add nameEquals option to grantDelegation

Author: Kasra-G

packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/integ.json

@@ -679,6 +679,11 @@
          "route53:ChangeResourceRecordSetsActions": [
           "UPSERT",
           "DELETE"
+         ],
+         "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
+          "sub.uniqueexample.com",
+          "sub2.uniqueexample.com",
+          "sub3.uniqueexample.com"
          ]
         }
        },
@@ -746,4 +751,4 @@
    ]
   }
  }
-}
+}

packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/parent-stack.template.json

@@ -58,7 +58,13 @@ class ParentStack extends cdk.Stack {
       roleName: delegationRoleName,
       assumedBy: new iam.AccountPrincipal(crossAccount),
     });
-    parentZone.grantDelegation(crossAccountRole);
+    parentZone.grantDelegation(crossAccountRole, {
+      nameEquals: [
+        'sub.uniqueexample.com',
+        'sub2.uniqueexample.com',
+        'sub3.uniqueexample.com',
+      ],
+    });
   }
 }
 
@@ -130,6 +136,6 @@ childOptInStack.addDependency(parentStack);
 childOptInStackWithAssumeRoleRegion.addDependency(parentStack);
 
 new IntegTest(app, 'Route53CrossAccountInteg', {
-  testCases: [childStack, childOptInStack, childOptInStackWithAssumeRoleRegion],
+  testCases: [childStack, childOptInStack, childOptInStackWithAssumeRoleRegion, parentStack],
   diffAssets: true,
 });

packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.ts

@@ -343,40 +343,31 @@ const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
   roleName: 'MyDelegationRole',
   // The other account
   assumedBy: new iam.AccountPrincipal('12345678901'),
-  // You can scope down this role policy to be least privileged.
-  // If you want the other account to be able to manage specific records,
-  // you can scope down by resource and/or normalized record names
-  inlinePolicies: {
-    crossAccountPolicy: new iam.PolicyDocument({
-      statements: [
-        new iam.PolicyStatement({
-          sid: 'ListHostedZonesByName',
-          effect: iam.Effect.ALLOW,
-          actions: ['route53:ListHostedZonesByName'],
-          resources: ['*'],
-        }),
-        new iam.PolicyStatement({
-          sid: 'GetHostedZoneAndChangeResourceRecordSets',
-          effect: iam.Effect.ALLOW,
-          actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSets'],
-          // This example assumes the RecordSet subdomain.somexample.com
-          // is contained in the HostedZone
-          resources: ['arn:aws:route53:::hostedzone/HZID00000000000000000'],
-          conditions: {
-            'ForAllValues:StringLike': {
-              'route53:ChangeResourceRecordSetsNormalizedRecordNames': [
-                'subdomain.someexample.com',
-              ],
-            },
-          },
-        }),
-      ],
-    }),
-  },
 });
 parentZone.grantDelegation(crossAccountRole);
 ```
 
+To restrict the domain names that can be delegated with the IAM role, use the optional `nameEquals` property in the delegation options,
+which enforces the `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition key.
+
+This allows you to follow the minimum privilege principle:
+
+```ts
+const parentZone = new route53.PublicHostedZone(this, 'HostedZone', {
+  zoneName: 'someexample.com',
+});
+
+declare const betaCrossAccountRole: iam.Role;
+parentZone.grantDelegation(betaCrossAccountRole, {
+    nameEquals: ['beta.someexample.com'],
+});
+
+declare const prodCrossAccountRole: iam.Role;
+parentZone.grantDelegation(prodCrossAccountRole, {
+    nameEquals: ['prod.someexample.com'],
+});
+```
+
 In the account containing the child zone to be delegated:
 
 ```ts

packages/aws-cdk-lib/aws-route53/README.md

@@ -37,7 +37,7 @@ export interface IHostedZone extends IResource {
   /**
    * Grant permissions to add delegation records to this zone
    */
-  grantDelegation(grantee: iam.IGrantable): iam.Grant;
+  grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant;
 }
 
 /**
@@ -59,3 +59,15 @@ export interface HostedZoneAttributes {
  * Reference to a public hosted zone
  */
 export interface PublicHostedZoneAttributes extends HostedZoneAttributes { }
+
+/**
+ * Options for the delegation permissions granted
+ */
+export interface GrantDelegationOptions {
+  /**
+   * List of NS record names to allowlist in the delegation permissions
+   *
+   * @default the grant does not restrict record name
+   */
+  readonly nameEquals?: string[];
+}

packages/aws-cdk-lib/aws-route53/lib/hosted-zone-ref.ts

@@ -1,6 +1,6 @@
 import { Construct } from 'constructs';
 import { HostedZoneProviderProps } from './hosted-zone-provider';
-import { HostedZoneAttributes, IHostedZone, PublicHostedZoneAttributes } from './hosted-zone-ref';
+import { GrantDelegationOptions, HostedZoneAttributes, IHostedZone, PublicHostedZoneAttributes } from './hosted-zone-ref';
 import { IKeySigningKey, KeySigningKey } from './key-signing-key';
 import { CaaAmazonRecord, ZoneDelegationRecord } from './record-set';
 import { CfnHostedZone, CfnDNSSEC, CfnKeySigningKey } from './route53.generated';
@@ -117,8 +117,8 @@ export class HostedZone extends Resource implements IHostedZone {
       public get hostedZoneArn(): string {
         return makeHostedZoneArn(this, this.hostedZoneId);
       }
-      public grantDelegation(grantee: iam.IGrantable): iam.Grant {
-        return makeGrantDelegation(grantee, this.hostedZoneArn);
+      public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant {
+        return makeGrantDelegation(grantee, this.hostedZoneArn, options);
       }
     }
 
@@ -141,8 +141,8 @@ export class HostedZone extends Resource implements IHostedZone {
       public get hostedZoneArn(): string {
         return makeHostedZoneArn(this, this.hostedZoneId);
       }
-      public grantDelegation(grantee: iam.IGrantable): iam.Grant {
-        return makeGrantDelegation(grantee, this.hostedZoneArn);
+      public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant {
+        return makeGrantDelegation(grantee, this.hostedZoneArn, options);
       }
     }
 
@@ -241,8 +241,8 @@ export class HostedZone extends Resource implements IHostedZone {
   }
 
   @MethodMetadata()
-  public grantDelegation(grantee: iam.IGrantable): iam.Grant {
-    return makeGrantDelegation(grantee, this.hostedZoneArn);
+  public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant {
+    return makeGrantDelegation(grantee, this.hostedZoneArn, options);
   }
 
   /**
@@ -345,8 +345,8 @@ export class PublicHostedZone extends HostedZone implements IPublicHostedZone {
       public get hostedZoneArn(): string {
         return makeHostedZoneArn(this, this.hostedZoneId);
       }
-      public grantDelegation(grantee: iam.IGrantable): iam.Grant {
-        return makeGrantDelegation(grantee, this.hostedZoneArn);
+      public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant {
+        return makeGrantDelegation(grantee, this.hostedZoneArn, options);
       }
     }
     return new Import(scope, id);
@@ -368,8 +368,8 @@ export class PublicHostedZone extends HostedZone implements IPublicHostedZone {
       public get hostedZoneArn(): string {
         return makeHostedZoneArn(this, this.hostedZoneId);
       }
-      public grantDelegation(grantee: iam.IGrantable): iam.Grant {
-        return makeGrantDelegation(grantee, this.hostedZoneArn);
+      public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant {
+        return makeGrantDelegation(grantee, this.hostedZoneArn, options);
       }
     }
     return new Import(scope, id);
@@ -513,8 +513,8 @@ export class PrivateHostedZone extends HostedZone implements IPrivateHostedZone
       public get hostedZoneArn(): string {
         return makeHostedZoneArn(this, this.hostedZoneId);
       }
-      public grantDelegation(grantee: iam.IGrantable): iam.Grant {
-        return makeGrantDelegation(grantee, this.hostedZoneArn);
+      public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant {
+        return makeGrantDelegation(grantee, this.hostedZoneArn, options);
       }
     }
     return new Import(scope, id);

packages/aws-cdk-lib/aws-route53/lib/hosted-zone.ts

@@ -1,5 +1,5 @@
 import { Construct } from 'constructs';
-import { IHostedZone } from './hosted-zone-ref';
+import { GrantDelegationOptions, IHostedZone } from './hosted-zone-ref';
 import * as iam from '../../aws-iam';
 import { Stack } from '../../core';
 
@@ -71,7 +71,7 @@ export function makeHostedZoneArn(construct: Construct, hostedZoneId: string): s
   });
 }
 
-export function makeGrantDelegation(grantee: iam.IGrantable, hostedZoneArn: string): iam.Grant {
+export function makeGrantDelegation(grantee: iam.IGrantable, hostedZoneArn: string, delegationOptions?: GrantDelegationOptions): iam.Grant {
   const g1 = iam.Grant.addToPrincipal({
     grantee,
     actions: ['route53:ChangeResourceRecordSets'],
@@ -80,6 +80,9 @@ export function makeGrantDelegation(grantee: iam.IGrantable, hostedZoneArn: stri
       'ForAllValues:StringEquals': {
         'route53:ChangeResourceRecordSetsRecordTypes': ['NS'],
         'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'],
+        ...(delegationOptions?.nameEquals ? {
+          'route53:ChangeResourceRecordSetsNormalizedRecordNames': delegationOptions.nameEquals,
+        } : {}),
       },
     },
   });

packages/aws-cdk-lib/aws-route53/lib/util.ts

@@ -1,3 +1,4 @@
+import * as iam from '../../aws-iam';
 import * as cdk from '../../core';
 import { HostedZone } from '../lib';
 import * as util from '../lib/util';
@@ -67,4 +68,45 @@ describe('util', () => {
     // THEN
     expect(qualified).toEqual('test.domain.com.');
   });
+
+  test('grant delegation without nameEquals returns ChangeResourceRecordSets statement without normalzed record names condition', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const grantee = new iam.User(stack, 'Grantee');
+
+    // WHEN
+    const actual = util.makeGrantDelegation(grantee, 'hosted-zone');
+
+    // THEN
+    const statement = actual.principalStatements.find(x => x.actions.includes('route53:ChangeResourceRecordSets'));
+    expect(statement).not.toBeUndefined();
+    expect(statement?.conditions).toEqual({
+      'ForAllValues:StringEquals': {
+        'route53:ChangeResourceRecordSetsRecordTypes': ['NS'],
+        'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'],
+      },
+    });
+  });
+
+  test('grant delegation with nameEquals returns ChangeResourceRecordSets statement with normalized record names condition', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const grantee = new iam.User(stack, 'Grantee');
+
+    // WHEN
+    const actual = util.makeGrantDelegation(grantee, 'hosted-zone', {
+      nameEquals: ['name-1', 'name-2'],
+    });
+
+    // THEN
+    const statement = actual.principalStatements.find(x => x.actions.includes('route53:ChangeResourceRecordSets'));
+    expect(statement).not.toBeUndefined();
+    expect(statement?.conditions).toEqual({
+      'ForAllValues:StringEquals': {
+        'route53:ChangeResourceRecordSetsRecordTypes': ['NS'],
+        'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'],
+        'route53:ChangeResourceRecordSetsNormalizedRecordNames': ['name-1', 'name-2'],
+      },
+    });
+  });
 });