diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.assets.json new file mode 100644 index 0000000000000..f7df177e1abad --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "ZoneDelegationIamDefaultTestDeployAssert7D0B25D2 Template", + "source": { + "path": "ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-d8d86b35": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationStack.assets.json new file mode 100644 index 0000000000000..59b8ad772887b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationStack.assets.json @@ -0,0 +1,34 @@ +{ + "version": "48.0.0", + "files": { + "2a1e3a5c062d73050b47001ce8443b5cce3002e2af38029f60659b7002ce4b51": { + "displayName": "ZoneDelegationStack/Custom::CrossAccountZoneDelegationCustomResourceProvider Code", + "source": { + "path": "asset.2a1e3a5c062d73050b47001ce8443b5cce3002e2af38029f60659b7002ce4b51", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region-08de1a37": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "2a1e3a5c062d73050b47001ce8443b5cce3002e2af38029f60659b7002ce4b51.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "6d8a7dc9318b45fe9086898bd60f3453daea9b3a9693fb2d331e24f291396f7d": { + "displayName": "ZoneDelegationStack Template", + "source": { + "path": "ZoneDelegationStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-c2818182": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "6d8a7dc9318b45fe9086898bd60f3453daea9b3a9693fb2d331e24f291396f7d.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationStack.template.json new file mode 100644 index 0000000000000..cf7168ed2e88a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/ZoneDelegationStack.template.json @@ -0,0 +1,378 @@ +{ + "Resources": { + "ParentZoneECA3B259": { + "Type": "AWS::Route53::HostedZone", + "Properties": { + "Name": "uniqueexample.com." + } + }, + "ZoneDelegationRoleD3AA833E": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Condition": { + "ArnLike": { + "aws:PrincipalArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/ZoneDelegationStack-*" + ] + ] + } + } + }, + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + }, + "RoleName": "ExampleDelegationRole" + } + }, + "ZoneDelegationRoleDefaultPolicy2187EBE7": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "route53:ChangeResourceRecordSets", + "Condition": { + "ForAllValues:StringEquals": { + "route53:ChangeResourceRecordSetsRecordTypes": [ + "NS" + ], + "route53:ChangeResourceRecordSetsActions": [ + "UPSERT", + "DELETE" + ], + "route53:ChangeResourceRecordSetsNormalizedRecordNames": [ + "sub1.uniqueexample.com", + "sub2_\\052\\044.uniqueexample.com" + ] + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":route53:::hostedzone/", + { + "Ref": "ParentZoneECA3B259" + } + ] + ] + } + }, + { + "Action": "route53:ListHostedZonesByName", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "ZoneDelegationRoleDefaultPolicy2187EBE7", + "Roles": [ + { + "Ref": "ZoneDelegationRoleD3AA833E" + } + ] + } + }, + "SubZoneF7955E1A": { + "Type": "AWS::Route53::HostedZone", + "Properties": { + "Name": "sub1.uniqueexample.com." + } + }, + "SubZoneZoneDelegationcrossaccountzonedelegationhandlerrolePolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA476FBB2F1": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "ZoneDelegationRoleD3AA833E", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA4", + "Roles": [ + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B", + "Arn" + ] + } + ] + } + ] + } + ] + } + ] + } + ] + }, + "DependsOn": [ + "ZoneDelegationRoleDefaultPolicy2187EBE7" + ] + }, + "SubZoneZoneDelegationCrossAccountZoneDelegationCustomResource688D1556": { + "Type": "Custom::CrossAccountZoneDelegation", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265", + "Arn" + ] + }, + "AssumeRoleArn": { + "Fn::GetAtt": [ + "ZoneDelegationRoleD3AA833E", + "Arn" + ] + }, + "ParentZoneName": "uniqueexample.com", + "DelegatedZoneName": "sub1.uniqueexample.com", + "DelegatedZoneNameServers": { + "Fn::GetAtt": [ + "SubZoneF7955E1A", + "NameServers" + ] + }, + "TTL": 172800 + }, + "DependsOn": [ + "SubZoneZoneDelegationcrossaccountzonedelegationhandlerrolePolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA476FBB2F1", + "ZoneDelegationRoleDefaultPolicy2187EBE7" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "2a1e3a5c062d73050b47001ce8443b5cce3002e2af38029f60659b7002ce4b51.zip" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "__entrypoint__.handler", + "Role": { + "Fn::GetAtt": [ + "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B", + "Arn" + ] + }, + "Runtime": "nodejs22.x" + }, + "DependsOn": [ + "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B" + ] + }, + "SubZoneSpecialChars13B7A67B": { + "Type": "AWS::Route53::HostedZone", + "Properties": { + "Name": "sub2_*$.uniqueexample.com." + } + }, + "SubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerrolePolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D6D37D8F2": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "ZoneDelegationRoleD3AA833E", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D", + "Roles": [ + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B", + "Arn" + ] + } + ] + } + ] + } + ] + } + ] + } + ] + }, + "DependsOn": [ + "ZoneDelegationRoleDefaultPolicy2187EBE7" + ] + }, + "SubZoneSpecialCharsZoneDelegationCrossAccountZoneDelegationCustomResourceC4CC9C77": { + "Type": "Custom::CrossAccountZoneDelegation", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265", + "Arn" + ] + }, + "AssumeRoleArn": { + "Fn::GetAtt": [ + "ZoneDelegationRoleD3AA833E", + "Arn" + ] + }, + "ParentZoneName": "uniqueexample.com", + "DelegatedZoneName": "sub2_*$.uniqueexample.com", + "DelegatedZoneNameServers": { + "Fn::GetAtt": [ + "SubZoneSpecialChars13B7A67B", + "NameServers" + ] + }, + "TTL": 172800 + }, + "DependsOn": [ + "SubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerrolePolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D6D37D8F2", + "ZoneDelegationRoleDefaultPolicy2187EBE7" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/asset.2a1e3a5c062d73050b47001ce8443b5cce3002e2af38029f60659b7002ce4b51/__entrypoint__.js b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/asset.2a1e3a5c062d73050b47001ce8443b5cce3002e2af38029f60659b7002ce4b51/__entrypoint__.js new file mode 100644 index 0000000000000..ff3a517fba12d --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/asset.2a1e3a5c062d73050b47001ce8443b5cce3002e2af38029f60659b7002ce4b51/__entrypoint__.js @@ -0,0 +1,155 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.external = void 0; +exports.handler = handler; +exports.withRetries = withRetries; +const https = require("https"); +const url = require("url"); +// for unit tests +exports.external = { + sendHttpRequest: defaultSendHttpRequest, + log: defaultLog, + includeStackTraces: true, + userHandlerIndex: './index', +}; +const CREATE_FAILED_PHYSICAL_ID_MARKER = 'AWSCDK::CustomResourceProviderFramework::CREATE_FAILED'; +const MISSING_PHYSICAL_ID_MARKER = 'AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID'; +async function handler(event, context) { + const sanitizedEvent = { ...event, ResponseURL: '...' }; + exports.external.log(JSON.stringify(sanitizedEvent, undefined, 2)); + // ignore DELETE event when the physical resource ID is the marker that + // indicates that this DELETE is a subsequent DELETE to a failed CREATE + // operation. + if (event.RequestType === 'Delete' && event.PhysicalResourceId === CREATE_FAILED_PHYSICAL_ID_MARKER) { + exports.external.log('ignoring DELETE event caused by a failed CREATE event'); + await submitResponse('SUCCESS', event); + return; + } + try { + // invoke the user handler. this is intentionally inside the try-catch to + // ensure that if there is an error it's reported as a failure to + // cloudformation (otherwise cfn waits). + // eslint-disable-next-line @typescript-eslint/no-require-imports + const userHandler = require(exports.external.userHandlerIndex).handler; + const result = await userHandler(sanitizedEvent, context); + // validate user response and create the combined event + const responseEvent = renderResponse(event, result); + // submit to cfn as success + await submitResponse('SUCCESS', responseEvent); + } + catch (e) { + const resp = { + ...event, + Reason: exports.external.includeStackTraces ? e.stack : e.message, + }; + if (!resp.PhysicalResourceId) { + // special case: if CREATE fails, which usually implies, we usually don't + // have a physical resource id. in this case, the subsequent DELETE + // operation does not have any meaning, and will likely fail as well. to + // address this, we use a marker so the provider framework can simply + // ignore the subsequent DELETE. + if (event.RequestType === 'Create') { + exports.external.log('CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored'); + resp.PhysicalResourceId = CREATE_FAILED_PHYSICAL_ID_MARKER; + } + else { + // otherwise, if PhysicalResourceId is not specified, something is + // terribly wrong because all other events should have an ID. + exports.external.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(event)}`); + } + } + // this is an actual error, fail the activity altogether and exist. + await submitResponse('FAILED', resp); + } +} +function renderResponse(cfnRequest, handlerResponse = {}) { + // if physical ID is not returned, we have some defaults for you based + // on the request type. + const physicalResourceId = handlerResponse.PhysicalResourceId ?? cfnRequest.PhysicalResourceId ?? cfnRequest.RequestId; + // if we are in DELETE and physical ID was changed, it's an error. + if (cfnRequest.RequestType === 'Delete' && physicalResourceId !== cfnRequest.PhysicalResourceId) { + throw new Error(`DELETE: cannot change the physical resource ID from "${cfnRequest.PhysicalResourceId}" to "${handlerResponse.PhysicalResourceId}" during deletion`); + } + // merge request event and result event (result prevails). + return { + ...cfnRequest, + ...handlerResponse, + PhysicalResourceId: physicalResourceId, + }; +} +async function submitResponse(status, event) { + const json = { + Status: status, + Reason: event.Reason ?? status, + StackId: event.StackId, + RequestId: event.RequestId, + PhysicalResourceId: event.PhysicalResourceId || MISSING_PHYSICAL_ID_MARKER, + LogicalResourceId: event.LogicalResourceId, + NoEcho: event.NoEcho, + Data: event.Data, + }; + const parsedUrl = url.parse(event.ResponseURL); + const loggingSafeUrl = `${parsedUrl.protocol}//${parsedUrl.hostname}/${parsedUrl.pathname}?***`; + exports.external.log('submit response to cloudformation', loggingSafeUrl, json); + const responseBody = JSON.stringify(json); + const req = { + hostname: parsedUrl.hostname, + path: parsedUrl.path, + method: 'PUT', + headers: { + 'content-type': '', + 'content-length': Buffer.byteLength(responseBody, 'utf8'), + }, + }; + const retryOptions = { + attempts: 5, + sleep: 1000, + }; + await withRetries(retryOptions, exports.external.sendHttpRequest)(req, responseBody); +} +async function defaultSendHttpRequest(options, requestBody) { + return new Promise((resolve, reject) => { + try { + const request = https.request(options, (response) => { + response.resume(); // Consume the response but don't care about it + if (!response.statusCode || response.statusCode >= 400) { + reject(new Error(`Unsuccessful HTTP response: ${response.statusCode}`)); + } + else { + resolve(); + } + }); + request.on('error', reject); + request.write(requestBody); + request.end(); + } + catch (e) { + reject(e); + } + }); +} +function defaultLog(fmt, ...params) { + // eslint-disable-next-line no-console + console.log(fmt, ...params); +} +function withRetries(options, fn) { + return async (...xs) => { + let attempts = options.attempts; + let ms = options.sleep; + while (true) { + try { + return await fn(...xs); + } + catch (e) { + if (attempts-- <= 0) { + throw e; + } + await sleep(Math.floor(Math.random() * ms)); + ms *= 2; + } + } + }; +} +async function sleep(ms) { + return new Promise((ok) => setTimeout(ok, ms)); +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/asset.2a1e3a5c062d73050b47001ce8443b5cce3002e2af38029f60659b7002ce4b51/index.js b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/asset.2a1e3a5c062d73050b47001ce8443b5cce3002e2af38029f60659b7002ce4b51/index.js new file mode 100644 index 0000000000000..47cdff8a061b7 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/asset.2a1e3a5c062d73050b47001ce8443b5cce3002e2af38029f60659b7002ce4b51/index.js @@ -0,0 +1 @@ +"use strict";var c=Object.defineProperty;var Z=Object.getOwnPropertyDescriptor;var N=Object.getOwnPropertyNames;var P=Object.prototype.hasOwnProperty;var h=(o,e)=>{for(var n in e)c(o,n,{get:e[n],enumerable:!0})},E=(o,e,n,t)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of N(e))!P.call(o,s)&&s!==n&&c(o,s,{get:()=>e[s],enumerable:!(t=Z(e,s))||t.enumerable});return o};var A=o=>E(c({},"__esModule",{value:!0}),o);var T={};h(T,{handler:()=>w});module.exports=A(T);var m=require("@aws-sdk/client-route-53"),d=require("@aws-sdk/credential-providers");async function w(o){let e=o.ResourceProperties;switch(o.RequestType){case"Create":return r(e,!1);case"Update":return D(e,o.OldResourceProperties);case"Delete":return r(e,!0)}}async function D(o,e){e&&o.DelegatedZoneName!==e.DelegatedZoneName&&await r(e,!0),await r(o,!1)}async function r(o,e){let{AssumeRoleArn:n,ParentZoneId:t,ParentZoneName:s,DelegatedZoneName:a,DelegatedZoneNameServers:i,TTL:g,AssumeRoleRegion:R}=o;if(!t&&!s)throw Error("One of ParentZoneId or ParentZoneName must be specified");let l=new Date().getTime(),u=new m.Route53({credentials:(0,d.fromTemporaryCredentials)({clientConfig:{region:R??S(process.env.AWS_REGION??process.env.AWS_DEFAULT_REGION??"")},params:{RoleArn:n,RoleSessionName:`cross-account-zone-delegation-${l}`}})}),f=t??await v(s,u);await u.changeResourceRecordSets({HostedZoneId:f,ChangeBatch:{Changes:[{Action:e?"DELETE":"UPSERT",ResourceRecordSet:{Name:a,Type:"NS",TTL:g,ResourceRecords:i.map(p=>({Value:p}))}}]}})}async function v(o,e){let t=(await e.listHostedZonesByName({DNSName:o})).HostedZones?.filter(s=>{let a=s.Name===`${o}.`,i=s.Config?.PrivateZone!==!0;return a&&i})??[];if(t&&t.length!==1)throw Error(`Expected one hosted zone to match the given name but found ${t.length}`);return t[0].Id}function S(o){let e={cn:"cn-northwest-1","us-gov":"us-gov-west-1","us-iso":"us-iso-east-1","us-isob":"us-isob-east-1","eu-isoe":"eu-isoe-west-1","us-isof":"us-isof-south-1","eusc-de":"eusc-de-east-1"};for(let[n,t]of Object.entries(e))if(o.startsWith(`${n}-`))return t;return"us-east-1"}0&&(module.exports={handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/cdk.out new file mode 100644 index 0000000000000..523a9aac37cbf --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/integ.json new file mode 100644 index 0000000000000..b0574c8dc0f42 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "48.0.0", + "testCases": { + "ZoneDelegationIam/DefaultTest": { + "stacks": [ + "ZoneDelegationStack" + ], + "assertionStack": "ZoneDelegationIam/DefaultTest/DeployAssert", + "assertionStackName": "ZoneDelegationIamDefaultTestDeployAssert7D0B25D2" + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/manifest.json new file mode 100644 index 0000000000000..f23045381ea8c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/manifest.json @@ -0,0 +1,969 @@ +{ + "version": "48.0.0", + "artifacts": { + "ZoneDelegationStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "ZoneDelegationStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "ZoneDelegationStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "ZoneDelegationStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/6d8a7dc9318b45fe9086898bd60f3453daea9b3a9693fb2d331e24f291396f7d.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "ZoneDelegationStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "ZoneDelegationStack.assets" + ], + "metadata": { + "/ZoneDelegationStack/ParentZone": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "zoneName": "*" + } + }, + { + "type": "aws:cdk:analytics:construct", + "data": { + "zoneName": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": {} + } + ], + "/ZoneDelegationStack/ParentZone/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ParentZoneECA3B259" + } + ], + "/ZoneDelegationStack/ZoneDelegationRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "roleName": "*", + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + } + ], + "/ZoneDelegationStack/ZoneDelegationRole/ImportZoneDelegationRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/ZoneDelegationStack/ZoneDelegationRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ZoneDelegationRoleD3AA833E" + } + ], + "/ZoneDelegationStack/ZoneDelegationRole/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/ZoneDelegationStack/ZoneDelegationRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ZoneDelegationRoleDefaultPolicy2187EBE7" + } + ], + "/ZoneDelegationStack/SubZone": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "zoneName": "*" + } + }, + { + "type": "aws:cdk:analytics:construct", + "data": { + "zoneName": "*" + } + } + ], + "/ZoneDelegationStack/SubZone/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZoneF7955E1A" + } + ], + "/ZoneDelegationStack/SubZone/ZoneDelegation/cross-account-zone-delegation-handler-role": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/ZoneDelegationStack/SubZone/ZoneDelegation/cross-account-zone-delegation-handler-role/PolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA4": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "policyName": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/ZoneDelegationStack/SubZone/ZoneDelegation/cross-account-zone-delegation-handler-role/PolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA4/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZoneZoneDelegationcrossaccountzonedelegationhandlerrolePolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA476FBB2F1" + } + ], + "/ZoneDelegationStack/SubZone/ZoneDelegation/CrossAccountZoneDelegationCustomResource": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/ZoneDelegationStack/SubZone/ZoneDelegation/CrossAccountZoneDelegationCustomResource/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZoneZoneDelegationCrossAccountZoneDelegationCustomResource688D1556" + } + ], + "/ZoneDelegationStack/Custom::CrossAccountZoneDelegationCustomResourceProvider": [ + { + "type": "aws:cdk:is-custom-resource-handler-customResourceProvider", + "data": true + } + ], + "/ZoneDelegationStack/Custom::CrossAccountZoneDelegationCustomResourceProvider/Role": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B" + } + ], + "/ZoneDelegationStack/Custom::CrossAccountZoneDelegationCustomResourceProvider/Handler": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265" + } + ], + "/ZoneDelegationStack/SubZoneSpecialChars": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "zoneName": "*" + } + }, + { + "type": "aws:cdk:analytics:construct", + "data": { + "zoneName": "*" + } + } + ], + "/ZoneDelegationStack/SubZoneSpecialChars/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZoneSpecialChars13B7A67B" + } + ], + "/ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation/cross-account-zone-delegation-handler-role": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation/cross-account-zone-delegation-handler-role/PolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "policyName": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation/cross-account-zone-delegation-handler-role/PolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerrolePolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D6D37D8F2" + } + ], + "/ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation/CrossAccountZoneDelegationCustomResource": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation/CrossAccountZoneDelegationCustomResource/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZoneSpecialCharsZoneDelegationCrossAccountZoneDelegationCustomResourceC4CC9C77" + } + ], + "/ZoneDelegationStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/ZoneDelegationStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ], + "SubZone1D8A18689": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZone1D8A18689", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ], + "SubZone1ZoneDelegationcrossaccountzonedelegationhandlerrolePolicyZoneDelegationStackSubZone1ZoneDelegationcrossaccountzonedelegationhandlerrole3B7BF93FFA2749E6": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZone1ZoneDelegationcrossaccountzonedelegationhandlerrolePolicyZoneDelegationStackSubZone1ZoneDelegationcrossaccountzonedelegationhandlerrole3B7BF93FFA2749E6", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ], + "SubZone1ZoneDelegationCrossAccountZoneDelegationCustomResource59C2B413": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZone1ZoneDelegationCrossAccountZoneDelegationCustomResource59C2B413", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ], + "SubZone25FFB0233": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZone25FFB0233", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ], + "SubZone2ZoneDelegationcrossaccountzonedelegationhandlerrolePolicyZoneDelegationStackSubZone2ZoneDelegationcrossaccountzonedelegationhandlerrole36D1478DA98EDD29": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZone2ZoneDelegationcrossaccountzonedelegationhandlerrolePolicyZoneDelegationStackSubZone2ZoneDelegationcrossaccountzonedelegationhandlerrole36D1478DA98EDD29", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ], + "SubZone2ZoneDelegationCrossAccountZoneDelegationCustomResourceEC5E24F9": [ + { + "type": "aws:cdk:logicalId", + "data": "SubZone2ZoneDelegationCrossAccountZoneDelegationCustomResourceEC5E24F9", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ] + }, + "displayName": "ZoneDelegationStack" + }, + "ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "ZoneDelegationIamDefaultTestDeployAssert7D0B25D2": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "ZoneDelegationIamDefaultTestDeployAssert7D0B25D2.assets" + ], + "metadata": { + "/ZoneDelegationIam/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/ZoneDelegationIam/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "ZoneDelegationIam/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/tree.json new file mode 100644 index 0000000000000..23f1e7d19f062 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.js.snapshot/tree.json @@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"ZoneDelegationStack":{"id":"ZoneDelegationStack","path":"ZoneDelegationStack","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"ParentZone":{"id":"ParentZone","path":"ZoneDelegationStack/ParentZone","constructInfo":{"fqn":"aws-cdk-lib.aws_route53.PublicHostedZone","version":"0.0.0","metadata":[{"zoneName":"*"},{"zoneName":"*"},{}]},"children":{"Resource":{"id":"Resource","path":"ZoneDelegationStack/ParentZone/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_route53.CfnHostedZone","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Route53::HostedZone","aws:cdk:cloudformation:props":{"name":"uniqueexample.com."}}}}},"ZoneDelegationRole":{"id":"ZoneDelegationRole","path":"ZoneDelegationStack/ZoneDelegationRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"roleName":"*","assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]},{"addToPrincipalPolicy":[{}]}]},"children":{"ImportZoneDelegationRole":{"id":"ImportZoneDelegationRole","path":"ZoneDelegationStack/ZoneDelegationRole/ImportZoneDelegationRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"ZoneDelegationStack/ZoneDelegationRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Condition":{"ArnLike":{"aws:PrincipalArn":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::",{"Ref":"AWS::AccountId"},":role/ZoneDelegationStack-*"]]}}},"Effect":"Allow","Principal":{"AWS":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::",{"Ref":"AWS::AccountId"},":root"]]}}}],"Version":"2012-10-17"},"roleName":"ExampleDelegationRole"}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"ZoneDelegationStack/ZoneDelegationRole/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"ZoneDelegationStack/ZoneDelegationRole/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"route53:ChangeResourceRecordSets","Condition":{"ForAllValues:StringEquals":{"route53:ChangeResourceRecordSetsRecordTypes":["NS"],"route53:ChangeResourceRecordSetsActions":["UPSERT","DELETE"],"route53:ChangeResourceRecordSetsNormalizedRecordNames":["sub1.uniqueexample.com","sub2_\\052\\044.uniqueexample.com"]}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":route53:::hostedzone/",{"Ref":"ParentZoneECA3B259"}]]}},{"Action":"route53:ListHostedZonesByName","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"ZoneDelegationRoleDefaultPolicy2187EBE7","roles":[{"Ref":"ZoneDelegationRoleD3AA833E"}]}}}}}}},"SubZone":{"id":"SubZone","path":"ZoneDelegationStack/SubZone","constructInfo":{"fqn":"aws-cdk-lib.aws_route53.PublicHostedZone","version":"0.0.0","metadata":[{"zoneName":"*"},{"zoneName":"*"}]},"children":{"Resource":{"id":"Resource","path":"ZoneDelegationStack/SubZone/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_route53.CfnHostedZone","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Route53::HostedZone","aws:cdk:cloudformation:props":{"name":"sub1.uniqueexample.com."}}},"ZoneDelegation":{"id":"ZoneDelegation","path":"ZoneDelegationStack/SubZone/ZoneDelegation","constructInfo":{"fqn":"aws-cdk-lib.aws_route53.CrossAccountZoneDelegationRecord","version":"0.0.0"},"children":{"cross-account-zone-delegation-handler-role":{"id":"cross-account-zone-delegation-handler-role","path":"ZoneDelegationStack/SubZone/ZoneDelegation/cross-account-zone-delegation-handler-role","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*","*","*","*"]},"children":{"PolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA4":{"id":"PolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA4","path":"ZoneDelegationStack/SubZone/ZoneDelegation/cross-account-zone-delegation-handler-role/PolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA4","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"policyName":"*"},{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"ZoneDelegationStack/SubZone/ZoneDelegation/cross-account-zone-delegation-handler-role/PolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA4/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Resource":{"Fn::GetAtt":["ZoneDelegationRoleD3AA833E","Arn"]}}],"Version":"2012-10-17"},"policyName":"PolicyZoneDelegationStackSubZoneZoneDelegationcrossaccountzonedelegationhandlerrole9EBB2EA4","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::GetAtt":["CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B","Arn"]}]}]}]}]}]}}}}}}},"CrossAccountZoneDelegationCustomResource":{"id":"CrossAccountZoneDelegationCustomResource","path":"ZoneDelegationStack/SubZone/ZoneDelegation/CrossAccountZoneDelegationCustomResource","constructInfo":{"fqn":"aws-cdk-lib.CustomResource","version":"0.0.0","metadata":["*"]},"children":{"Default":{"id":"Default","path":"ZoneDelegationStack/SubZone/ZoneDelegation/CrossAccountZoneDelegationCustomResource/Default","constructInfo":{"fqn":"aws-cdk-lib.CfnResource","version":"0.0.0"}}}}}}}},"Custom::CrossAccountZoneDelegationCustomResourceProvider":{"id":"Custom::CrossAccountZoneDelegationCustomResourceProvider","path":"ZoneDelegationStack/Custom::CrossAccountZoneDelegationCustomResourceProvider","constructInfo":{"fqn":"aws-cdk-lib.CustomResourceProviderBase","version":"0.0.0"},"children":{"Staging":{"id":"Staging","path":"ZoneDelegationStack/Custom::CrossAccountZoneDelegationCustomResourceProvider/Staging","constructInfo":{"fqn":"aws-cdk-lib.AssetStaging","version":"0.0.0"}},"Role":{"id":"Role","path":"ZoneDelegationStack/Custom::CrossAccountZoneDelegationCustomResourceProvider/Role","constructInfo":{"fqn":"aws-cdk-lib.CfnResource","version":"0.0.0"}},"Handler":{"id":"Handler","path":"ZoneDelegationStack/Custom::CrossAccountZoneDelegationCustomResourceProvider/Handler","constructInfo":{"fqn":"aws-cdk-lib.CfnResource","version":"0.0.0"}}}},"SubZoneSpecialChars":{"id":"SubZoneSpecialChars","path":"ZoneDelegationStack/SubZoneSpecialChars","constructInfo":{"fqn":"aws-cdk-lib.aws_route53.PublicHostedZone","version":"0.0.0","metadata":[{"zoneName":"*"},{"zoneName":"*"}]},"children":{"Resource":{"id":"Resource","path":"ZoneDelegationStack/SubZoneSpecialChars/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_route53.CfnHostedZone","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Route53::HostedZone","aws:cdk:cloudformation:props":{"name":"sub2_*$.uniqueexample.com."}}},"ZoneDelegation":{"id":"ZoneDelegation","path":"ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation","constructInfo":{"fqn":"aws-cdk-lib.aws_route53.CrossAccountZoneDelegationRecord","version":"0.0.0"},"children":{"cross-account-zone-delegation-handler-role":{"id":"cross-account-zone-delegation-handler-role","path":"ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation/cross-account-zone-delegation-handler-role","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*","*","*","*"]},"children":{"PolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D":{"id":"PolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D","path":"ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation/cross-account-zone-delegation-handler-role/PolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"policyName":"*"},{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation/cross-account-zone-delegation-handler-role/PolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Resource":{"Fn::GetAtt":["ZoneDelegationRoleD3AA833E","Arn"]}}],"Version":"2012-10-17"},"policyName":"PolicyZoneDelegationStackSubZoneSpecialCharsZoneDelegationcrossaccountzonedelegationhandlerroleD01CC77D","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::GetAtt":["CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B","Arn"]}]}]}]}]}]}}}}}}},"CrossAccountZoneDelegationCustomResource":{"id":"CrossAccountZoneDelegationCustomResource","path":"ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation/CrossAccountZoneDelegationCustomResource","constructInfo":{"fqn":"aws-cdk-lib.CustomResource","version":"0.0.0","metadata":["*"]},"children":{"Default":{"id":"Default","path":"ZoneDelegationStack/SubZoneSpecialChars/ZoneDelegation/CrossAccountZoneDelegationCustomResource/Default","constructInfo":{"fqn":"aws-cdk-lib.CfnResource","version":"0.0.0"}}}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"ZoneDelegationStack/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"ZoneDelegationStack/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"ZoneDelegationIam":{"id":"ZoneDelegationIam","path":"ZoneDelegationIam","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"ZoneDelegationIam/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"ZoneDelegationIam/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"ZoneDelegationIam/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"ZoneDelegationIam/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"ZoneDelegationIam/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.ts new file mode 100644 index 0000000000000..228fea0c46c70 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.zone-delegation-iam-stack.ts @@ -0,0 +1,66 @@ +import * as iam from 'aws-cdk-lib/aws-iam'; +import * as cdk from 'aws-cdk-lib'; +import * as route53 from 'aws-cdk-lib/aws-route53'; +import { Construct } from 'constructs'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +class ZoneDelegationIamStack extends cdk.Stack { + constructor(scope: Construct, id: string) { + super(scope, id); + + const parentZone = new route53.PublicHostedZone(this, 'ParentZone', { + zoneName: 'uniqueexample.com', + }); + + const trusteeRoleArns = this.formatArn({ + service: 'iam', + region: '', + resource: 'role', + resourceName: 'ZoneDelegationStack-*', + }); + + const delegationRole = new iam.Role(this, 'ZoneDelegationRole', { + roleName: 'ExampleDelegationRole', + assumedBy: new iam.AccountRootPrincipal().withConditions({ + ArnLike: { + 'aws:PrincipalArn': trusteeRoleArns, + }, + }), + }); + + const delegationGrant = parentZone.grantDelegation(delegationRole, { + delegatedZoneNames: [ + 'sub1.uniqueexample.com', + 'sub2_*$.uniqueexample.com', // should result in octal codes in iam condition + ], + }); + + const subZone = new route53.PublicHostedZone(this, 'SubZone', { + zoneName: 'sub1.uniqueexample.com', + }); + + new route53.CrossAccountZoneDelegationRecord(subZone, 'ZoneDelegation', { + delegatedZone: subZone, + parentHostedZoneName: parentZone.zoneName, + delegationRole: delegationRole, + }).node.addDependency(delegationGrant); + + const subZoneWithSpecialChars = new route53.PublicHostedZone(this, 'SubZoneSpecialChars', { + zoneName: 'sub2_*$.uniqueexample.com', + }); + + new route53.CrossAccountZoneDelegationRecord(subZoneWithSpecialChars, 'ZoneDelegation', { + delegatedZone: subZoneWithSpecialChars, + parentHostedZoneName: parentZone.zoneName, + delegationRole: delegationRole, + }).node.addDependency(delegationGrant); + } +} + +const app = new cdk.App(); + +const stack = new ZoneDelegationIamStack(app, 'ZoneDelegationStack'); + +new IntegTest(app, 'ZoneDelegationIam', { + testCases: [stack], +}); diff --git a/packages/aws-cdk-lib/aws-route53/README.md b/packages/aws-cdk-lib/aws-route53/README.md index 49681bd5d7888..43b3eaaaca41f 100644 --- a/packages/aws-cdk-lib/aws-route53/README.md +++ b/packages/aws-cdk-lib/aws-route53/README.md @@ -367,40 +367,40 @@ const crossAccountRole = new iam.Role(this, 'CrossAccountRole', { roleName: 'MyDelegationRole', // The other account assumedBy: new iam.AccountPrincipal('12345678901'), - // You can scope down this role policy to be least privileged. - // If you want the other account to be able to manage specific records, - // you can scope down by resource and/or normalized record names - inlinePolicies: { - crossAccountPolicy: new iam.PolicyDocument({ - statements: [ - new iam.PolicyStatement({ - sid: 'ListHostedZonesByName', - effect: iam.Effect.ALLOW, - actions: ['route53:ListHostedZonesByName'], - resources: ['*'], - }), - new iam.PolicyStatement({ - sid: 'GetHostedZoneAndChangeResourceRecordSets', - effect: iam.Effect.ALLOW, - actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSets'], - // This example assumes the RecordSet subdomain.somexample.com - // is contained in the HostedZone - resources: ['arn:aws:route53:::hostedzone/HZID00000000000000000'], - conditions: { - 'ForAllValues:StringLike': { - 'route53:ChangeResourceRecordSetsNormalizedRecordNames': [ - 'subdomain.someexample.com', - ], - }, - }, - }), - ], - }), - }, }); parentZone.grantDelegation(crossAccountRole); ``` +To restrict the records that can be created with the delegation IAM role, use the optional `delegatedZoneNames` property in the delegation options, +which enforces the `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition key for record names that match those hosted zone names. +The `delegatedZoneNames` list may only consist of hosted zones names that are subzones of the parent hosted zone. + +If the delegated zone name contains an unresolved token, +it must resolve to a zone name that satisfies the requirements according to the documentation: +https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrset_conditionkeys_normalization + +> All letters must be lowercase. +> The DNS name must be without the trailing dot. +> Characters other than a–z, 0–9, - (hyphen), _ (underscore), and . (period, as a delimiter between labels) must use escape codes in the format \three-digit octal code. For example, \052 is the octal code for character *. + +This feature allows you to better follow the minimum permissions privilege principle: + +```ts +const parentZone = new route53.PublicHostedZone(this, 'HostedZone', { + zoneName: 'someexample.com', +}); + +declare const betaCrossAccountRole: iam.Role; +parentZone.grantDelegation(betaCrossAccountRole, { + delegatedZoneNames: ['beta.someexample.com'], +}); + +declare const prodCrossAccountRole: iam.Role; +parentZone.grantDelegation(prodCrossAccountRole, { + delegatedZoneNames: ['prod.someexample.com'], +}); +``` + In the account containing the child zone to be delegated: ```ts @@ -540,7 +540,8 @@ const zone = route53.HostedZone.fromHostedZoneAttributes(this, 'MyZone', { ``` Alternatively, use the `HostedZone.fromHostedZoneId` to import hosted zones if -you know the ID and the retrieval for the `zoneName` is undesirable. +you know the ID and the retrieval for the `zoneName` is undesirable. +Note that any records created with a hosted zone obtained this way must have their name be fully qualified ```ts const zone = route53.HostedZone.fromHostedZoneId(this, 'MyZone', 'ZOJJZC49E0EPZ'); diff --git a/packages/aws-cdk-lib/aws-route53/lib/hosted-zone-ref.ts b/packages/aws-cdk-lib/aws-route53/lib/hosted-zone-ref.ts index a19acdc65ccc5..06894ae2e8ac8 100644 --- a/packages/aws-cdk-lib/aws-route53/lib/hosted-zone-ref.ts +++ b/packages/aws-cdk-lib/aws-route53/lib/hosted-zone-ref.ts @@ -37,7 +37,26 @@ export interface IHostedZone extends IResource { /** * Grant permissions to add delegation records to this zone */ - grantDelegation(grantee: iam.IGrantable): iam.Grant; + grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant; +} + +/** + * Options for the delegation permissions granted + */ +export interface GrantDelegationOptions { + /** + * List of hosted zone names to allow delegation to in the grant permissions. + * If the delegated zone name contains an unresolved token, + * it must resolve to a zone name that satisfies the requirements according to the documentation: + * https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrset_conditionkeys_normalization + * + * > All letters must be lowercase. + * > The DNS name must be without the trailing dot. + * > Characters other than a–z, 0–9, - (hyphen), _ (underscore), and . (period, as a delimiter between labels) must use escape codes in the format \three-digit octal code. For example, \052 is the octal code for character *. + * + * @default the grant allows delegation to any hosted zone + */ + readonly delegatedZoneNames?: string[]; } /** diff --git a/packages/aws-cdk-lib/aws-route53/lib/hosted-zone.ts b/packages/aws-cdk-lib/aws-route53/lib/hosted-zone.ts index 5e1b31b9eabed..67b1c1d82e24a 100644 --- a/packages/aws-cdk-lib/aws-route53/lib/hosted-zone.ts +++ b/packages/aws-cdk-lib/aws-route53/lib/hosted-zone.ts @@ -1,6 +1,6 @@ import { Construct } from 'constructs'; import { HostedZoneProviderProps } from './hosted-zone-provider'; -import { HostedZoneAttributes, IHostedZone, PublicHostedZoneAttributes, PrivateHostedZoneAttributes } from './hosted-zone-ref'; +import { GrantDelegationOptions, HostedZoneAttributes, IHostedZone, PublicHostedZoneAttributes, PrivateHostedZoneAttributes } from './hosted-zone-ref'; import { IKeySigningKey, KeySigningKey } from './key-signing-key'; import { CaaAmazonRecord, ZoneDelegationRecord } from './record-set'; import { CfnHostedZone, CfnDNSSEC, CfnKeySigningKey } from './route53.generated'; @@ -117,8 +117,8 @@ export class HostedZone extends Resource implements IHostedZone { public get hostedZoneArn(): string { return makeHostedZoneArn(this, this.hostedZoneId); } - public grantDelegation(grantee: iam.IGrantable): iam.Grant { - return makeGrantDelegation(grantee, this.hostedZoneArn); + public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant { + return makeGrantDelegation(grantee, this, options); } } @@ -141,8 +141,8 @@ export class HostedZone extends Resource implements IHostedZone { public get hostedZoneArn(): string { return makeHostedZoneArn(this, this.hostedZoneId); } - public grantDelegation(grantee: iam.IGrantable): iam.Grant { - return makeGrantDelegation(grantee, this.hostedZoneArn); + public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant { + return makeGrantDelegation(grantee, this, options); } } @@ -241,8 +241,8 @@ export class HostedZone extends Resource implements IHostedZone { } @MethodMetadata() - public grantDelegation(grantee: iam.IGrantable): iam.Grant { - return makeGrantDelegation(grantee, this.hostedZoneArn); + public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant { + return makeGrantDelegation(grantee, this, options); } /** @@ -345,8 +345,8 @@ export class PublicHostedZone extends HostedZone implements IPublicHostedZone { public get hostedZoneArn(): string { return makeHostedZoneArn(this, this.hostedZoneId); } - public grantDelegation(grantee: iam.IGrantable): iam.Grant { - return makeGrantDelegation(grantee, this.hostedZoneArn); + public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant { + return makeGrantDelegation(grantee, this, options); } } return new Import(scope, id); @@ -368,8 +368,8 @@ export class PublicHostedZone extends HostedZone implements IPublicHostedZone { public get hostedZoneArn(): string { return makeHostedZoneArn(this, this.hostedZoneId); } - public grantDelegation(grantee: iam.IGrantable): iam.Grant { - return makeGrantDelegation(grantee, this.hostedZoneArn); + public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant { + return makeGrantDelegation(grantee, this, options); } } return new Import(scope, id); @@ -513,8 +513,8 @@ export class PrivateHostedZone extends HostedZone implements IPrivateHostedZone public get hostedZoneArn(): string { return makeHostedZoneArn(this, this.hostedZoneId); } - public grantDelegation(grantee: iam.IGrantable): iam.Grant { - return makeGrantDelegation(grantee, this.hostedZoneArn); + public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant { + return makeGrantDelegation(grantee, this, options); } } return new Import(scope, id); @@ -536,8 +536,8 @@ export class PrivateHostedZone extends HostedZone implements IPrivateHostedZone public get hostedZoneArn(): string { return makeHostedZoneArn(this, this.hostedZoneId); } - public grantDelegation(grantee: iam.IGrantable): iam.Grant { - return makeGrantDelegation(grantee, this.hostedZoneArn); + public grantDelegation(grantee: iam.IGrantable, options?: GrantDelegationOptions): iam.Grant { + return makeGrantDelegation(grantee, this, options); } } return new Import(scope, id); diff --git a/packages/aws-cdk-lib/aws-route53/lib/util.ts b/packages/aws-cdk-lib/aws-route53/lib/util.ts index 80412c38a57de..0363100576f9d 100644 --- a/packages/aws-cdk-lib/aws-route53/lib/util.ts +++ b/packages/aws-cdk-lib/aws-route53/lib/util.ts @@ -1,7 +1,7 @@ import { Construct } from 'constructs'; -import { IHostedZone } from './hosted-zone-ref'; +import { GrantDelegationOptions, IHostedZone } from './hosted-zone-ref'; import * as iam from '../../aws-iam'; -import { Stack } from '../../core'; +import { Stack, Token, UnscopedValidationError } from '../../core'; /** * Validates a zone name is valid by Route53 specific naming rules, @@ -49,9 +49,7 @@ export function determineFullyQualifiedDomainName(providedName: string, hostedZo return providedName; } - const hostedZoneName = hostedZone.zoneName.endsWith('.') - ? hostedZone.zoneName.substring(0, hostedZone.zoneName.length - 1) - : hostedZone.zoneName; + const hostedZoneName = stripTrailingDot(hostedZone.zoneName); const suffix = `.${hostedZoneName}`; if (providedName.endsWith(suffix) || providedName === hostedZoneName) { @@ -71,15 +69,90 @@ export function makeHostedZoneArn(construct: Construct, hostedZoneId: string): s }); } -export function makeGrantDelegation(grantee: iam.IGrantable, hostedZoneArn: string): iam.Grant { +function stripTrailingDot(zoneName: string) { + return zoneName.endsWith('.') ? zoneName.substring(0, zoneName.length - 1) : zoneName; +} + +const octalConversionIgnoreRegex = /[a-z0-9-_\\.]/; + +// Required to octal encode characters other than a–z, 0–9, - (hyphen), _ (underscore), and . (period) for IAM conditions +// https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrset_conditionkeys_normalization +function octalEncodeDelegatedZoneName(delegatedZoneName: string): string { + if (Token.isUnresolved(delegatedZoneName)) { + return delegatedZoneName; + } + + return delegatedZoneName.split('') + .map(c => { + if (octalConversionIgnoreRegex.test(c)) { + return c; + } + return '\\' + c.charCodeAt(0).toString(8).padStart(3, '0'); + }).join(''); +} + +function validateDelegatedZoneName(parentZoneName: string, delegatedZoneName: string) { + if (delegatedZoneName.endsWith('.')) { + throw new UnscopedValidationError( + `Error while validating delegate zone name '${delegatedZoneName}': delegated zone name cannot have a trailing period`, + ); + } + + if (Token.isUnresolved(delegatedZoneName)) { + return; + } + + try { + validateZoneName(delegatedZoneName); + } catch (error) { + if (error instanceof ValidationError) { + throw new UnscopedValidationError( + `Error while validating delegated zone name '${delegatedZoneName}': ${error.message}`, + ); + } + } + + if (delegatedZoneName.toLowerCase() !== delegatedZoneName) { + throw new UnscopedValidationError( + `Error while validating delegate zone name '${delegatedZoneName}': delegated zone name cannot contain uppercase characters`, + ); + } + + if (Token.isUnresolved(parentZoneName)) { + return; + } + + const parentZoneNameNoTrailingDot = stripTrailingDot(parentZoneName); + + if (!delegatedZoneName.endsWith(parentZoneNameNoTrailingDot)) { + throw new UnscopedValidationError( + `Error while validating delegate zone name '${delegatedZoneName}': delegated zone name must be suffixed by parent zone name`, + ); + } + + if (delegatedZoneName === parentZoneNameNoTrailingDot) { + throw new UnscopedValidationError( + `Error while validating delegate zone name '${delegatedZoneName}': delegated zone name cannot be the same as the parent zone name`, + ); + } +} + +export function makeGrantDelegation(grantee: iam.IGrantable, hostedZone: IHostedZone, delegationOptions?: GrantDelegationOptions): iam.Grant { + const delegatedZoneNames = delegationOptions?.delegatedZoneNames?.map(delegatedZoneName => { + validateDelegatedZoneName(hostedZone.zoneName, delegatedZoneName); + return octalEncodeDelegatedZoneName(delegatedZoneName); + }); const g1 = iam.Grant.addToPrincipal({ grantee, actions: ['route53:ChangeResourceRecordSets'], - resourceArns: [hostedZoneArn], + resourceArns: [hostedZone.hostedZoneArn], conditions: { 'ForAllValues:StringEquals': { 'route53:ChangeResourceRecordSetsRecordTypes': ['NS'], 'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'], + ...(delegationOptions?.delegatedZoneNames ? { + 'route53:ChangeResourceRecordSetsNormalizedRecordNames': delegatedZoneNames, + } : {}), }, }, }); diff --git a/packages/aws-cdk-lib/aws-route53/test/util.test.ts b/packages/aws-cdk-lib/aws-route53/test/util.test.ts index e6e248ef2ba70..655d461f48052 100644 --- a/packages/aws-cdk-lib/aws-route53/test/util.test.ts +++ b/packages/aws-cdk-lib/aws-route53/test/util.test.ts @@ -1,5 +1,6 @@ +import * as iam from '../../aws-iam'; import * as cdk from '../../core'; -import { HostedZone } from '../lib'; +import { GrantDelegationOptions, HostedZone } from '../lib'; import * as util from '../lib/util'; describe('util', () => { @@ -67,4 +68,168 @@ describe('util', () => { // THEN expect(qualified).toEqual('test.domain.com.'); }); + + test('grantDelegation without delegatedZoneNames returns ChangeResourceRecordSets statement without normalized record names condition', () => { + // GIVEN + const stack = new cdk.Stack(); + const grantee = new iam.User(stack, 'Grantee'); + const hostedZone = new HostedZone(stack, 'zone', { + zoneName: 'example.com', + }); + + // WHEN + const actual = util.makeGrantDelegation(grantee, hostedZone); + + // THEN + const statement = actual.principalStatements.find(x => x.actions.includes('route53:ChangeResourceRecordSets')); + expect(statement).not.toBeUndefined(); + expect(statement?.conditions).toEqual({ + 'ForAllValues:StringEquals': { + 'route53:ChangeResourceRecordSetsRecordTypes': ['NS'], + 'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'], + }, + }); + }); + + test('grantDelegation with delegatedZoneNames returns ChangeResourceRecordSets statement with normalized record names condition', () => { + // GIVEN + const stack = new cdk.Stack(); + const grantee = new iam.User(stack, 'Grantee'); + const hostedZone = new HostedZone(stack, 'zone', { + zoneName: 'example.com.', + }); + + // WHEN + const actual = util.makeGrantDelegation(grantee, hostedZone, { + delegatedZoneNames: ['gamma.example.com', 'beta.example.com'], + }); + + // THEN + const statement = actual.principalStatements.find(x => x.actions.includes('route53:ChangeResourceRecordSets')); + expect(statement).not.toBeUndefined(); + expect(statement?.conditions).toEqual({ + 'ForAllValues:StringEquals': { + 'route53:ChangeResourceRecordSetsRecordTypes': ['NS'], + 'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'], + 'route53:ChangeResourceRecordSetsNormalizedRecordNames': ['gamma.example.com', 'beta.example.com'], + }, + }); + }); + + test('grantDelegation with delegatedZoneNames returns ChangeResourceRecordSets statement with octal encoded zone name', () => { + // GIVEN + const stack = new cdk.Stack(); + const grantee = new iam.User(stack, 'Grantee'); + const hostedZone = new HostedZone(stack, 'zone', { + zoneName: 'example.com', + }); + + // WHEN + const actual = util.makeGrantDelegation(grantee, hostedZone, { + delegatedZoneNames: ['!"#$%&\'()*+,-/:;<=>?@[\]^_`{|}~.example.com'], + }); + + // THEN + const statement = actual.principalStatements.find(x => x.actions.includes('route53:ChangeResourceRecordSets')); + expect(statement).not.toBeUndefined(); + expect(statement?.conditions).toEqual({ + 'ForAllValues:StringEquals': { + 'route53:ChangeResourceRecordSetsRecordTypes': ['NS'], + 'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'], + 'route53:ChangeResourceRecordSetsNormalizedRecordNames': ['\\041\\042\\043\\044\\045\\046\\047\\050\\051\\052\\053\\054-\\057\\072\\073\\074\\075\\076\\077\\100\\133\\135\\136_\\140\\173\\174\\175\\176.example.com'], + }, + }); + }, + ); + + test('grantDelegation with token in delegatedZoneNames bypasses validation', () => { + // GIVEN + const stack = new cdk.Stack(); + const grantee = new iam.User(stack, 'Grantee'); + const hostedZone = new HostedZone(stack, 'zone', { + zoneName: 'example.com.', + }); + + // WHEN + const delegatedZoneName = cdk.Token.asAny('my-zone-name').toString(); + const actual = util.makeGrantDelegation(grantee, hostedZone, { + delegatedZoneNames: [delegatedZoneName], + }); + + // THEN + const statement = actual.principalStatements.find(x => x.actions.includes('route53:ChangeResourceRecordSets')); + expect(statement).not.toBeUndefined(); + expect(statement?.conditions).toEqual({ + 'ForAllValues:StringEquals': { + 'route53:ChangeResourceRecordSetsRecordTypes': ['NS'], + 'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'], + 'route53:ChangeResourceRecordSetsNormalizedRecordNames': [delegatedZoneName], + }, + }); + }); + + test('grantDelegation with token in delegatedZoneNames but suffixed with period fails validation', () => { + // GIVEN + const stack = new cdk.Stack(); + const grantee = new iam.User(stack, 'Grantee'); + const hostedZone = new HostedZone(stack, 'zone', { + zoneName: 'example.com.', + }); + + // WHEN + const opts: GrantDelegationOptions = { + delegatedZoneNames: [`${cdk.Token.asAny('my-zone-name').toString()}.`], + }; + + // THEN + expect(() => + util.makeGrantDelegation(grantee, hostedZone, opts), + ).toThrow(cdk.UnscopedValidationError); + }); + + test('grantDelegation with token in hosted zone partially bypasses validation', () => { + // GIVEN + const stack = new cdk.Stack(); + const grantee = new iam.User(stack, 'Grantee'); + const hostedZone = new HostedZone(stack, 'zone', { + zoneName: cdk.Token.asAny('my-zone-name').toString(), + }); + + // WHEN + const delegatedZoneName = 'bob.example.com'; + const actual = util.makeGrantDelegation(grantee, hostedZone, { + delegatedZoneNames: [delegatedZoneName], + }); + + // THEN + const statement = actual.principalStatements.find(x => x.actions.includes('route53:ChangeResourceRecordSets')); + expect(statement).not.toBeUndefined(); + expect(statement?.conditions).toEqual({ + 'ForAllValues:StringEquals': { + 'route53:ChangeResourceRecordSetsRecordTypes': ['NS'], + 'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'], + 'route53:ChangeResourceRecordSetsNormalizedRecordNames': [delegatedZoneName], + }, + }); + }); + + test.each([[' '], ['com'], ['example.com'], ['a.example.com.'], ['A.example.com']])( + 'grantDelegation with invalid delegated zone name \'%s\' throws UnscopedValidationError', + (invalidZoneName) => { + // GIVEN + const stack = new cdk.Stack(); + const grantee = new iam.User(stack, 'Grantee'); + const hostedZone = new HostedZone(stack, 'zone', { + zoneName: 'example.com', + }); + + // WHEN + const opts: GrantDelegationOptions = { delegatedZoneNames: [invalidZoneName] }; + + // THEN + expect(() => + util.makeGrantDelegation(grantee, hostedZone, opts), + ).toThrow(cdk.UnscopedValidationError); + }, + ); });