CrossAccountZoneDelegationRecord: Validation fails for public and private hosted zone with the same name

[ENM185]

Describe the bug

CrossAccountZoneDelegationRecord complains about more than 1 matching zone when only one of them is public.

Expected Behavior

Validate that there is only one public hosted zone matching the name.

Current Behavior

Validates that there is only one (no filter by public) hosted zone matching the name. The logic is here:

aws-cdk/packages/@aws-cdk/custom-resource-handlers/lib/aws-route53/cross-account-zone-delegation-handler/index.ts

Line 79 in 623cedb

const zones = await route53.listHostedZonesByName({ DNSName: name });

Reproduction Steps

Create a public and private hosted zone in one account with the same name and then a CrossAccountZoneDelegationRecord in the other.

Possible Solution

Filter by public hosted zone here:

aws-cdk/packages/@aws-cdk/custom-resource-handlers/lib/aws-route53/cross-account-zone-delegation-handler/index.ts

Line 79 in 623cedb

const zones = await route53.listHostedZonesByName({ DNSName: name });

Additional Information/Context

No response

CDK CLI Version

2.136.0

Framework Version

No response

Node.js Version

8.19.4

OS

Linux

Language

TypeScript

Language Version

No response

Other information

No response

[ashishdhingra]

@ENM185 Good afternoon. Thanks for reporting the issue. Could you please share the following:

• Sample CDK code to reproduce the issue.
• Does cdk synth runs fine or gives the above validation error?
• Does error occurs when using latest version of CDK?

I came across useful article https://stackoverflow.com/questions/66616710/how-can-i-set-up-my-hostedzone-so-that-it-delegates-to-a-parent-dns-record-in-an but it would be good to reproduce the issue end-to-end based on your sample code.

Thanks,
Ashish

[ENM185]

cdk synth does not report this error, and it still occurs with the latest version.

I don't think it's useful to provide a CDK example as this is a cross-account issue. To reproduce, create two hosted zones with the same name in one account, one public and one private. Then use the CrossAccountZoneDelegationRecord construct in the other account, where parentHostedZoneName is the same as the zone specified in the first account.

[ashishdhingra]

Reproducible with the following steps:

• Manually create parent hosted zones - one public and one private (let's assume domain name is test-parent-cdk.com) in parent account.
• Configure a named profile in AWS ~/.aws/credentials file (let's call it parent-account-profile).
• Create and deploy below CDK stack for parent account using cdk deploy --profile parent-account-profile:

  import * as cdk from 'aws-cdk-lib';
  import { Construct } from 'constructs';
  import * as iam from 'aws-cdk-lib/aws-iam'
  import * as route53 from 'aws-cdk-lib/aws-route53';
  
  export class Issue30262ParentAccountStack extends cdk.Stack {
    constructor(scope: Construct, id: string, props?: cdk.StackProps) {
      super(scope, id, props);
  
      // Get the Route53 zone based on public hosted zone ID
      const hostedZone = route53.PublicHostedZone.fromHostedZoneId(this, 'parentHostedZone', 'Z0051334ZNUQJBHW4IEM'); //'test-parent-cdk.com');
  
      // Create the role
      const role = new iam.Role(this, 'RootZoneOrganizationRole', {
        assumedBy: new iam.AccountPrincipal('<<PARENT_ACCOUNT_ID>>'),
        roleName: 'Test-CDK-HostedZoneDelegationRole',
      });
  
      // Grant the delegation
      hostedZone.grantDelegation(role);
    }
  }

  This would create role named Test-CDK-HostedZoneDelegationRole in the parent account.
• Create another CDK stack for sub zone account.

  import * as cdk from 'aws-cdk-lib';
  import { Construct } from 'constructs';
  import * as iam from 'aws-cdk-lib/aws-iam'
  import * as route53 from 'aws-cdk-lib/aws-route53';
  
  export class Issue30262SubZoneStack extends cdk.Stack {
    constructor(scope: Construct, id: string, props?: cdk.StackProps) {
      super(scope, id, props);
  
      const subZone = new route53.PublicHostedZone(this, 'SubZone', {
        zoneName: 'sub.someexample.com',
      });
  
      // import the delegation role by constructing the roleArn
      const delegationRoleArn = cdk.Stack.of(this).formatArn({
        region: '', // IAM is global in each partition
        service: 'iam',
        account: '<<<<PARENT_ACCOUNT_ID>>>>', //'parent-account-id'
        resource: 'role',
        resourceName: 'Test-CDK-HostedZoneDelegationRole',
      });
      const delegationRole = iam.Role.fromRoleArn(this, 'DelegationRole', delegationRoleArn);
  
      // create the record
      new route53.CrossAccountZoneDelegationRecord(this, 'delegate', {
        delegatedZone: subZone,
        parentHostedZoneName: 'test-parent-cdk.com', // or you can use parentHostedZoneId
        delegationRole,
      });
    }
  }

  • Configure a named profile in AWS ~/.aws/credentials file (let's call it subzone-account-profile)
  • Run cdk synth --profile subzone-account-profile. It works fine outputting the CloudFormation template.
  • Run cdk deploy -profile subzone-account-profile. CDK deployment in the this sub zone account rolls back (also noticed in the AWS CloudFormation console) with the below error during creation of delegateCrossAccountZoneDelegationCustomResource23BD590B:

    2:02:00 PM | CREATE_FAILED        | Custom::CrossAccountZoneDelegation | delegateCrossAccou...omResource23BD590B
    Received response status [FAILED] from custom resource. Message returned: Error: Expected one hosted zone to match the given name but found 2
    at S (/var/task/index.js:1:1635)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async r (/var/task/index.js:1:1294)
    at async Runtime.handler (/var/task/__entrypoint__.js:1:932) (RequestId: 98b35673-2aa6-4f90-83c7-8f8edf654107)