Provided the hosted zones are passed in via this variable, the solution works as intended.
Please open any new issues in the new addons module: https://github.com/aws-ia/terraform-aws-eks-blueprints-addons
@bryantbiggs It can be used as a temporary workaround, but it won't work as a long-term solution.
Let's say I have two hosted zones (private hostedzone/1111 and public hostedzone/2222). I want my cluster to use hostedzone/1111 only, because it is a cluster for internal services and these services shouldn't be accessible outside of my cloud.
So ideally I'd like to configure ExternalDNS this way:
But if I do so, ExternalDNS won't work and will be failing with the following error:
As a result, I have to add all zones from my account to the external_dns_route53_zone_arns variable to make it work, even though my cluster shouldn't have access to them:
And the resulting policy is the following:
So my cluster now has ChangeResourceRecordSets permission for zone 2222 too, and that's not what I planned initially.
Ok, let's say that it is not critical for us and we can live with it, but what happens if we add a third zone (id=3333) after the cluster is created? Right, ExternalDNS will start failing again because there is no ListResourceRecordSets permission for zone 3333 in the policy, so we'll have to update the policies for all our clusters.
That's why I still think that ListResourceRecordSets should be granted to "*" resource, like it was done in the previous versions of Blueprints:
Restricting ListResourceRecordSets permission to specific zone IDs makes no difference for accounts with a single hosted zone (there is just one zone, so having * and 1111 is technically equivalent there), but it breaks everything for environments with multiple R53 zones.
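The policy shape this comment argues for, written out as a Terraform aws_iam_policy_document. This is an added example, not code from the Blueprints module or the addons module: route53:ChangeResourceRecordSets stays scoped to the zone ARNs the cluster owns, while route53:ListHostedZones and route53:ListResourceRecordSets are granted on "*", because ExternalDNS enumerates every hosted zone in the account and reads its record sets before deciding which zones it will manage. The variable name external_dns_route53_zone_arns is taken from the thread; the zone ID 1111 in the default value, the statement SIDs and the resource names are placeholders.

```hcl
# Added example, not the Blueprints module's own code. Assumes the variable
# external_dns_route53_zone_arns from the thread; the zone ID 1111 is a
# placeholder taken from the discussion above.
variable "external_dns_route53_zone_arns" {
  description = "ARNs of the hosted zones ExternalDNS may change records in"
  type        = list(string)
  default     = ["arn:aws:route53:::hostedzone/1111"]
}

data "aws_iam_policy_document" "external_dns" {
  # Write access is the part worth scoping: only the zones passed in can be
  # modified, so a cluster for internal services cannot touch a public zone.
  statement {
    sid       = "ChangeRecordsInOwnedZones"
    effect    = "Allow"
    actions   = ["route53:ChangeResourceRecordSets"]
    resources = var.external_dns_route53_zone_arns
  }

  # Read access must not be scoped to zone ARNs. ExternalDNS lists every
  # hosted zone in the account and then lists the record sets of each one,
  # so a ListResourceRecordSets grant limited to 1111 fails as soon as any
  # other zone exists, and adding a zone later breaks every cluster whose
  # policy was generated from the old list. A resource list here would be
  # the broken variant; "*" is what the upstream ExternalDNS AWS tutorial
  # uses for these two actions.
  statement {
    sid    = "ListAllZonesAndRecords"
    effect = "Allow"
    actions = [
      "route53:ListHostedZones",
      "route53:ListResourceRecordSets",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "external_dns" {
  name   = "external-dns-route53"
  policy = data.aws_iam_policy_document.external_dns.json
}
```

To confirm the split before rolling it out, render the document to JSON (for example with terraform console and data.aws_iam_policy_document.external_dns.json) and run it through aws iam simulate-custom-policy with --policy-input-list, --action-names and --resource-arns: route53:ListResourceRecordSets against arn:aws:route53:::hostedzone/3333 should evaluate to allowed, and route53:ChangeResourceRecordSets against the same ARN should evaluate to implicitDeny, which is exactly the boundary the thread wants (read everywhere, write only in 1111).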
Ah, yes, you are correct - I see this here as well: https://github.com/kubernetes-sigs/external-dns/blob/64d6bbbbc2aac9e233b07afc6a95ecb4666da023/docs/tutorials/aws.md?plain=1#L29-L36
Let me re-open and merge. Would you mind adding this to the new addon module as well via a PR? https://github.com/aws-ia/terraform-aws-eks-blueprints-addons
Sure, I'll create a PR there soon
Here is the PR: aws-ia/terraform-aws-eks-blueprints-addons#72