fix(route53): CrossAccountZoneDelegationRecord is still using Node 16 #26980

Merged
merged 16 commits into from
Sep 5, 2023
Merged
@@ -1,5 +1,7 @@
// eslint-disable-next-line import/no-extraneous-dependencies
import { Credentials, Route53, STS } from 'aws-sdk';
import { Route53 } from '@aws-sdk/client-route-53';
// eslint-disable-next-line import/no-extraneous-dependencies
import { fromTemporaryCredentials } from '@aws-sdk/credential-providers';

interface ResourceProperties {
AssumeRoleArn: string,
Expand Down Expand Up @@ -30,8 +32,19 @@ async function cfnEventHandler(props: ResourceProperties, isDeleteEvent: boolean
throw Error('One of ParentZoneId or ParentZoneName must be specified');
}

const credentials = await getCrossAccountCredentials(AssumeRoleArn, !!UseRegionalStsEndpoint);
const route53 = new Route53({ credentials });
const timestamp = (new Date()).getTime();
const route53 = new Route53({
credentials: fromTemporaryCredentials({
clientConfig: {
useGlobalEndpoint: !UseRegionalStsEndpoint,
region: 'us-east-1', // hardcoding is one option to avoid denied permission errors
},
params: {
RoleArn: AssumeRoleArn,
RoleSessionName: `cross-account-zone-delegation-${timestamp}`,
},
}),
});

const parentZoneId = ParentZoneId ?? await getHostedZoneIdByName(ParentZoneName!, route53);

Expand All @@ -48,38 +61,17 @@ async function cfnEventHandler(props: ResourceProperties, isDeleteEvent: boolean
},
}],
},
}).promise();
}

async function getCrossAccountCredentials(roleArn: string, regionalEndpoint: boolean): Promise<Credentials> {
const sts = new STS(regionalEndpoint ? { stsRegionalEndpoints: 'regional' } : {});
const timestamp = (new Date()).getTime();

const { Credentials: assumedCredentials } = await sts
.assumeRole({
RoleArn: roleArn,
RoleSessionName: `cross-account-zone-delegation-${timestamp}`,
})
.promise();

if (!assumedCredentials) {
throw Error('Error getting assume role credentials');
}

return new Credentials({
accessKeyId: assumedCredentials.AccessKeyId,
secretAccessKey: assumedCredentials.SecretAccessKey,
sessionToken: assumedCredentials.SessionToken,
});
}

async function getHostedZoneIdByName(name: string, route53: Route53): Promise<string> {
const zones = await route53.listHostedZonesByName({ DNSName: name }).promise();
const matchedZones = zones.HostedZones.filter(zone => zone.Name === `${name}.`);
const zones = await route53.listHostedZonesByName({ DNSName: name });
const matchedZones = zones.HostedZones?.filter(zone => zone.Name === `${name}.`) ?? [];

if (matchedZones.length !== 1) {
if (matchedZones && matchedZones.length !== 1) {
throw Error(`Expected one hosted zone to match the given name but found ${matchedZones.length}`);
}

return matchedZones[0].Id;
}
// will always be defined because we throw if length !==1
return matchedZones[0].Id!;
}
4 changes: 2 additions & 2 deletions packages/aws-cdk-lib/aws-route53/lib/record-set.ts
Expand Up @@ -795,7 +795,7 @@ export class CrossAccountZoneDelegationRecord extends Construct {

const provider = CustomResourceProvider.getOrCreateProvider(this, CROSS_ACCOUNT_ZONE_DELEGATION_RESOURCE_TYPE, {
codeDirectory: path.join(__dirname, 'cross-account-zone-delegation-handler'),
runtime: CustomResourceProviderRuntime.NODEJS_16_X,
runtime: CustomResourceProviderRuntime.NODEJS_18_X,
});

const role = iam.Role.fromRoleArn(this, 'cross-account-zone-delegation-handler-role', provider.roleArn);
Expand All @@ -819,7 +819,7 @@ export class CrossAccountZoneDelegationRecord extends Construct {
DelegatedZoneName: props.delegatedZone.zoneName,
DelegatedZoneNameServers: props.delegatedZone.hostedZoneNameServers!,
TTL: (props.ttl || Duration.days(2)).toSeconds(),
UseRegionalStsEndpoint: useRegionalStsEndpoint ? 'true' : undefined,
UseRegionalStsEndpoint: useRegionalStsEndpoint ? 'true' : undefined, // does this matter?
},
});
