fix(route53): add vpce:AllowMultiRegion permission to VpcEndpointServiceDomainName

When using VpcEndpointServiceDomainName with a VpcEndpointService that has
cross-region PrivateLink enabled via allowedRegions, the custom resource
Lambda fails because the IAM policy is missing the vpce:AllowMultiRegion
permission.

This change updates the EnableDns custom resource to use an explicit policy
with both ec2:ModifyVpcEndpointServiceConfiguration and vpce:AllowMultiRegion
permissions, scoped to the specific VPC endpoint service resource.

Fixes #36216

Author: Tiago Queiroz

packages/aws-cdk-lib/aws-route53/lib/vpc-endpoint-service-domain-name.ts

@@ -1,5 +1,6 @@
 import { Construct } from 'constructs';
 import { IVPCEndpointServiceRef } from '../../aws-ec2';
+import * as iam from '../../aws-iam';
 import { Fn, Names, Stack } from '../../core';
 import { ValidationError } from '../../core/lib/errors';
 import { md5hash } from '../../core/lib/helpers-internal';
@@ -109,25 +110,28 @@ export class VpcEndpointServiceDomainName extends Construct {
         RemovePrivateDnsName: true,
       },
     };
+    const serviceArn = Fn.join(':', [
+      'arn',
+      Stack.of(this).partition,
+      'ec2',
+      Stack.of(this).region,
+      Stack.of(this).account,
+      Fn.join('/', ['vpc-endpoint-service', serviceId]),
+    ]);
+
     const enable = new AwsCustomResource(this, 'EnableDns', {
       onCreate: enablePrivateDnsAction,
       onUpdate: enablePrivateDnsAction,
       onDelete: removePrivateDnsAction,
-      policy: AwsCustomResourcePolicy.fromSdkCalls({
-        resources: [
-          Fn.join(':', [
-            'arn',
-            Stack.of(this).partition,
-            'ec2',
-            Stack.of(this).region,
-            Stack.of(this).account,
-            Fn.join('/', [
-              'vpc-endpoint-service',
-              serviceId,
-            ]),
-          ]),
-        ],
-      }),
+      policy: AwsCustomResourcePolicy.fromStatements([
+        new iam.PolicyStatement({
+          actions: [
+            'ec2:ModifyVpcEndpointServiceConfiguration',
+            'vpce:AllowMultiRegion',
+          ],
+          resources: [serviceArn],
+        }),
+      ]),
       // APIs are available in 2.1055.0
       installLatestAwsSdk: false,
     });

packages/aws-cdk-lib/aws-route53/test/vpc-endpoint-service-domain-name.test.ts

@@ -278,3 +278,32 @@ test('endpoint domain name property equals input domain name', () => {
   });
   expect(dn.domainName).toEqual('name-test.aws-cdk.dev');
 });
+
+test('EnableDns custom resource policy includes vpce:AllowMultiRegion permission', () => {
+  // GIVEN
+  const testVpces = new VpcEndpointService(stack, 'TestVPCES', {
+    vpcEndpointServiceLoadBalancers: [nlb],
+  });
+
+  // WHEN
+  new VpcEndpointServiceDomainName(stack, 'EndpointDomain', {
+    endpointService: testVpces,
+    domainName: 'my-stuff.aws-cdk.dev',
+    publicHostedZone: zone,
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: [
+            'ec2:ModifyVpcEndpointServiceConfiguration',
+            'vpce:AllowMultiRegion',
+          ],
+          Effect: 'Allow',
+        },
+      ],
+    },
+  });
+});