(route53): cross account zone delegation fails sometimes #19041
Comments
To my understanding the problem is that we are missing a dependency between the policy statement that is attached to the handler role (https://github.com/phoefflin/aws-cdk/blob/76b5c0d12e1e692efcf6a557ee4ddb6df3709e4d/packages/%40aws-cdk/aws-route53/lib/record-set.ts#L693) and the custom resource (https://github.com/phoefflin/aws-cdk/blob/76b5c0d12e1e692efcf6a557ee4ddb6df3709e4d/packages/%40aws-cdk/aws-route53/lib/record-set.ts#L699). When additional zones are delegated the custom resource handler is triggered while the policy is still being created and therefore fails with an access denied error. The solution could look something like that but unfortunately I currently fail to get a local build up for verification:
…#19047)

For each zone to delegate a policy is created and attached to the handler role. This change adds an explicit dependency between the policy attachment and the lambda handler to make sure the cross account delegation handler is not started before the policy is created and attached to the handler role.

fixes: aws#19041

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
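As an added check (example code, not part of aws-cdk or of the PR above), the following scans a synthesized CloudFormation template for the ordering gap the comment describes: a custom resource whose provider Lambda role receives an `AWS::IAM::Policy` that neither the custom resource nor the Lambda declares a `DependsOn` on. The template shape, the `Custom::CrossAccountZoneDelegation` sample resources and all logical ids are constructed assumptions.

```typescript
// Added example, not code from aws-cdk: find custom resources that CloudFormation may
// create before the IAM policy their provider Lambda's role needs, which is the
// ordering gap behind the intermittent AccessDenied in this issue.
type Resource = { Type: string; DependsOn?: string | string[]; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

// Logical id named by { "Fn::GetAtt": [id, attr] }, if the value has that shape.
function getAttTarget(v: any): string | undefined {
  return v && Array.isArray(v["Fn::GetAtt"]) ? v["Fn::GetAtt"][0] : undefined;
}
// DependsOn may be absent, a single logical id, or a list of ids.
function dependsOnList(r: Resource | undefined): string[] {
  const d = r?.DependsOn;
  return d === undefined ? [] : Array.isArray(d) ? d : [d];
}

// Returns { customResourceId: [policy ids it may run before] }; {} means no gap found.
function findMissingPolicyDependencies(tpl: Template): Record<string, string[]> {
  const res = tpl.Resources;
  const missing: Record<string, string[]> = {};
  for (const [id, r] of Object.entries(res)) {
    const isCustom = r.Type.startsWith("Custom::") || r.Type === "AWS::CloudFormation::CustomResource";
    if (!isCustom) continue;
    const fnId = getAttTarget(r.Properties?.ServiceToken);
    const fn = fnId ? res[fnId] : undefined;
    if (!fn || fn.Type !== "AWS::Lambda::Function") continue; // provider is not a template Lambda
    const roleId = getAttTarget(fn.Properties?.Role);
    if (!roleId) continue;
    // Ordering holds if either the custom resource or its Lambda (which the custom
    // resource already depends on through ServiceToken) waits for the policy.
    const waited = new Set([...dependsOnList(r), ...dependsOnList(fn)]);
    for (const [pid, p] of Object.entries(res)) {
      if (p.Type !== "AWS::IAM::Policy") continue;
      const roles: any[] = p.Properties?.Roles ?? [];
      if (roles.some((x) => x?.Ref === roleId) && !waited.has(pid)) {
        (missing[id] = missing[id] ?? []).push(pid);
      }
    }
  }
  return missing;
}

// Constructed sample: handler role, its policy, the provider Lambda, and two delegation
// custom resources, one missing the dependency and one declaring it.
const sampleTemplate: Template = {
  Resources: {
    HandlerRole: { Type: "AWS::IAM::Role", Properties: {} },
    AssumeRolePolicy: { Type: "AWS::IAM::Policy", Properties: { Roles: [{ Ref: "HandlerRole" }] } },
    Handler: { Type: "AWS::Lambda::Function", Properties: { Role: { "Fn::GetAtt": ["HandlerRole", "Arn"] } } },
    Zone1Delegation: { Type: "Custom::CrossAccountZoneDelegation", Properties: { ServiceToken: { "Fn::GetAtt": ["Handler", "Arn"] } } },
    Zone2Delegation: { Type: "Custom::CrossAccountZoneDelegation", DependsOn: ["AssumeRolePolicy"], Properties: { ServiceToken: { "Fn::GetAtt": ["Handler", "Arn"] } } },
  },
};
```

Running it on `sampleTemplate` reports `Zone1Delegation` as able to run before `AssumeRolePolicy`; adding the dependency on the Lambda instead, as the linked PR does, clears the report as well.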
What is the problem?
Cross account zone delegation sometimes fails with an Access Denied error.
Reproduction Steps
1) `parent_zone_account`: change principal to `sub_zone_account` principal, deploy and get roleArns from stack outputs
2) `parent_zone_account` and delegate only one zone to the corresponding parent zone; update roleArns and deploy cdk app
3) rerun stack 2) with variable DELEGATE_ZONE2 set (ex: `DELEGATE_ZONE2=true npm run cdk deploy`)
What did you expect to happen?
I expected both delegation NS records to be created in both parent zones
What actually happened?
Step 3) fails with an Access denied error:
CDK CLI Version
2.12.0 (build c9786db)
Framework Version
2.12.0
Node.js Version
v16.13.2
OS
linux
Language
Typescript
Language Version
3.9.10
Other information
No response