Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

route53-patterns for cross account DNS delegation

See original GitHub issue
PR Champion
#

Description

Context

As mention in https://github.com/aws/aws-cdk/issues/8776, It is quite common to securely manage DNS records in a multi accounts organization to have an APEX domain in a dedicated account and sub domains delegated to different accounts (per regions, per stages, per teams …).

Objectives

  • Easy setup
  • Secure top level domain
  • Developer freedom to create subdomains for new services

Glossary

In this RFC we will call the parent zone, the zone representing the higher level of the DNS domain (yourdomain.com for instance), and child zone the sub zone representing the sub DNS domain scoped to a specific sub account (such as dev.yourdomain.com for a dev account) and the service zone the sub zone representing the sub DNS domain scoped to a service instance in a specific child zone (app1.dev.yourdomain.com).

TL;DR;

This RFC propose the following flow

AWSBootstrapKit-Overview-DNS-setup-process-cdk-rfc-v2

API flow proposal 1

DNS account CDK stack

  1. create parent zone as usual

    const parentZone = new route53.PublicHostedZone(this, "TopZone", {
  zoneName: "yourdomain.com"
});

  2. create the subzones

    const devSubZone = new route53.DelegatableZone(this, "DevSubZone", {
  zoneName: "dev.yourdomain.com",
  parentZone: parentZone, // optional
  authorizedPrincipals: [accountPrincipals]
});

The last call will create:

  • a route 53 zone dev.yourdomain.com

  • a NS record in parentZone pointing to NS servers given by the dev.yourdomain.com

  • a role called <accounId>-<subzoneName>-dns-update assumable by the listed account principals and with the following permission:

      {
    resources: ["*"],
    resources: [devSubZone.hostedZoneArn],
    actions: [
      "route53:GetHostedZone",
      "route53:ChangeResourceRecordSets",
      "route53:TestDNSAnswer",
    ],
  }

Stage/team/region… specific account stack

const serviceDNSZone = new CrossAccountDelegatedZone(this, 'service1DNSZone', {
  parentZoneAccountId: dnsAccountId,
  targetRoleToAssume: targetRoleToAssume, // can potentially be deduced from defined roel name structure <accounId>-<subzoneName>-dns-update
  targetHostedZoneId: targetHostedZoneId, // can potentially deduced from zoneName ( with 'zoneName.split(".").splice(1).join(".")' ) + a ListHostedZonesByName call
  recordName: 'service1.dev.yourdomain.com'
        });

API proposal 2

Modify each record type (such as https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-route53.AaaaRecord.html) to have 1 new optional attribute: dnsAccountAssumeRole. This will enable cross accounts records creation and enable any kind of use case.

Maybe we can as well propose an additional trust principals to HostedZone https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-route53.IHostedZone.html to automatically create the assumeRole that allow its update.

Progress

  • Tracking Issue Created
  • RFC PR Created
  • Core Team Member Assigned
  • Initial Approval / Final Comment Period
  • Ready For Implementation
    • implementation issue 1
  • Resolved

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:5
  • Comments:5

github_iconTop GitHub Comments

1reaction
ayush987goyalcommented, Jan 28, 2021

Hi @flochaz and others,

An initial implementation of this functionality is pushed in https://github.com/aws/aws-cdk/pull/12680 Please do check it out and give it a try. You can create new feature requests if more customizations are needed.

Thanks, Ayush

1reaction
OperationalFallacycommented, Dec 17, 2020

Hi, I’m interested in this use case.

What do you think about levereging cdk pipeline for passing zone information around for delegation? Pipeline can deploy sub-zones first, maybe even in parallel. Then it runs cdk for tld and configures delegation using input from previous steps.

In this case there is no need for custom roles and cross account access, pipeline package can take care of it. Thanks!

Read more comments on GitHub >

github_iconTop Results From Across the Web

[Route53] Support for cross account DNS delegation #8776
Creating a global DNS structure across multiple accounts and delegating the regional zones into the right sub-accounts automatically. Proposed ...
Read more >
class CrossAccountZoneDelegationRecord (construct)
A Cross Account Zone Delegation record. Example. const subZone = new route53.PublicHostedZone(this, 'SubZone' ...
Read more >
How can I set up my HostedZone so that it delegates to a ...
The crossAccountZoneDelegationPrincipal gives access to accounts hosting subzones, to access your root zone and write delegation (NS) records ...
Read more >
Managing Route 53 in a Multi-Account Environment
How do we do this without granting access to the entire DNS zone in a single AWS account? We can use delegation. In...
Read more >
Can Route53 delegation sets be used cross-account? - Reddit
In the meantime, the first method you listed is a common & effective pattern for delegating administration of subdomains to other accounts.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

support code signing of assets

Next page

Context provider for cross-account CFN stack outputs