Closed phoefflin closed 2 years ago
To my understanding the problem is that we are missing a dependency between the policy statement that is attached to the handler role (https://github.com/phoefflin/aws-cdk/blob/76b5c0d12e1e692efcf6a557ee4ddb6df3709e4d/packages/%40aws-cdk/aws-route53/lib/record-set.ts#L693) and the custom resource (https://github.com/phoefflin/aws-cdk/blob/76b5c0d12e1e692efcf6a557ee4ddb6df3709e4d/packages/%40aws-cdk/aws-route53/lib/record-set.ts#L699).
When additional zones are delegated the custom resource handler is triggered while the policy is still being created and therefore fails with an access denied error.
The solution could look something like that but unfortunately I currently fail to get a local build up for verification: https://github.com/phoefflin/aws-cdk/commit/7c4ab5483332354113c58a8d36bb06d5d60bf798
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
What is the problem?
Cross account zone delegation sometimes fails with an Access Denied error.
Reproduction Steps
1) parent_zone_account: change principal to sub_zone_account principal, deploy and get roleArns from stack outputs
2) parent_zone_account: delegate only one zone to the corresponding parent zone, update roleArns and deploy cdk app
3) rerun stack 2) with variable DELEGATE_ZONE2 set (ex: DELEGATE_ZONE2=true npm run cdk deploy)
What did you expect to happen?
I expected both delegation NS records to be created in both parent zones
What actually happened?
Step 3) fails with an Access denied error:
CDK CLI Version
2.12.0 (build c9786db)
Framework Version
2.12.0
Node.js Version
v16.13.2
OS
linux
Language
Typescript
Language Version
3.9.10
Other information
No response