3

I do have three AWS accounts:

  • Shared (Where the aws-cdk pipelines live)
  • Development
  • Production

The Shared account owns a route53 domain name with the corresponding zone.

I do want to allow Development and Production to be able to use those domain names (attach dns records, say dev.domainname.com)

Edit: I need to access other resources (s3 buckets, certificatemanager, ...) in the shared account as well, this was a simplification for the sake of the question.

I bootstrapped the accounts and cross account deployment of pipeline stages works as per this guide

If I try to deploy a stack which uses the domain it fails as expected since the role (cfn-exec-role) in the Development stack has no permissions on the resources of the Shared Stack.

I could go and attach the necessary policies in the Shared Stack allowing the Roles in the Development and Production Stack access to the necessary resources, but is there any way to solve this in code as per "Infrastructure as Code"?

This would require getting the execution roles of the Development and Production accounts and attaching permissions in the Shared Account

pfried
  • What do you mean by "execution roles" here? – gshpychka Nov 12 '21 at 14:56
  • CDK Pipelines has two roles which are used to deploy a stack (created by the bootstrapping step); the deploying role (creating the resources) is the cfn-exec-role – pfried Nov 15 '21 at 07:32

2 Answers

4

Because Route53 supports cross-account subdomain Hosted Zones, you can avoid cross-account resource-sharing or permissions. Create a dev.domainname.com Hosted Zone in your development account and a domainname.com Hosted Zone in your production account.

import { HostedZone } from 'aws-cdk-lib/aws-route53'; // aws-cdk-lib v2; CDK v1 used @aws-cdk/aws-route53

// props.isProd is a boolean stack prop the stage passes in (dev vs prod)
const hostedZone = HostedZone.fromLookup(this, 'HostedZone', {
  // synth-time hosted zone lookup; needs an explicit env { account, region } on the stack
  domainName: props.isProd ? 'domainname.com' : 'dev.domainname.com',
});

fedonev
  • Okay, I guess this was oversimplified for my question as I have the issue for the root zone as well, since there are dozens of domains and also I need to use other resources like the certificate manager and S3 buckets. I need to solve this on a more general level – pfried Nov 03 '21 at 05:41
3

So I assume you want something like this (GitHub): [image] The main difference is that you don't want to manually create the roles in the prod/dev account and your dev-env is also in a different account.

I would extend this by creating a different CDK stack which creates the roles CodePipelineCrossAccountRole (policy) and CloudFormationDeploymentRole (policy) on prod. In your case the same is also required for dev. Deploy these stacks in dev and prod and you can access the roles by their ARN in the pipeline stack. And in a similar fashion you can extend this to give cross-account access to other shared resources, as is already implemented for the artifact bucket and KMS.

Chiel
  • I guess this is the right answer, maybe I will be able to provide an example; the manual part must be removed as this is error prone and not suitable for CI/CD, even if it is a one-time action – pfried Nov 15 '21 at 09:39
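Both answers come down to the same mechanism: a role in the Shared account that the other accounts' deployment roles may assume, plus resource policies where the service has them. The following is an added example, not code from the question or from either answer, written in plain TypeScript with no CDK dependency so that the generated documents can be inspected. It derives the `cdk bootstrap` cfn-exec role ARNs from the deterministic naming `cdk-<qualifier>-cfn-exec-role-<account>-<region>`, builds the trust and permission policies for a per-environment delegation role on the Shared hosted zone (scoped by the Route 53 condition key `route53:ChangeResourceRecordSetsNormalizedRecordNames`), builds a bucket policy for a shared S3 bucket, and checks that the trust policy names roles rather than whole accounts. Account IDs, the region, the hosted zone ID and the bucket name are placeholders.

```typescript
// Added example: policy documents for cross-account delegation from the Shared account.
// Account IDs, region, zone ID and bucket name are placeholders (assumptions).

export interface Account { id: string; region: string }

// `cdk bootstrap` names its roles deterministically; "hnb659fds" is the default qualifier.
export const DEFAULT_QUALIFIER = "hnb659fds";

export function cfnExecRoleArn(acct: Account, qualifier = DEFAULT_QUALIFIER): string {
  return `arn:aws:iam::${acct.id}:role/cdk-${qualifier}-cfn-exec-role-${acct.id}-${acct.region}`;
}

// Trust policy: only the named CloudFormation execution roles may assume the delegation role.
export function delegationTrustPolicy(assumerRoleArns: string[]) {
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Principal: { AWS: assumerRoleArns }, Action: "sts:AssumeRole" },
    ],
  };
}

// Permission policy: record changes limited to one hosted zone and to the record names the
// environment owns (e.g. dev.domainname.com and anything below it for Development).
export function zoneRecordPolicy(hostedZoneId: string, allowedRecordNames: string[]) {
  const zoneArn = `arn:aws:route53:::hostedzone/${hostedZoneId}`;
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["route53:ChangeResourceRecordSets"],
        Resource: zoneArn,
        Condition: {
          "ForAllValues:StringLike": {
            "route53:ChangeResourceRecordSetsNormalizedRecordNames": allowedRecordNames,
          },
        },
      },
      { Effect: "Allow", Action: ["route53:ListResourceRecordSets", "route53:GetHostedZone"], Resource: zoneArn },
      { Effect: "Allow", Action: ["route53:GetChange"], Resource: "arn:aws:route53:::change/*" },
    ],
  };
}

// S3 has a resource policy, so a shared bucket can grant the foreign roles directly,
// without the assume-role hop that Route 53 needs.
export function sharedBucketPolicy(bucketName: string, readerRoleArns: string[]) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { AWS: readerRoleArns },
        Action: ["s3:GetObject", "s3:ListBucket"],
        Resource: [`arn:aws:s3:::${bucketName}`, `arn:aws:s3:::${bucketName}/*`],
      },
    ],
  };
}

// Guard against trusting a whole account ("arn:aws:iam::<id>:root" or "*"): that would let any
// principal in Development with sts:AssumeRole rights reach the Shared zone, not only the
// pipeline's execution role.
export function trustIsRoleScoped(policy: { Statement: { Principal: { AWS: string[] } }[] }): boolean {
  return policy.Statement.every(s =>
    s.Principal.AWS.every(p => p !== "*" && !p.endsWith(":root") && p.includes(":role/")));
}

// Worked values (placeholders): one delegation role per environment.
export const dev: Account = { id: "111111111111", region: "eu-central-1" };
export const prod: Account = { id: "222222222222", region: "eu-central-1" };
export const devTrust = delegationTrustPolicy([cfnExecRoleArn(dev)]);
export const devZonePolicy = zoneRecordPolicy("Z0123456789ABCDEFGHIJ", ["dev.domainname.com", "*.dev.domainname.com"]);
export const prodTrust = delegationTrustPolicy([cfnExecRoleArn(prod)]);
export const prodZonePolicy = zoneRecordPolicy("Z0123456789ABCDEFGHIJ", ["domainname.com", "*.domainname.com"]);
export const artifactsPolicy = sharedBucketPolicy("shared-artifacts", [cfnExecRoleArn(dev), cfnExecRoleArn(prod)]);
```

In a CDK stack deployed to the Shared account these documents go into `iam.PolicyDocument.fromJson()` on a `new iam.Role(...)`, so the whole grant lives in code and is re-applied on every pipeline run. On the Development side the records are then written by a call that assumes the delegation role (for example `AwsCustomResource` with `assumedRoleArn` set on its SDK call), or, for the subdomain layout from the first answer, by `route53.CrossAccountZoneDelegationRecord`, which assumes a role in the parent zone's account in the same way. ACM certificates cannot be granted cross-account like this: a certificate has to be issued in the account that attaches it, and DNS validation then only needs write access to the validation records through the same delegation role.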