extends CoreConstruct {
         TTL: (props.ttl || Duration.days(2)).toSeconds(),
       },
     });
+
+    if (addToPrinciplePolicyResult.policyDependable) {
+      customResource.node.addDependency(addToPrinciplePolicyResult.policyDependable);
+    }
   }
 }

packages/@aws-cdk/aws-route53/test/integ.cross-account-zone-delegation.expected.json

@@ -154,6 +154,9 @@
         },
         "TTL": 172800
       },
+      "DependsOn": [
+        "DelegationWithZoneIdcrossaccountzonedelegationhandlerrolePolicy5170A69B"
+      ],
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete"
     },
@@ -184,7 +187,7 @@
       "Properties": {
         "Code": {
           "S3Bucket": {
-            "Ref": "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3Bucket200D9216"
+            "Ref": "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3BucketC1366C27"
           },
           "S3Key": {
             "Fn::Join": [
@@ -197,7 +200,7 @@
                       "Fn::Split": [
                         "||",
                         {
-                          "Ref": "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3VersionKey0E5C26F0"
+                          "Ref": "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3VersionKeyEE72CEF8"
                         }
                       ]
                     }
@@ -210,7 +213,7 @@
                       "Fn::Split": [
                         "||",
                         {
-                          "Ref": "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3VersionKey0E5C26F0"
+                          "Ref": "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3VersionKeyEE72CEF8"
                         }
                       ]
                     }
@@ -315,22 +318,25 @@
         },
         "TTL": 172800
       },
+      "DependsOn": [
+        "DelegationWithZoneNamecrossaccountzonedelegationhandlerrolePolicy86996882"
+      ],
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete"
     }
   },
   "Parameters": {
-    "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3Bucket200D9216": {
+    "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3BucketC1366C27": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"d17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602\""
+      "Description": "S3 bucket for asset \"7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8a\""
     },
-    "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3VersionKey0E5C26F0": {
+    "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3VersionKeyEE72CEF8": {
       "Type": "String",
-      "Description": "S3 key for asset version \"d17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602\""
+      "Description": "S3 key for asset version \"7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8a\""
     },
-    "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602ArtifactHash37FB4D0C": {
+    "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aArtifactHashAADF3168": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"d17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602\""
+      "Description": "Artifact hash for asset \"7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8a\""
     }
   }
 }

packages/@aws-cdk/aws-route53/test/record-set.test.ts

@@ -737,33 +737,38 @@ describe('record set', () => {
 
     // THEN
     const childHostedZones = [
-      { name: 'sub.myzone.com', id: 'ChildHostedZone4B14AC71' },
-      { name: 'anothersub.myzone.com', id: 'ChildHostedZone2A37198F0' },
+      { name: 'sub.myzone.com', id: 'ChildHostedZone4B14AC71', dependsOn: 'DelegationcrossaccountzonedelegationhandlerrolePolicy1E157602' },
+      { name: 'anothersub.myzone.com', id: 'ChildHostedZone2A37198F0', dependsOn: 'Delegation2crossaccountzonedelegationhandlerrolePolicy713BEAC3' },
     ];
 
     for (var childHostedZone of childHostedZones) {
-      Template.fromStack(stack).hasResourceProperties('Custom::CrossAccountZoneDelegation', {
-        ServiceToken: {
-          'Fn::GetAtt': [
-            'CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265',
-            'Arn',
-          ],
-        },
-        AssumeRoleArn: {
-          'Fn::GetAtt': [
-            'ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E',
-            'Arn',
-          ],
-        },
-        ParentZoneName: 'myzone.com',
-        DelegatedZoneName: childHostedZone.name,
-        DelegatedZoneNameServers: {
-          'Fn::GetAtt': [
-            childHostedZone.id,
-            'NameServers',
-          ],
+      Template.fromStack(stack).hasResource('Custom::CrossAccountZoneDelegation', {
+        Properties: {
+          ServiceToken: {
+            'Fn::GetAtt': [
+              'CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265',
+              'Arn',
+            ],
+          },
+          AssumeRoleArn: {
+            'Fn::GetAtt': [
+              'ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E',
+              'Arn',
+            ],
+          },
+          ParentZoneName: 'myzone.com',
+          DelegatedZoneName: childHostedZone.name,
+          DelegatedZoneNameServers: {
+            'Fn::GetAtt': [
+              childHostedZone.id,
+              'NameServers',
+            ],
+          },
+          TTL: 60,
         },
-        TTL: 60,
+        DependsOn: [
+          childHostedZone.dependsOn,
+        ],
       });
     }
   });