From 7c4ab5483332354113c58a8d36bb06d5d60bf798 Mon Sep 17 00:00:00 2001 From: Philipp Hoefflin Date: Fri, 18 Feb 2022 17:01:32 +0100 Subject: [PATCH] fix(route53): fix cross account delegation deployment dependency For each zone to delegate a policy is created and attached to the handler role. This change adds an explicit dependency between the policy attachment and the lambda handler to make sure the cross account delegation handler is not started before the policy is created and attached to the handler role. Signed-off-by: Philipp Hoefflin --- .../@aws-cdk/aws-route53/lib/record-set.ts | 8 ++- ...ross-account-zone-delegation.expected.json | 24 +++++---- .../aws-route53/test/record-set.test.ts | 51 ++++++++++--------- 3 files changed, 49 insertions(+), 34 deletions(-) diff --git a/packages/@aws-cdk/aws-route53/lib/record-set.ts b/packages/@aws-cdk/aws-route53/lib/record-set.ts index 823257f6fb576..a10cb05c37e67 100644 --- a/packages/@aws-cdk/aws-route53/lib/record-set.ts +++ b/packages/@aws-cdk/aws-route53/lib/record-set.ts @@ -690,13 +690,13 @@ export class CrossAccountZoneDelegationRecord extends CoreConstruct { const role = iam.Role.fromRoleArn(this, 'cross-account-zone-delegation-handler-role', provider.roleArn); - role.addToPrincipalPolicy(new iam.PolicyStatement({ + const addToPrinciplePolicyResult = role.addToPrincipalPolicy(new iam.PolicyStatement({ effect: iam.Effect.ALLOW, actions: ['sts:AssumeRole'], resources: [props.delegationRole.roleArn], })); - new CustomResource(this, 'CrossAccountZoneDelegationCustomResource', { + const customResource = new CustomResource(this, 'CrossAccountZoneDelegationCustomResource', { resourceType: CROSS_ACCOUNT_ZONE_DELEGATION_RESOURCE_TYPE, serviceToken: provider.serviceToken, removalPolicy: props.removalPolicy, @@ -709,5 +709,9 @@ export class CrossAccountZoneDelegationRecord extends CoreConstruct { TTL: (props.ttl || Duration.days(2)).toSeconds(), }, }); + + if (addToPrinciplePolicyResult.policyDependable) { + customResource.node.addDependency(addToPrinciplePolicyResult.policyDependable); + } } } diff --git a/packages/@aws-cdk/aws-route53/test/integ.cross-account-zone-delegation.expected.json b/packages/@aws-cdk/aws-route53/test/integ.cross-account-zone-delegation.expected.json index d5890cda1c955..3ad72296cd685 100644 --- a/packages/@aws-cdk/aws-route53/test/integ.cross-account-zone-delegation.expected.json +++ b/packages/@aws-cdk/aws-route53/test/integ.cross-account-zone-delegation.expected.json @@ -154,6 +154,9 @@ }, "TTL": 172800 }, + "DependsOn": [ + "DelegationWithZoneIdcrossaccountzonedelegationhandlerrolePolicy5170A69B" + ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, @@ -184,7 +187,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3Bucket200D9216" + "Ref": "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3BucketC1366C27" }, "S3Key": { "Fn::Join": [ @@ -197,7 +200,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3VersionKey0E5C26F0" + "Ref": "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3VersionKeyEE72CEF8" } ] } @@ -210,7 +213,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3VersionKey0E5C26F0" + "Ref": "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3VersionKeyEE72CEF8" } ] } @@ -315,22 +318,25 @@ }, "TTL": 172800 }, + "DependsOn": [ + "DelegationWithZoneNamecrossaccountzonedelegationhandlerrolePolicy86996882" + ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" } }, "Parameters": { - "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3Bucket200D9216": { + "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3BucketC1366C27": { "Type": "String", - "Description": "S3 bucket for asset \"d17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602\"" + "Description": "S3 bucket for asset \"7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8a\"" }, - "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602S3VersionKey0E5C26F0": { + "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aS3VersionKeyEE72CEF8": { "Type": "String", - "Description": "S3 key for asset version \"d17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602\"" + "Description": "S3 key for asset version \"7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8a\"" }, - "AssetParametersd17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602ArtifactHash37FB4D0C": { + "AssetParameters7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8aArtifactHashAADF3168": { "Type": "String", - "Description": "Artifact hash for asset \"d17df4f90e07a972e8f7b00dddbae8e3eba45a212226d2b714dcd28dded69602\"" + "Description": "Artifact hash for asset \"7625bcc3bbd65c490a92d42790a563e31dc02c18006ef272338c8c788849bb8a\"" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-route53/test/record-set.test.ts b/packages/@aws-cdk/aws-route53/test/record-set.test.ts index a48cb07bb5ab0..fbf3d56517d3b 100644 --- a/packages/@aws-cdk/aws-route53/test/record-set.test.ts +++ b/packages/@aws-cdk/aws-route53/test/record-set.test.ts @@ -737,33 +737,38 @@ describe('record set', () => { // THEN const childHostedZones = [ - { name: 'sub.myzone.com', id: 'ChildHostedZone4B14AC71' }, - { name: 'anothersub.myzone.com', id: 'ChildHostedZone2A37198F0' }, + { name: 'sub.myzone.com', id: 'ChildHostedZone4B14AC71', dependsOn: 'DelegationcrossaccountzonedelegationhandlerrolePolicy1E157602' }, + { name: 'anothersub.myzone.com', id: 'ChildHostedZone2A37198F0', dependsOn: 'Delegation2crossaccountzonedelegationhandlerrolePolicy713BEAC3' }, ]; for (var childHostedZone of childHostedZones) { - Template.fromStack(stack).hasResourceProperties('Custom::CrossAccountZoneDelegation', { - ServiceToken: { - 'Fn::GetAtt': [ - 'CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265', - 'Arn', - ], - }, - AssumeRoleArn: { - 'Fn::GetAtt': [ - 'ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E', - 'Arn', - ], - }, - ParentZoneName: 'myzone.com', - DelegatedZoneName: childHostedZone.name, - DelegatedZoneNameServers: { - 'Fn::GetAtt': [ - childHostedZone.id, - 'NameServers', - ], + Template.fromStack(stack).hasResource('Custom::CrossAccountZoneDelegation', { + Properties: { + ServiceToken: { + 'Fn::GetAtt': [ + 'CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265', + 'Arn', + ], + }, + AssumeRoleArn: { + 'Fn::GetAtt': [ + 'ParentHostedZoneCrossAccountZoneDelegationRole95B1C36E', + 'Arn', + ], + }, + ParentZoneName: 'myzone.com', + DelegatedZoneName: childHostedZone.name, + DelegatedZoneNameServers: { + 'Fn::GetAtt': [ + childHostedZone.id, + 'NameServers', + ], + }, + TTL: 60, }, - TTL: 60, + DependsOn: [ + childHostedZone.dependsOn, + ], }); } });