CrossAccountZoneDelegationRecord: Validation fails for public and private hosted zone with the same name #30262

Closed
ENM185 opened this issue May 17, 2024 · 5 comments · Fixed by #30439 · 4 remaining pull requests
Assignees
Labels
@aws-cdk/aws-route53 Related to Amazon Route 53 bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@ENM185

ENM185 commented May 17, 2024

Describe the bug

CrossAccountZoneDelegationRecord complains about more than 1 matching zone when only one of them is public.

Expected Behavior

Validate that there is only one public hosted zone matching the name.

Current Behavior

Validates that there is only one (no filter by public) hosted zone matching the name. The logic is here:

const zones = await route53.listHostedZonesByName({ DNSName: name });

Reproduction Steps

Create a public and private hosted zone in one account with the same name and then a CrossAccountZoneDelegationRecord in the other.

Possible Solution

Filter by public hosted zone here:

const zones = await route53.listHostedZonesByName({ DNSName: name });

Additional Information/Context

No response

CDK CLI Version

2.136.0

Framework Version

No response

Node.js Version

8.19.4

OS

Linux

Language

TypeScript

Language Version

No response

Other information

No response

@ENM185 ENM185 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 17, 2024
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label May 17, 2024
@ENM185 ENM185 changed the title (module name): (short issue description) CrossAccountZoneDelegationRecord: Validation fails for public and private hosted zone with the same name May 17, 2024
@ashishdhingra ashishdhingra self-assigned this May 20, 2024
@ashishdhingra ashishdhingra added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels May 20, 2024
@ashishdhingra
Contributor

@ENM185 Good afternoon. Thanks for reporting the issue. Could you please share the following:

  • Sample CDK code to reproduce the issue.
  • Does cdk synth run fine, or does it give the above validation error?
  • Does the error occur when using the latest version of CDK?

I came across useful article https://stackoverflow.com/questions/66616710/how-can-i-set-up-my-hostedzone-so-that-it-delegates-to-a-parent-dns-record-in-an but it would be good to reproduce the issue end-to-end based on your sample code.

Thanks,
Ashish

@ashishdhingra ashishdhingra added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 20, 2024
@ENM185
Author

ENM185 commented May 20, 2024

cdk synth does not report this error, and it still occurs with the latest version.

I don't think it's useful to provide a CDK example as this is a cross-account issue. To reproduce, create two hosted zones with the same name in one account, one public and one private. Then use the CrossAccountZoneDelegationRecord construct in the other account, where parentHostedZoneName is the same as the zone specified in the first account.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 21, 2024
@ashishdhingra
Contributor

Reproducible with the following steps:

  • Manually create parent hosted zones - one public and one private (let's assume domain name is test-parent-cdk.com) in parent account.
  • Configure a named profile in AWS ~/.aws/credentials file (let's call it parent-account-profile).
  • Create and deploy below CDK stack for parent account using cdk deploy --profile parent-account-profile:
    import * as cdk from 'aws-cdk-lib';
    import { Construct } from 'constructs';
    import * as iam from 'aws-cdk-lib/aws-iam';
    import * as route53 from 'aws-cdk-lib/aws-route53';
    
    export class Issue30262ParentAccountStack extends cdk.Stack {
      constructor(scope: Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);
    
        // Get the Route53 zone based on public hosted zone ID
        const hostedZone = route53.PublicHostedZone.fromHostedZoneId(this, 'parentHostedZone', 'Z0051334ZNUQJBHW4IEM'); //'test-parent-cdk.com');
    
        // Create the role
        const role = new iam.Role(this, 'RootZoneOrganizationRole', {
          assumedBy: new iam.AccountPrincipal('<<PARENT_ACCOUNT_ID>>'),
          roleName: 'Test-CDK-HostedZoneDelegationRole',
        });
    
        // Grant the delegation
        hostedZone.grantDelegation(role);
      }
    }
    This would create role named Test-CDK-HostedZoneDelegationRole in the parent account.
  • Create another CDK stack for sub zone account.
    import * as cdk from 'aws-cdk-lib';
    import { Construct } from 'constructs';
    import * as iam from 'aws-cdk-lib/aws-iam';
    import * as route53 from 'aws-cdk-lib/aws-route53';
    
    export class Issue30262SubZoneStack extends cdk.Stack {
      constructor(scope: Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);
    
        const subZone = new route53.PublicHostedZone(this, 'SubZone', {
          zoneName: 'sub.someexample.com',
        });
    
        // import the delegation role by constructing the roleArn
        const delegationRoleArn = cdk.Stack.of(this).formatArn({
          region: '', // IAM is global in each partition
          service: 'iam',
          account: '<<<<PARENT_ACCOUNT_ID>>>>', //'parent-account-id'
          resource: 'role',
          resourceName: 'Test-CDK-HostedZoneDelegationRole',
        });
        const delegationRole = iam.Role.fromRoleArn(this, 'DelegationRole', delegationRoleArn);
    
        // create the record
        new route53.CrossAccountZoneDelegationRecord(this, 'delegate', {
          delegatedZone: subZone,
          parentHostedZoneName: 'test-parent-cdk.com', // or you can use parentHostedZoneId
          delegationRole,
        });
      }
    }
  • Configure a named profile in AWS ~/.aws/credentials file (let's call it subzone-account-profile).
  • Run cdk synth --profile subzone-account-profile. It works fine, outputting the CloudFormation template.
  • Run cdk deploy --profile subzone-account-profile. CDK deployment in this sub zone account rolls back (also noticed in the AWS CloudFormation console) with the below error during creation of delegateCrossAccountZoneDelegationCustomResource23BD590B:
      2:02:00 PM | CREATE_FAILED        | Custom::CrossAccountZoneDelegation | delegateCrossAccou...omResource23BD590B
      Received response status [FAILED] from custom resource. Message returned: Error: Expected one hosted zone to match the given name but found 2
      at S (/var/task/index.js:1:1635)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async r (/var/task/index.js:1:1294)
      at async Runtime.handler (/var/task/__entrypoint__.js:1:932) (RequestId: 98b35673-2aa6-4f90-83c7-8f8edf654107)

@ashishdhingra ashishdhingra added p1 effort/medium Medium work item – several days of effort and removed needs-reproduction This issue needs reproduction. labels May 21, 2024
@ashishdhingra ashishdhingra removed their assignment May 21, 2024
@ashishdhingra ashishdhingra added @aws-cdk/aws-route53 Related to Amazon Route 53 and removed package/tools Related to AWS CDK Tools or CLI labels May 21, 2024
@samson-keung samson-keung self-assigned this May 29, 2024
@mergify mergify bot closed this as completed in #30439 Jun 11, 2024
mergify bot pushed a commit that referenced this issue Jun 11, 2024
…ith same name (#30439)

### Issue # (if applicable)

Closes #30262.

### Reason for this change

Route53 does not support subdomain delegation on Private Hosted Zones ([source](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-considerations.html#hosted-zone-private-considerations-delegating-subdomain)). `CrossAccountZoneDelegationRecord` should ignore Private Hosted Zones instead of throwing error.

### Description of changes

In `CrossAccountZoneDelegationRecord` handler, filter out Private Hosted Zones.

### Description of how you validated changes

Deployed a stack that uses the updated `CrossAccountZoneDelegationRecord` handler where the parent account has both public and private hosted zones with the same domain name.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
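The lookup the PR description refers to, as an added example (not the aws-cdk handler's own code, and not from the issue): a reconstruction of the name-based hosted zone lookup in its original form and with private zones filtered out, as the "Possible Solution" above and the PR ask. The HostedZone shape follows the Route 53 ListHostedZonesByName response; the zone list is constructed.

```typescript
// Added example (not the aws-cdk handler's code): the hosted-zone lookup the
// CrossAccountZoneDelegationRecord custom resource performs, in its original
// form and with the fix from #30439 (ignore private zones).
interface HostedZone {
  Id: string;
  Name: string;                      // Route 53 returns names with a trailing dot
  Config?: { PrivateZone?: boolean };
}

// Constructed sample: one public and one private zone share a name, plus an
// unrelated zone that ListHostedZonesByName would also return (it lists zones
// in lexicographic order starting at DNSName, not only exact matches).
const sampleZones: HostedZone[] = [
  { Id: "/hostedzone/ZPUBLIC000000", Name: "test-parent-cdk.com.", Config: { PrivateZone: false } },
  { Id: "/hostedzone/ZPRIVATE00000", Name: "test-parent-cdk.com.", Config: { PrivateZone: true } },
  { Id: "/hostedzone/ZOTHER0000000", Name: "test-parent-cdkz.com.", Config: { PrivateZone: false } },
];

function normalize(name: string): string {
  return name.endsWith(".") ? name : `${name}.`;
}

// Original behaviour: every zone whose name matches counts, so a private zone
// with the same name raises the count to 2 and the lookup throws.
function getHostedZoneIdByNameOriginal(zones: HostedZone[], name: string): string {
  const matched = zones.filter((z) => z.Name === normalize(name));
  if (matched.length !== 1) {
    throw new Error(`Expected one hosted zone to match the given name but found ${matched.length}`);
  }
  return matched[0].Id;
}

// Fixed behaviour: private zones cannot delegate subdomains, so they are excluded
// before the uniqueness check. The check itself stays: two public zones with the
// same name remain ambiguous and remain an error, as does finding none at all.
function getHostedZoneIdByNameFixed(zones: HostedZone[], name: string): string {
  const matched = zones.filter((z) => z.Name === normalize(name) && !z.Config?.PrivateZone);
  if (matched.length !== 1) {
    throw new Error(`Expected one public hosted zone to match the given name but found ${matched.length}`);
  }
  return matched[0].Id;
}
```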

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

mazyu36 pushed a commit to mazyu36/aws-cdk that referenced this issue Jun 22, 2024
@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024