fix(route53): support multiple cross account DNS delegations #17837
Conversation
create individual policies for each delegated zone and add them individually to the singleton lambda function role. fixes aws#17836
Thanks for this contribution!
The change as-is looks great. Can you just add a unit test for the new behavior?
Pull request has been modified.
Thanks!
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository
@phoefflin @njlynch upon upgrading to
@ckifer I also have some sporadic issues in v2.12 when adding additional zones. I have the feeling it could be a dependency issue: the custom resource lambda is running before the additional policy is added to the lambda role (see https://github.com/phoefflin/aws-cdk/blob/master/packages/%40aws-cdk/aws-route53/lib/record-set.ts#L699). I'm trying to verify.
@phoefflin I have two uses of this Construct in different child accounts with the same parent account but different roles.
The setup is exactly the same for them both, so I'm not sure what's going on here, but it's definitely being flaky. Pre-change we have an inline policy on the custom resource with my parent account role ARN; post-change we have a ref to a role, but I think you're right that it doesn't resolve in time.
the custom resource lambda function's role is only created once. To support multiple zone delegations the role creation and policy management needs to be decoupled so each CrossAccountZoneDelegationRecord instance can add an individual policy to the role.
Fixes #17836
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
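As an added illustration (not code from this PR or from the aws-cdk repository), the template below shows the CloudFormation shape that the decoupled design in the description synthesizes to: one singleton handler role, one AWS::IAM::Policy per delegated zone, and a DependsOn from each custom resource to its own policy. The DependsOn is what closes the ordering gap discussed in the comments above, where the handler could be invoked before its sts:AssumeRole grant existed. Account IDs, zone names, name servers and the logical resource names are constructed placeholders, and the custom-resource property names are assumed rather than taken from the handler's code.

```yaml
# Added example, not the project's own code. Constructed placeholders throughout.
AWSTemplateFormatVersion: "2010-09-09"

Resources:
  # Created exactly once, however many delegations the stack contains.
  CrossAccountZoneDelegationHandlerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  CrossAccountZoneDelegationHandler:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs14.x
      Handler: index.handler
      Role: !GetAtt CrossAccountZoneDelegationHandlerRole.Arn
      Code:
        # Placeholder body; the real handler assumes AssumeRoleArn and upserts the NS record.
        ZipFile: "exports.handler = async () => ({});"

  # One policy per delegation. Each grants sts:AssumeRole on exactly one
  # parent-account role, so adding zone B never widens what zone A's
  # delegation can do, and removing one delegation removes only its grant.
  DelegationPolicyZoneA:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CrossAccountZoneDelegationZoneA
      Roles:
        - !Ref CrossAccountZoneDelegationHandlerRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: arn:aws:iam::111111111111:role/DelegationRoleZoneA   # placeholder

  DelegationZoneA:
    Type: AWS::CloudFormation::CustomResource
    # The custom resource only references the function, not the policy, so
    # without this DependsOn CloudFormation may invoke the handler while the
    # policy is still being created: the intermittent failure seen above.
    DependsOn: DelegationPolicyZoneA
    Properties:
      ServiceToken: !GetAtt CrossAccountZoneDelegationHandler.Arn
      AssumeRoleArn: arn:aws:iam::111111111111:role/DelegationRoleZoneA   # placeholder
      ParentZoneName: example.com
      DelegatedZoneName: a.example.com
      DelegatedZoneNameServers:
        - ns-1.placeholder.example

  # A second delegation in the same stack reuses the role and the function
  # but carries its own policy and its own DependsOn.
  DelegationPolicyZoneB:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CrossAccountZoneDelegationZoneB
      Roles:
        - !Ref CrossAccountZoneDelegationHandlerRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: arn:aws:iam::222222222222:role/DelegationRoleZoneB   # placeholder

  DelegationZoneB:
    Type: AWS::CloudFormation::CustomResource
    DependsOn: DelegationPolicyZoneB
    Properties:
      ServiceToken: !GetAtt CrossAccountZoneDelegationHandler.Arn
      AssumeRoleArn: arn:aws:iam::222222222222:role/DelegationRoleZoneB   # placeholder
      ParentZoneName: example.com
      DelegatedZoneName: b.example.com
      DelegatedZoneNameServers:
        - ns-2.placeholder.example
```

In CDK terms the DependsOn corresponds to taking the `policyDependable` returned by `addToPrincipalPolicy` on the handler role and passing it to `customResource.node.addDependency(...)`; a unit test for the behaviour can assert on the synthesized template that each custom resource lists its own policy under DependsOn and that the role is emitted only once.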