feat(route53): add support for grantDelegation on imported PublicHostedZone (#26333)

lpizzinidev · web-flow · commit a93af2fec36d · 2023-08-18T17:10:18.000Z
Imported `PublicHostedZone` with `fromPublicHostedZoneId` and `fromPublicHostedZoneAttributes` don't have support for the `grantDelegation` method since they return an instance of type `IPublicHostedZone`. This change adds support for `grantDelegation` to those instances as well. Closes #26240. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/aws-cdk-route53-cross-account-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/aws-cdk-route53-cross-account-integ.assets.json
@@ -14,15 +14,15 @@
         }
       }
     },
-    "3222f491727b0389ac87f972f2443b490ff3cee14d24c28f1527c3f085cab460": {
+    "52da24cb67101152630cedcc08830f183f595580f8a7f6fcef1e0aac216c7198": {
       "source": {
         "path": "aws-cdk-route53-cross-account-integ.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "3222f491727b0389ac87f972f2443b490ff3cee14d24c28f1527c3f085cab460.json",
+          "objectKey": "52da24cb67101152630cedcc08830f183f595580f8a7f6fcef1e0aac216c7198.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/aws-cdk-route53-cross-account-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/aws-cdk-route53-cross-account-integ.template.json
@@ -302,6 +302,86 @@
    ],
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"
+  },
+  "Role1ABCC5F0": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "RoleDefaultPolicy5FFB7DAB": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "route53:ChangeResourceRecordSets",
+       "Condition": {
+        "ForAllValues:StringEquals": {
+         "route53:ChangeResourceRecordSetsRecordTypes": [
+          "NS"
+         ],
+         "route53:ChangeResourceRecordSetsActions": [
+          "UPSERT",
+          "DELETE"
+         ]
+        }
+       },
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":route53:::hostedzone/imported-public-zone-id"
+         ]
+        ]
+       }
+      },
+      {
+       "Action": "route53:ListHostedZonesByName",
+       "Effect": "Allow",
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "RoleDefaultPolicy5FFB7DAB",
+    "Roles": [
+     {
+      "Ref": "Role1ABCC5F0"
+     }
+    ]
+   }
   }
  },
  "Parameters": {
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/manifest.json
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3222f491727b0389ac87f972f2443b490ff3cee14d24c28f1527c3f085cab460.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/52da24cb67101152630cedcc08830f183f595580f8a7f6fcef1e0aac216c7198.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -93,6 +93,18 @@
             "data": "DelegationWithZoneNameCrossAccountZoneDelegationCustomResourceA1A1C94A"
           }
         ],
+        "/aws-cdk-route53-cross-account-integ/Role/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "Role1ABCC5F0"
+          }
+        ],
+        "/aws-cdk-route53-cross-account-integ/Role/DefaultPolicy/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "RoleDefaultPolicy5FFB7DAB"
+          }
+        ],
         "/aws-cdk-route53-cross-account-integ/BootstrapVersion": [
           {
             "type": "aws:cdk:logicalId",
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.js.snapshot/tree.json
@@ -427,6 +427,138 @@
               "version": "0.0.0"
             }
           },
+          "Role": {
+            "id": "Role",
+            "path": "aws-cdk-route53-cross-account-integ/Role",
+            "children": {
+              "ImportRole": {
+                "id": "ImportRole",
+                "path": "aws-cdk-route53-cross-account-integ/Role/ImportRole",
+                "constructInfo": {
+                  "fqn": "aws-cdk-lib.Resource",
+                  "version": "0.0.0"
+                }
+              },
+              "Resource": {
+                "id": "Resource",
+                "path": "aws-cdk-route53-cross-account-integ/Role/Resource",
+                "attributes": {
+                  "aws:cdk:cloudformation:type": "AWS::IAM::Role",
+                  "aws:cdk:cloudformation:props": {
+                    "assumeRolePolicyDocument": {
+                      "Statement": [
+                        {
+                          "Action": "sts:AssumeRole",
+                          "Effect": "Allow",
+                          "Principal": {
+                            "AWS": {
+                              "Fn::Join": [
+                                "",
+                                [
+                                  "arn:",
+                                  {
+                                    "Ref": "AWS::Partition"
+                                  },
+                                  ":iam::",
+                                  {
+                                    "Ref": "AWS::AccountId"
+                                  },
+                                  ":root"
+                                ]
+                              ]
+                            }
+                          }
+                        }
+                      ],
+                      "Version": "2012-10-17"
+                    }
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "aws-cdk-lib.aws_iam.CfnRole",
+                  "version": "0.0.0"
+                }
+              },
+              "DefaultPolicy": {
+                "id": "DefaultPolicy",
+                "path": "aws-cdk-route53-cross-account-integ/Role/DefaultPolicy",
+                "children": {
+                  "Resource": {
+                    "id": "Resource",
+                    "path": "aws-cdk-route53-cross-account-integ/Role/DefaultPolicy/Resource",
+                    "attributes": {
+                      "aws:cdk:cloudformation:type": "AWS::IAM::Policy",
+                      "aws:cdk:cloudformation:props": {
+                        "policyDocument": {
+                          "Statement": [
+                            {
+                              "Action": "route53:ChangeResourceRecordSets",
+                              "Condition": {
+                                "ForAllValues:StringEquals": {
+                                  "route53:ChangeResourceRecordSetsRecordTypes": [
+                                    "NS"
+                                  ],
+                                  "route53:ChangeResourceRecordSetsActions": [
+                                    "UPSERT",
+                                    "DELETE"
+                                  ]
+                                }
+                              },
+                              "Effect": "Allow",
+                              "Resource": {
+                                "Fn::Join": [
+                                  "",
+                                  [
+                                    "arn:",
+                                    {
+                                      "Ref": "AWS::Partition"
+                                    },
+                                    ":route53:::hostedzone/imported-public-zone-id"
+                                  ]
+                                ]
+                              }
+                            },
+                            {
+                              "Action": "route53:ListHostedZonesByName",
+                              "Effect": "Allow",
+                              "Resource": "*"
+                            }
+                          ],
+                          "Version": "2012-10-17"
+                        },
+                        "policyName": "RoleDefaultPolicy5FFB7DAB",
+                        "roles": [
+                          {
+                            "Ref": "Role1ABCC5F0"
+                          }
+                        ]
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "aws-cdk-lib.aws_iam.CfnPolicy",
+                      "version": "0.0.0"
+                    }
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "aws-cdk-lib.aws_iam.Policy",
+                  "version": "0.0.0"
+                }
+              }
+            },
+            "constructInfo": {
+              "fqn": "aws-cdk-lib.aws_iam.Role",
+              "version": "0.0.0"
+            }
+          },
+          "ImportedPublicZone": {
+            "id": "ImportedPublicZone",
+            "path": "aws-cdk-route53-cross-account-integ/ImportedPublicZone",
+            "constructInfo": {
+              "fqn": "aws-cdk-lib.Resource",
+              "version": "0.0.0"
+            }
+          },
           "BootstrapVersion": {
             "id": "BootstrapVersion",
             "path": "aws-cdk-route53-cross-account-integ/BootstrapVersion",
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.cross-account-zone-delegation.ts
@@ -32,8 +32,16 @@ new CrossAccountZoneDelegationRecord(stack, 'DelegationWithZoneName', {
   delegationRole: parentZone.crossAccountZoneDelegationRole!,
 });
 
+const role = new iam.Role(stack, 'Role', {
+  assumedBy: new iam.AccountRootPrincipal(),
+});
+
+const importedPublicZone = PublicHostedZone.fromPublicHostedZoneId(stack, 'ImportedPublicZone', 'imported-public-zone-id');
+importedPublicZone.grantDelegation(role);
+
 new IntegTest(app, 'Route53CrossAccountInteg', {
   testCases: [stack],
   diffAssets: true,
 });
+
 app.synth();
diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md
@@ -980,8 +980,8 @@ Endpoint services support private DNS, which makes it easier for clients to conn
 You can enable private DNS on an endpoint service like so:
 
 ```ts
-import { HostedZone, VpcEndpointServiceDomainName } from 'aws-cdk-lib/aws-route53';
-declare const zone: HostedZone;
+import { PublicHostedZone, VpcEndpointServiceDomainName } from 'aws-cdk-lib/aws-route53';
+declare const zone: PublicHostedZone;
 declare const vpces: ec2.VpcEndpointService;
 
 new VpcEndpointServiceDomainName(this, 'EndpointDomain', {
diff --git a/packages/aws-cdk-lib/aws-route53/README.md b/packages/aws-cdk-lib/aws-route53/README.md
@@ -289,6 +289,20 @@ const zoneFromAttributes = route53.PublicHostedZone.fromPublicHostedZoneAttribut
 const zoneFromId = route53.PublicHostedZone.fromPublicHostedZoneId(this, 'MyZone', 'ZOJJZC49E0EPZ');
 ```
 
+You can use `CrossAccountZoneDelegationRecord` on imported Public Hosted Zones with the `grantDelegation` method:
+
+```ts
+const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
+  // The role name must be predictable
+  roleName: 'MyDelegationRole',
+  // The other account
+  assumedBy: new iam.AccountPrincipal('12345678901'),
+});
+
+const zoneFromId = route53.PublicHostedZone.fromPublicHostedZoneId(this, 'MyZone', 'ZOJJZC49E0EPZ');
+zoneFromId.grantDelegation(crossAccountRole);
+```
+
 ## VPC Endpoint Service Private DNS
 
 When you create a VPC endpoint service, AWS generates endpoint-specific DNS hostnames that consumers use to communicate with the service.
diff --git a/packages/aws-cdk-lib/aws-route53/lib/hosted-zone.ts b/packages/aws-cdk-lib/aws-route53/lib/hosted-zone.ts
@@ -3,7 +3,7 @@ import { HostedZoneProviderProps } from './hosted-zone-provider';
 import { HostedZoneAttributes, IHostedZone, PublicHostedZoneAttributes } from './hosted-zone-ref';
 import { CaaAmazonRecord, ZoneDelegationRecord } from './record-set';
 import { CfnHostedZone } from './route53.generated';
-import { makeHostedZoneArn, validateZoneName } from './util';
+import { makeGrantDelegation, makeHostedZoneArn, validateZoneName } from './util';
 import * as ec2 from '../../aws-ec2';
 import * as iam from '../../aws-iam';
 import * as cxschema from '../../cloud-assembly-schema';
@@ -238,7 +238,12 @@ export interface PublicHostedZoneProps extends CommonHostedZoneProps {
 /**
  * Represents a Route 53 public hosted zone
  */
-export interface IPublicHostedZone extends IHostedZone { }
+export interface IPublicHostedZone extends IHostedZone {
+  /**
+   * Grant permissions to add delegation records to this zone
+   */
+  grantDelegation(grantee: iam.IGrantable): iam.Grant;
+}
 
 /**
  * Create a Route53 public hosted zone.
@@ -264,6 +269,9 @@ export class PublicHostedZone extends HostedZone implements IPublicHostedZone {
       public get hostedZoneArn(): string {
         return makeHostedZoneArn(this, this.hostedZoneId);
       }
+      public grantDelegation(grantee: iam.IGrantable): iam.Grant {
+        return makeGrantDelegation(grantee, this.hostedZoneArn);
+      };
     }
     return new Import(scope, id);
   }
@@ -284,6 +292,9 @@ export class PublicHostedZone extends HostedZone implements IPublicHostedZone {
       public get hostedZoneArn(): string {
         return makeHostedZoneArn(this, this.hostedZoneId);
       }
+      public grantDelegation(grantee: iam.IGrantable): iam.Grant {
+        return makeGrantDelegation(grantee, this.hostedZoneArn);
+      };
     }
     return new Import(scope, id);
   }
@@ -354,28 +365,8 @@ export class PublicHostedZone extends HostedZone implements IPublicHostedZone {
     });
   }
 
-  /**
-   * Grant permissions to add delegation records to this zone
-   */
-  public grantDelegation(grantee: iam.IGrantable) {
-    const g1 = iam.Grant.addToPrincipal({
-      grantee,
-      actions: ['route53:ChangeResourceRecordSets'],
-      resourceArns: [this.hostedZoneArn],
-      conditions: {
-        'ForAllValues:StringEquals': {
-          'route53:ChangeResourceRecordSetsRecordTypes': ['NS'],
-          'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'],
-        },
-      },
-    });
-    const g2 = iam.Grant.addToPrincipal({
-      grantee,
-      actions: ['route53:ListHostedZonesByName'],
-      resourceArns: ['*'],
-    });
-
-    return g1.combine(g2);
+  public grantDelegation(grantee: iam.IGrantable): iam.Grant {
+    return makeGrantDelegation(grantee, this.hostedZoneArn);
   }
 }
 
diff --git a/packages/aws-cdk-lib/aws-route53/lib/util.ts b/packages/aws-cdk-lib/aws-route53/lib/util.ts
diff --git a/packages/aws-cdk-lib/aws-route53/test/hosted-zone.test.ts b/packages/aws-cdk-lib/aws-route53/test/hosted-zone.test.ts

Original file line number	Diff line number	Diff line change
`@@ -14,15 +14,15 @@`
`14`	`14`	`}`
`15`	`15`	`}`
`16`	`16`	`},`
`17`		`- "3222f491727b0389ac87f972f2443b490ff3cee14d24c28f1527c3f085cab460": {`
	`17`	`+ "52da24cb67101152630cedcc08830f183f595580f8a7f6fcef1e0aac216c7198": {`
`18`	`18`	`"source": {`
`19`	`19`	`"path": "aws-cdk-route53-cross-account-integ.template.json",`
`20`	`20`	`"packaging": "file"`
`21`	`21`	`},`
`22`	`22`	`"destinations": {`
`23`	`23`	`"current_account-current_region": {`
`24`	`24`	`"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",`
`25`		`- "objectKey": "3222f491727b0389ac87f972f2443b490ff3cee14d24c28f1527c3f085cab460.json",`
	`25`	`+ "objectKey": "52da24cb67101152630cedcc08830f183f595580f8a7f6fcef1e0aac216c7198.json",`
`26`	`26`	`"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"`
`27`	`27`	`}`
`28`	`28`	`}`