
route53: HostedZone should have a hostedZoneArn property #4744

Closed
AlexZeitler opened this issue Oct 29, 2019 · 5 comments · Fixed by #5230
Assignees
Labels
@aws-cdk/aws-route53 Related to Amazon Route 53 feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md in-progress This issue is being actively worked on.

Comments

@AlexZeitler
Contributor

AlexZeitler commented Oct 29, 2019

❓ General Issue

The Question

I'm trying to create an IAM group with a policy attached to change DNS records for a Route53 hosted zone.

This is my code:

const group = new iam.Group(this, 'group', {
  groupName: 'ci-ui-iam-group'
})

const zone = route53.HostedZone.fromLookup(this, 'zone', {
  domainName: 'mydomain.com'
})

group.addManagedPolicy(
  new iam.ManagedPolicy(this, 'AllowChangeRecordSets', {
    managedPolicyName: 'allow-change-record-sets',
    statements: [
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        resources: [`arn:aws:route53:::${zone.hostedZoneId}`],
        actions: ['route53:ChangeResourceRecordSets']
      })
    ]
  })
)

It creates the group as well as the policy, whose JSON looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::/hostedzone/<SomeHostedZoneId>",
      "Effect": "Allow"
    }
  ]
}

When opening the new Policy in AWS Console, I get this warning:

[screenshot: AWS Console warning on the policy's Resource entry]

When changing the Resource entry like this (removing the / before hostedzone):

"Resource": "arn:aws:route53:::hostedzone/<SomeHostedZoneId>",

the policy is fixed.

So my question is: can I get hostedzone/<SomeHostedZoneId> using AWS CDK instead of /hostedzone/<SomeHostedZoneId> so I don't have to remove the leading / myself?

Or even better: is there a function in the CDK which allows me to get the full ARN for this zone?

Environment

  • CDK CLI Version: 1.15.0
  • Module Version: 1.15.0
  • OS: Darwin mbp.local 19.0.0 Darwin Kernel Version 19.0.0: Wed Sep 25 20:18:50 PDT 2019; root:xnu-6153.11.26~2/RELEASE_X86_64 x86_64
  • Language: TypeScript

Other information

@AlexZeitler AlexZeitler added the needs-triage This issue or PR still needs to be triaged. label Oct 29, 2019
@SomayaB SomayaB added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Oct 29, 2019
@SomayaB SomayaB added the guidance Question that needs advice or information. label Oct 29, 2019
@AlexZeitler AlexZeitler changed the title [@aws-cdk/aws-iam] Get hosted zone id without leading slash or complete ARN [@aws-cdk/aws-iam/@aws-cdk/route53] Get hosted zone id without leading slash or complete ARN Oct 29, 2019
@abelmokadem
Contributor

I think the entire /hostedzone/ part should be removed. This attribute should just return the ID of the hosted zone.

@AlexZeitler
Contributor Author

That’s what I expected it to be when using it for the first time.

@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Nov 12, 2019
@SomayaB SomayaB assigned SomayaB and unassigned SomayaB Nov 12, 2019
@SomayaB SomayaB added the needs-triage This issue or PR still needs to be triaged. label Nov 15, 2019
@rix0rrr rix0rrr assigned shivlaks and unassigned rix0rrr Nov 27, 2019
@rix0rrr rix0rrr changed the title [@aws-cdk/aws-iam/@aws-cdk/route53] Get hosted zone id without leading slash or complete ARN route53: HostedZone should have a hostedZoneArn property Nov 27, 2019
@rix0rrr
Contributor

rix0rrr commented Nov 27, 2019

You should not have to construct the ARN yourself, the class should do this for you.

@rix0rrr rix0rrr added feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md and removed guidance Question that needs advice or information. labels Nov 27, 2019
@abelmokadem
Contributor

I see that the title was changed, but what about the issue of getting the /hostedzone/ as part of the hosted zone id when importing a hosted zone? When creating a hosted zone in CDK, the id only returns the id part and does not prefix it with /hostedzone/.

@AlexZeitler
Contributor Author

Having consistent behavior between creating the HostedZone and importing it using route53.HostedZone.fromLookup would be great.
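An added example, not code from this issue or from the aws-cdk project: a small TypeScript helper that accepts either id shape discussed above (the bare id a CDK-created zone returns, or the /hostedzone/-prefixed id from HostedZone.fromLookup), builds the ARN form IAM accepts, and checks a policy Resource string so the malformed "arn:aws:route53:::/hostedzone/..." value is caught before deployment rather than by the console warning. The zone ids and the id character set check are assumptions for illustration.

```typescript
// Added example, not part of the aws-cdk project. Normalises a Route 53 hosted
// zone id and builds the ARN an IAM policy statement expects. Assumes the two id
// shapes described in the issue: a bare id ("Z...") from a zone created in CDK,
// or "/hostedzone/Z..." as returned by HostedZone.fromLookup.

const HOSTED_ZONE_PREFIX = /^\/?hostedzone\//;
// Assumption: hosted zone ids are upper-case alphanumerics; anything else is rejected.
const HOSTED_ZONE_ID = /^[A-Z0-9]+$/;
const HOSTED_ZONE_ARN = /^arn:aws:route53:::hostedzone\/[A-Z0-9]+$/;

/** Strip any "/hostedzone/" or "hostedzone/" prefix, leaving the bare id. */
function normalizeHostedZoneId(raw: string): string {
  const id = raw.trim().replace(HOSTED_ZONE_PREFIX, "");
  if (!HOSTED_ZONE_ID.test(id)) {
    throw new Error(`not a hosted zone id: ${JSON.stringify(raw)}`);
  }
  return id;
}

/** The ARN form IAM accepts: no leading slash after the empty region/account fields. */
function hostedZoneArn(raw: string): string {
  return `arn:aws:route53:::hostedzone/${normalizeHostedZoneId(raw)}`;
}

/** True only for a well-formed single-zone ARN; rejects the "/hostedzone/" variant. */
function isValidHostedZoneArn(resource: string): boolean {
  return HOSTED_ZONE_ARN.test(resource);
}

/** The statement from the report, scoped to one zone with a correct Resource. */
function changeRecordSetsStatement(raw: string): { Effect: string; Action: string; Resource: string } {
  const statement = {
    Effect: "Allow",
    Action: "route53:ChangeResourceRecordSets",
    Resource: hostedZoneArn(raw),
  };
  // Fail closed: a malformed ARN would silently grant nothing (or tempt a "*" fallback).
  if (!isValidHostedZoneArn(statement.Resource)) {
    throw new Error(`malformed Resource: ${statement.Resource}`);
  }
  return statement;
}
```

Running normalizeHostedZoneId over both id shapes yields the same bare id, which is the consistency the thread asks for.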

@SomayaB SomayaB added @aws-cdk/aws-route53 Related to Amazon Route 53 and removed @aws-cdk/aws-iam Related to AWS Identity and Access Management needs-triage This issue or PR still needs to be triaged. labels Nov 27, 2019
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Nov 28, 2019