Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(route53resolver-alpha): fetch managed domain list id using custom resource #27085

Closed
wants to merge 32 commits into from
Closed

feat(route53resolver-alpha): fetch managed domain list id using custom resource #27085

wants to merge 32 commits into from

Conversation

clueleaf
Copy link
Contributor

Currently you have to specify the managed domain list ID manually in order to use it in a DNS firewall rule.
This PR adds a custom resource that finds the ID from a managed domain list name, along with a new FirewallManagedDomainList class that creates the custom resource and implements IFirewallDomainList.

Closes #25614

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 valued-contributor [Pilot] contributed between 6-12 PRs to the CDK labels Sep 10, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team September 10, 2023 05:05
aws-cdk-automation
aws-cdk-automation previously requested changes Sep 10, 2023
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation added pr/reviewer-clarification-requested The contributor has requested clarification on feedback, a failing build, or a failing PR Linter run pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Sep 10, 2023
@aws-cdk-automation aws-cdk-automation dismissed their stale review September 10, 2023 11:52

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation removed the pr/reviewer-clarification-requested The contributor has requested clarification on feedback, a failing build, or a failing PR Linter run label Sep 10, 2023
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@github-actions github-actions bot mentioned this pull request Oct 1, 2023
Closed
clueleaf and others added 4 commits October 1, 2023 17:05
@clueleaf
Merge branch 'main' into feat/route53resolver
fcd82d6 
# Conflicts:
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/LambdaNodeJsLatestIntegDefaultTestDeployAssertD40B5C28.assets.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/LambdaNodeJsLatestIntegDefaultTestDeployAssertD40B5C28.template.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.0b3f5699e02d713af8ae5766d9389821142c47d17818a940c2cf9b314b1f869d/index.js
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.0b3f5699e02d713af8ae5766d9389821142c47d17818a940c2cf9b314b1f869d/node_modules/.yarn-integrity
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.0b3f5699e02d713af8ae5766d9389821142c47d17818a940c2cf9b314b1f869d/node_modules/delay/index.d.ts
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.0b3f5699e02d713af8ae5766d9389821142c47d17818a940c2cf9b314b1f869d/node_modules/delay/index.js
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.0b3f5699e02d713af8ae5766d9389821142c47d17818a940c2cf9b314b1f869d/node_modules/delay/license
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.0b3f5699e02d713af8ae5766d9389821142c47d17818a940c2cf9b314b1f869d/node_modules/delay/package.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.0b3f5699e02d713af8ae5766d9389821142c47d17818a940c2cf9b314b1f869d/node_modules/delay/readme.md
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.0b3f5699e02d713af8ae5766d9389821142c47d17818a940c2cf9b314b1f869d/package.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.0b3f5699e02d713af8ae5766d9389821142c47d17818a940c2cf9b314b1f869d/yarn.lock
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.4364f9f746d12ebe3971915c6d21f444f56a624c83b24a0a0eb3ad111da37fa0.bundle/index.js
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.5c2c08a7bf5b5beff386f4f0bd21f6e002dda28002148757b3d572b235414e5c/node_modules/.yarn-integrity
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.5c2c08a7bf5b5beff386f4f0bd21f6e002dda28002148757b3d572b235414e5c/node_modules/delay/index.d.ts
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.5c2c08a7bf5b5beff386f4f0bd21f6e002dda28002148757b3d572b235414e5c/node_modules/delay/index.js
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.5c2c08a7bf5b5beff386f4f0bd21f6e002dda28002148757b3d572b235414e5c/node_modules/delay/license
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.5c2c08a7bf5b5beff386f4f0bd21f6e002dda28002148757b3d572b235414e5c/node_modules/delay/package.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.5c2c08a7bf5b5beff386f4f0bd21f6e002dda28002148757b3d572b235414e5c/node_modules/delay/readme.md
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.5c2c08a7bf5b5beff386f4f0bd21f6e002dda28002148757b3d572b235414e5c/package.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.5c2c08a7bf5b5beff386f4f0bd21f6e002dda28002148757b3d572b235414e5c/yarn.lock
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.857be83e8ab6a1d9b812ae68df0a948fd5fcd6ee578ae2c7793512fdbe647611/node_modules/.yarn-integrity
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.857be83e8ab6a1d9b812ae68df0a948fd5fcd6ee578ae2c7793512fdbe647611/node_modules/delay/index.d.ts
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.857be83e8ab6a1d9b812ae68df0a948fd5fcd6ee578ae2c7793512fdbe647611/node_modules/delay/index.js
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.857be83e8ab6a1d9b812ae68df0a948fd5fcd6ee578ae2c7793512fdbe647611/node_modules/delay/license
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.857be83e8ab6a1d9b812ae68df0a948fd5fcd6ee578ae2c7793512fdbe647611/node_modules/delay/package.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.857be83e8ab6a1d9b812ae68df0a948fd5fcd6ee578ae2c7793512fdbe647611/node_modules/delay/readme.md
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.857be83e8ab6a1d9b812ae68df0a948fd5fcd6ee578ae2c7793512fdbe647611/package.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.857be83e8ab6a1d9b812ae68df0a948fd5fcd6ee578ae2c7793512fdbe647611/yarn.lock
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/asset.b7c985ebfbf370ce93607a33c3851adc0b2b6a530f4c06be487e3c2ec3c06c39.bundle/index.js
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/cdk-integ-lambda-nodejs-latest.assets.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/cdk-integ-lambda-nodejs-latest.template.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/manifest.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-lambda-nodejs/test/integ.latest.js.snapshot/tree.json
#	packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.intrinsics.js.snapshot/asset.b7c985ebfbf370ce93607a33c3851adc0b2b6a530f4c06be487e3c2ec3c06c39.bundle/index.js
#	packages/@aws-cdk/custom-resource-handlers/package.json
#	yarn.lock
@clueleaf
remove unnecessary files
861c0e9
@clueleaf
add @resource doc tag
d5538a5
@vinayak-kukreja
Merge branch 'main' into feat/route53resolver
ea4b833
lpizzinidev
lpizzinidev suggested changes Oct 27, 2023
View reviewed changes
Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks (and sorry for the late review) 👍
Looks good!
Just some minor adjustments to be made in my opinion.

packages/@aws-cdk/aws-route53resolver-alpha/lib/firewall-managed-domain-list.ts Outdated
Comment on lines 61 to 62
* and DNS tunneling to help block multiple types of threats.
* Includes the `AmazonGuardDutyThreatList.`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* and DNS tunneling to help block multiple types of threats.
* Includes the `AmazonGuardDutyThreatList.`
* and DNS tunneling to help block multiple types of threats.
*
* Includes the `AmazonGuardDutyThreatList`.

packages/@aws-cdk/aws-route53resolver-alpha/lib/firewall-managed-domain-list.ts Outdated
Comment on lines 67 to 68
* Domains associated with Amazon GuardDuty DNS security findings.
* The domains are sourced from the GuardDuty's threat intelligence systems only,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Domains associated with Amazon GuardDuty DNS security findings.
* The domains are sourced from the GuardDuty's threat intelligence systems only,
* Domains associated with Amazon GuardDuty DNS security findings.
*
* The domains are sourced from the GuardDuty's threat intelligence systems only,

packages/@aws-cdk/aws-route53resolver-alpha/test/firewall-managed-domain-list.test.ts Outdated
},
],
});
Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {});
Template.fromStack(stack).resourceCountIs('AWS::Lambda::Function', 1);

More appropriate assertion.

packages/@aws-cdk/aws-route53resolver-alpha/lib/firewall-managed-domain-list.ts Outdated
}],
});

const result = new CustomResource(this, 'GetDomainListCustomResource', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const result = new CustomResource(this, 'GetDomainListCustomResource', {
const resource = new CustomResource(this, 'GetDomainListCustomResource', {

Naming.

packages/@aws-cdk/aws-route53resolver-alpha/lib/firewall-managed-domain-list.ts Outdated
},
});

this.firewallDomainListId = result.getAttString('DomainListId');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
this.firewallDomainListId = result.getAttString('DomainListId');
this.firewallDomainListId = resource.getAttString('DomainListId');

.../custom-resource-handlers/lib/aws-route53resolver-alpha/managed-domain-list-handler/index.ts Outdated
switch (event.RequestType) {
case 'Create':
case 'Update':
const domainListName = event.ResourceProperties?.DomainListName;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const domainListName = event.ResourceProperties?.DomainListName;
const domainListName = event.ResourceProperties.DomainListName;

Non-optional.

.../custom-resource-handlers/lib/aws-route53resolver-alpha/managed-domain-list-handler/index.ts Outdated
const domainListId = domainLists.find((domainList) =>
domainList.ManagedOwnerName === 'Route 53 Resolver DNS Firewall'
&& domainList.Name === domainListName,
)?.Id ?? undefined;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
)?.Id ?? undefined;
)?.Id;

Redundant.

.../custom-resource-handlers/lib/aws-route53resolver-alpha/managed-domain-list-handler/index.ts Outdated
/**
* Get all domain lists recursively
*/
async function listDomainLists(nextToken? :string): Promise<FirewallDomainListMetadata[]> {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
async function listDomainLists(nextToken? :string): Promise<FirewallDomainListMetadata[]> {
async function listDomainLists(nextToken?: string): Promise<FirewallDomainListMetadata[]> {

...pshot/asset.b7c985ebfbf370ce93607a33c3851adc0b2b6a530f4c06be487e3c2ec3c06c39.bundle/index.js Outdated
@@ -1,3 +1,4 @@
"use strict";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this file be included?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was committed unintentionally. Reverted it.

@clueleaf
Copy link
Contributor Author

@lpizzinidev Thanks for your detailed review! I think your suggestions are all applied.

lpizzinidev
lpizzinidev approved these changes Oct 28, 2023
View reviewed changes
Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Oct 28, 2023
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

7 similar comments
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 9d296b5
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@aws-cdk-automation
Copy link
Collaborator

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

@aws-cdk-automation aws-cdk-automation added the closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. label Dec 17, 2023
@clueleaf clueleaf deleted the feat/route53resolver branch January 19, 2025 10:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lpizzinidev lpizzinidev lpizzinidev approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees
No one assigned
Labels
closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 pr/needs-maintainer-review This PR needs a review from a Core Team Member valued-contributor [Pilot] contributed between 6-12 PRs to the CDK
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

route53resolver: Automatically pulling the ID for an AWS Managed Domain List
6 participants
@clueleaf @aws-cdk-automation @lpizzinidev @vinayak-kukreja @cgarvis @sumupitchayan