aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(route53): cross account zone delegations of more than one zone fail #17836

Closed phoefflin closed 2 years ago

phoefflin commented 2 years ago

What is the problem?

Trying to delegate more than one subzone to zones in other AWS accounts fails.

Reproduction Steps

  1. Create the parent zones CDK app in _parent_zoneaccount

Change the principal to the _sub_zoneaccount principal, deploy, and get the roleArns from the stack outputs:

```typescript
import * as iam from '@aws-cdk/aws-iam';
import * as route53 from '@aws-cdk/aws-route53';
import { Construct, CfnOutput, Stack, StackProps } from '@aws-cdk/core';

export class ParentZonesStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // The account that will own the subzones; it is allowed to assume the
    // delegation role that each parent zone creates.
    const crossAccountZoneDelegationPrincipal = new iam.AccountPrincipal('111111111111');

    const parentZone1 = new route53.PublicHostedZone(this, 'HostedZone1', {
      zoneName: 'domain1.com',
      crossAccountZoneDelegationPrincipal,
    });

    const parentZone2 = new route53.PublicHostedZone(this, 'HostedZone2', {
      zoneName: 'domain2.com',
      crossAccountZoneDelegationPrincipal,
    });

    // Export the per-zone delegation role ARNs; the subzone stack needs them.
    new CfnOutput(this, 'zone1RoleArn', { value: parentZone1.crossAccountZoneDelegationRole?.roleArn || '' });
    new CfnOutput(this, 'zone2RoleArn', { value: parentZone2.crossAccountZoneDelegationRole?.roleArn || '' });
  }
}
```
  2. Deploy the subzones app in _sub_zoneaccount

Update the roleArns and deploy the CDK app:

```typescript
import * as cdk from '@aws-cdk/core';
import * as iam from '@aws-cdk/aws-iam';
import * as route53 from '@aws-cdk/aws-route53';

export class SubZonesStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Delegation role ARNs taken from the ParentZonesStack outputs.
    const zone1RoleArn = '<arn1 from stack output>';
    const zone2RoleArn = '<arn2 from stack output>';

    new Zone(this, 'zone1', {
      name: 'domain1.com',
      arn: zone1RoleArn,
    });
    new Zone(this, 'zone2', {
      name: 'domain2.com',
      arn: zone2RoleArn,
    });
  }
}

// Creates sub.<name> in this account and delegates it from the parent zone
// <name> by assuming that zone's delegation role in the parent account.
export class Zone extends cdk.Construct {
  public constructor(scope: cdk.Construct, id: string, props: { arn: string, name: string }) {
    super(scope, id);

    const { arn, name } = props;
    const role = iam.Role.fromRoleArn(this, `role${name}`, arn);
    const subZone = new route53.PublicHostedZone(this, `zone${name}`, {
      zoneName: `sub.${name}`,
    });
    new route53.CrossAccountZoneDelegationRecord(this, `delegate${name}`, {
      delegatedZone: subZone,
      parentHostedZoneName: name,
      delegationRole: role,
    });
  }
}
```

What did you expect to happen?

I expected both delegation NS records to be created in both parent zones

What actually happened?

The subZone stack failed with an Access denied error.

```text
6:39:34 PM | CREATE_FAILED        | Custom::CrossAccountZoneDelegation | zone2/delegatedoma...omResource/Default
Received response status [FAILED] from custom resource. Message returned: AccessDenied: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/SubZonesStack-CustomCrossAccountZoneDelegationCust-TL4005A93THW/SubZonesStack-CustomCrossAccountZoneDelegationCust-aHcKaNjM2AZe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXX:role/ParentZonesStack-HostedZone2CrossAccountZoneDelega-HKID8J9JJRWB
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) (RequestId: a470258f-86af-4521-ac52-8ca4fc610846)
```

CDK CLI Version

1.134.0 (build dd5e12d)

Framework Version

1.134.0

Node.js Version

v14.18.1

OS

linux

Language

Typescript

Language Version

No response

Other information

No response
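The failure above is an AccessDenied on `sts:AssumeRole`: the custom resource handler's role is allowed to assume the first zone's delegation role but not the second. A check a practitioner would want before deploying (or while triaging the error) is to take the handler role's policy document and the list of delegation role ARNs the stack needs, and list every ARN that no Allow statement covers for `sts:AssumeRole`; parsing the AccessDenied message into principal, action and resource makes the mismatch easy to spot. The code below is an added example and is not from the issue or from the aws-cdk project. The policy document, the parent account id 222222222222 and the role names are constructed placeholders, and the matching is a simplified model of IAM evaluation (wildcards in Resource, Deny overrides Allow, no condition keys).

```typescript
// Added example: offline check that a handler role's policy covers sts:AssumeRole
// for every delegation role a stack needs, plus a parser for the AccessDenied text.

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// Turn an IAM resource pattern ('*' wildcards only) into an anchored RegExp.
function patternToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Delegation role ARNs that the document does not allow sts:AssumeRole on.
// A matching Deny wins over any Allow, as in IAM; condition keys are ignored.
function uncoveredDelegationRoles(doc: PolicyDocument, delegationRoleArns: string[]): string[] {
  const matches = (stmt: PolicyStatement, arn: string): boolean =>
    asList(stmt.Action).some(a => a === 'sts:AssumeRole' || a === 'sts:*' || a === '*') &&
    asList(stmt.Resource).some(r => patternToRegExp(r).test(arn));
  return delegationRoleArns.filter(arn => {
    const denied = doc.Statement.some(s => s.Effect === 'Deny' && matches(s, arn));
    const allowed = doc.Statement.some(s => s.Effect === 'Allow' && matches(s, arn));
    return denied || !allowed;
  });
}

interface AccessDeniedInfo { principal: string; action: string; resource: string; }

// Parse "User: <arn> is not authorized to perform: <action> on resource: <arn>".
// Whitespace (including the newlines of a multi-line custom resource response) is collapsed.
function parseAccessDenied(message: string): AccessDeniedInfo | undefined {
  const flat = message.replace(/\s+/g, ' ');
  const m = /User:\s*(\S+)\s+is not authorized to perform:\s*(\S+)\s+on resource:\s*(\S+)/.exec(flat);
  return m ? { principal: m[1], action: m[2], resource: m[3] } : undefined;
}

// Constructed sample (placeholder account id and role names): the handler policy
// names only zone 1's delegation role, the situation the issue's error describes.
const sampleHandlerPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: 'sts:AssumeRole',
      Resource: 'arn:aws:iam::222222222222:role/ParentZonesStack-HostedZone1CrossAccountZoneDelega-EXAMPLE1',
    },
  ],
};

const sampleDelegationRoles = [
  'arn:aws:iam::222222222222:role/ParentZonesStack-HostedZone1CrossAccountZoneDelega-EXAMPLE1',
  'arn:aws:iam::222222222222:role/ParentZonesStack-HostedZone2CrossAccountZoneDelega-EXAMPLE2',
];

// Constructed message in the same shape as the one in the issue.
const sampleAccessDenied =
  'AccessDenied: User: arn:aws:sts::111111111111:assumed-role/SubZonesStack-Handler/session ' +
  'is not authorized to perform: sts:AssumeRole on resource: ' +
  'arn:aws:iam::222222222222:role/ParentZonesStack-HostedZone2CrossAccountZoneDelega-EXAMPLE2';

console.log('uncovered:', uncoveredDelegationRoles(sampleHandlerPolicy, sampleDelegationRoles));
console.log('denied:', parseAccessDenied(sampleAccessDenied));
```

Feed the function the handler role's actual policy (for example from `aws iam get-role-policy`) and the ARNs from the parent stack outputs; any ARN it returns is a delegation the custom resource will fail on with exactly the error shown in the issue. Listing each delegation role explicitly, rather than a broad wildcard, keeps the handler role at least privilege while still covering every zone.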

github-actions[bot] commented 2 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.