Closed ben851 closed 1 week ago
To accomplish the above, we will need to create an IAM role in the Canadian Digital Services AWS account. The IAM policy will need to have the following:
The policy code for part 1 will look similar to:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "route53:ListResourceRecordSets",
            "route53:ChangeResourceRecordSets",
            "route53:GetChange"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_FOR_NOTIFICATION_CANADA_CA"
        },
        {
          "Action": [
            "route53:ListHostedZones",
            "route53:GetHostedZoneCount",
            "route53:ListHostedZonesByName"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
For the second part, we will need to modify the notification_apply_oidc role to contain the following:
    data "aws_iam_policy_document" "assume_dns_manager" {
      statement {
        sid = "AssumeProdDNSManagerRoles"
        actions = [
          "sts:AssumeRole",
        ]
        resources = [
          "arn:aws:iam::CanadianDigitalServicesAWSAccountID:role/prod_dns_manager"
        ]
      }
    }

    resource "aws_iam_policy" "assume_prod_dns_manager" {
      # Quoted: a bare identifier is not valid HCL here (name of the notification_apply_oidc role).
      name   = "terraform_apply_oidc_role"
      policy = data.aws_iam_policy_document.assume_dns_manager.json
    }

    resource "aws_iam_role_policy_attachment" "assume_prod_dns_manager" {
      role       = "terraform_apply_oidc_role"
      policy_arn = aws_iam_policy.assume_prod_dns_manager.arn
    }
PR has been created to address this issue here - https://github.com/cds-snc/dns/pull/397
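The two policies above are the whole of the cross-account grant, so a reviewer's main worry is scope: the record-changing action must stay pinned to one hosted zone ARN, and the prod_dns_manager role on the CDS side must trust only the one OIDC role. The following Python is an added example, not code from this issue or from the cds-snc repositories. It lints a Route 53 policy document for write actions that escape a hosted-zone ARN (including wildcard grants such as route53:*), and builds the trust policy the prod_dns_manager role would need. The account ID, role name and hosted zone ID it uses are placeholders; the trusted-role ARN and the optional sts:ExternalId condition are assumptions about how the role would be set up, not details taken from the issue.

```python
"""Static checks for the Route 53 delegation discussed in this issue.

Added example (not code from the issue or the cds-snc repositories). It
lints an IAM policy for the DNS-manager role so that state-changing
Route 53 actions are only ever granted on a specific hosted zone ARN, and
it builds the trust policy for the prod_dns_manager role so that only the
named OIDC role in the notification-production account can assume it.
Account IDs, role names and hosted zone IDs below are placeholders.
"""
import fnmatch
import json
import re

# Route 53 actions that change state. These must be scoped to a hosted zone.
MUTATING_ACTIONS = {
    "route53:ChangeResourceRecordSets",
    "route53:CreateHostedZone",
    "route53:DeleteHostedZone",
    "route53:UpdateHostedZoneComment",
    "route53:AssociateVPCWithHostedZone",
    "route53:DisassociateVPCFromHostedZone",
}

# arn:aws:route53:::hostedzone/<ID>. Real IDs are alphanumeric; the regex also
# accepts the placeholder ID used in the issue's policy text.
HOSTED_ZONE_ARN = re.compile(r"^arn:aws:route53:::hostedzone/[A-Za-z0-9_]+$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_mutating(action):
    """True if an Action entry (possibly a wildcard such as route53:*) covers
    any state-changing Route 53 action. IAM action names are case-insensitive."""
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(m.lower(), pattern) for m in MUTATING_ACTIONS)


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants cannot be scoped safely")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not is_mutating(action):
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if not HOSTED_ZONE_ARN.match(resource):
                    findings.append(
                        f"statement {i}: {action} granted on {resource!r}; "
                        "restrict it to a hosted zone ARN"
                    )
    return findings


def build_trust_policy(trusted_role_arn, external_id=None):
    """Trust policy for prod_dns_manager: only trusted_role_arn may assume it.
    external_id adds an sts:ExternalId condition when a shared secret is used."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": trusted_role_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


# The policy from the issue, with its placeholder hosted zone ID kept as-is.
ISSUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["route53:ListResourceRecordSets",
                       "route53:ChangeResourceRecordSets",
                       "route53:GetChange"],
            "Effect": "Allow",
            "Resource": "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_FOR_NOTIFICATION_CANADA_CA",
        },
        {
            "Action": ["route53:ListHostedZones",
                       "route53:GetHostedZoneCount",
                       "route53:ListHostedZonesByName"],
            "Effect": "Allow",
            "Resource": "*",
        },
    ],
}

# Constructed counter-example: every Route 53 action granted on every zone.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "route53:*", "Effect": "Allow", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, policy in (("issue policy", ISSUE_POLICY), ("overbroad policy", OVERBROAD_POLICY)):
        print(name, "->", lint_policy(policy) or "OK")
    # Placeholder account ID and role name for the notification-production side.
    print(json.dumps(build_trust_policy(
        "arn:aws:iam::111111111111:role/notification_apply_oidc"), indent=2))
```

Run as-is the issue's policy passes (read-only actions on "*" are the only wildcard grants) and the overbroad policy produces one finding. Wildcards are expanded with fnmatch rather than string equality so that route53:* or route53:Change* on "*" is caught the same way an explicit route53:ChangeResourceRecordSets would be.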
We would like to take over managing notification.canada.ca using our own terraform repository. Would it be possible to provide write access to the notification.canada.ca route53 zone in the CDS DNS AWS account to:

Notify Core Team: @cds-snc/notify-core

Additionally, the notification-production account will need IAM roles it can assume to manage the hosted zone records as part of the cds-snc/notification-terraform workflows. Two roles will be needed: