import * as core from '@aws-cdk/core';
import * as route53 from '@aws-cdk/aws-route53';
import {CrossAccountZoneDelegationRecord} from "./cross-account-zone-delegation-record";
 
/**
 * Properties for creating a delegated sub-zone of a parent zone hosted in a different account.
 */
export interface ICrossAccountDNSDelegatorProps {
    /**
     * The AWS account ID hosting the parent zone.
     * Optional: the construct passes it through unchanged, and the original
     * documentation states it can be resolved when the system has been set up
     * with aws-bootstrap-kit.
     */
    targetAccount?: string;
    /**
     * Name of the role to assume in the parent zone's account; it must be allowed
     * to update the parent zone (see the class documentation for the minimal
     * permissions).
     * Optional: same resolution rule as `targetAccount`.
     */
    targetRoleToAssume?: string;
    /**
     * ID of the parent hosted zone that receives the sub-zone's NS delegation record.
     * Optional: same resolution rule as `targetAccount`.
     */
    targetHostedZoneId?: string;
    /**
     * Fully qualified name of the sub-zone to create; it is also used as the
     * delegation record name in the parent zone.
     */
    zoneName: string;
}
 
/**
 * TODO: propose this to fix https://github.com/aws/aws-cdk/issues/8776
 * High-level construct that creates:
 * 1. A public hosted zone for the sub-zone in the current account
 * 2. An NS delegation record for that sub-zone in the parent hosted zone of the target account
 *
 * Usage:
 * Create a role with the following permission:
 * {
 *      "Sid": "VisualEditor0",
 *      "Effect": "Allow",
 *      "Action": [
 *          "route53:GetHostedZone",
 *          "route53:ChangeResourceRecordSets"
 *      ],
 *      "Resource": "arn:aws:route53:::hostedzone/ZXXXXXXXXX"
 * }
 *
 * Then use the construct like this:
 *
 * const crossAccountDNSDelegatorProps: ICrossAccountDNSDelegatorProps = {
 *      targetAccount: '1234567890',
 *      targetRoleToAssume: 'DelegateRecordUpdateRoleInThatAccount',
 *      targetHostedZoneId: 'ZXXXXXXXXX',
 *      zoneName: 'subdomain.mydomain.com',
 * };
 *
 * new CrossAccountDNSDelegator(this, 'CrossAccountDNSDelegatorStack', crossAccountDNSDelegatorProps);
 */
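export class CrossAccountDNSDelegator extends core.Construct {
    /** The public hosted zone created in the current account for `props.zoneName`. */
    readonly hostedZone: route53.HostedZone;

    /**
     * Creates the sub-zone in this account and a delegation record for it in the
     * parent zone owned by the target account.
     *
     * @param scope - the enclosing construct
     * @param id - the construct id within `scope`
     * @param props - see {@link ICrossAccountDNSDelegatorProps}; the three
     *   `target*` values are forwarded unchanged, including when undefined
     * @throws Error if the created hosted zone exposes no name servers, since a
     *   delegation record cannot be built without them
     */
    constructor(scope: core.Construct, id: string, props: ICrossAccountDNSDelegatorProps) {
        super(scope, id);

        const { targetAccount, targetRoleToAssume, targetHostedZoneId, zoneName } = props;

        // Construct id 'HostedZone' is part of the resource's logical id; keep it stable.
        this.hostedZone = new route53.HostedZone(this, 'HostedZone', { zoneName });

        // `hostedZoneNameServers` is optional on the CDK type. Check it explicitly so a
        // missing value fails at synth time instead of being forwarded as `undefined`.
        const delegatedNameServers = this.hostedZone.hostedZoneNameServers;
        if (delegatedNameServers === undefined) {
            throw new Error(
                `Hosted zone '${zoneName}' did not expose name servers; cannot create a delegation record`,
            );
        }

        // The delegation record is written in the parent zone's account, so it is told
        // which account owns the sub-zone (this stack's account).
        new CrossAccountZoneDelegationRecord(this, 'CrossAccountZoneDelegationRecord', {
            targetAccount,
            targetRoleToAssume,
            targetHostedZoneId,
            recordName: zoneName,
            toDelegateNameServers: delegatedNameServers,
            currentAccountId: core.Stack.of(this).account,
        });
    }
}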