feat(route53): add support for grantDelegation on imported PublicHostedZone

packages/aws-cdk-lib/aws-route53/README.md

@@ -255,6 +255,18 @@ const zoneFromAttributes = route53.PublicHostedZone.fromPublicHostedZoneAttribut
 const zoneFromId = route53.PublicHostedZone.fromPublicHostedZoneId(this, 'MyZone', 'ZOJJZC49E0EPZ');
 ```
 
+You can use `CrossAccountZoneDelegationRecord` on imported Public Hosted Zones with the `grantDelegation` method:
+
+```ts
+const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
+  // The role name must be predictable
+  roleName: 'MyDelegationRole',
+  // The other account
+  assumedBy: new iam.AccountPrincipal('12345678901'),
+});
+zoneFromId.grantDelegation(crossAccountRole);
+```
+
 ## VPC Endpoint Service Private DNS
 
 When you create a VPC endpoint service, AWS generates endpoint-specific DNS hostnames that consumers use to communicate with the service.

packages/aws-cdk-lib/aws-route53/lib/hosted-zone.ts

@@ -3,7 +3,7 @@ import { HostedZoneProviderProps } from './hosted-zone-provider';
 import { HostedZoneAttributes, IHostedZone, PublicHostedZoneAttributes } from './hosted-zone-ref';
 import { CaaAmazonRecord, ZoneDelegationRecord } from './record-set';
 import { CfnHostedZone } from './route53.generated';
-import { makeHostedZoneArn, validateZoneName } from './util';
+import { makeGrantDelegation, makeHostedZoneArn, validateZoneName } from './util';
 import * as ec2 from '../../aws-ec2';
 import * as iam from '../../aws-iam';
 import * as cxschema from '../../cloud-assembly-schema';
@@ -238,7 +238,12 @@ export interface PublicHostedZoneProps extends CommonHostedZoneProps {
 /**
  * Represents a Route 53 public hosted zone
  */
-export interface IPublicHostedZone extends IHostedZone { }
+export interface IPublicHostedZone extends IHostedZone {
+  /**
+   * Grant permissions to add delegation records to this zone
+   */
+  grantDelegation(grantee: iam.IGrantable): void;
+}
 
 /**
  * Create a Route53 public hosted zone.
@@ -264,6 +269,9 @@ export class PublicHostedZone extends HostedZone implements IPublicHostedZone {
       public get hostedZoneArn(): string {
         return makeHostedZoneArn(this, this.hostedZoneId);
       }
+      public grantDelegation(grantee: iam.IGrantable) {
+        makeGrantDelegation(grantee, this.hostedZoneArn);
+      };
     }
     return new Import(scope, id);
   }
@@ -284,6 +292,9 @@ export class PublicHostedZone extends HostedZone implements IPublicHostedZone {
       public get hostedZoneArn(): string {
         return makeHostedZoneArn(this, this.hostedZoneId);
       }
+      public grantDelegation(grantee: iam.IGrantable) {
+        makeGrantDelegation(grantee, this.hostedZoneArn);
+      };
     }
     return new Import(scope, id);
   }
@@ -354,28 +365,8 @@ export class PublicHostedZone extends HostedZone implements IPublicHostedZone {
     });
   }
 
-  /**
-   * Grant permissions to add delegation records to this zone
-   */
   public grantDelegation(grantee: iam.IGrantable) {
-    const g1 = iam.Grant.addToPrincipal({
-      grantee,
-      actions: ['route53:ChangeResourceRecordSets'],
-      resourceArns: [this.hostedZoneArn],
-      conditions: {
-        'ForAllValues:StringEquals': {
-          'route53:ChangeResourceRecordSetsRecordTypes': ['NS'],
-          'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'],
-        },
-      },
-    });
-    const g2 = iam.Grant.addToPrincipal({
-      grantee,
-      actions: ['route53:ListHostedZonesByName'],
-      resourceArns: ['*'],
-    });
-
-    return g1.combine(g2);
+    makeGrantDelegation(grantee, this.hostedZoneArn);
   }
 }
 

packages/aws-cdk-lib/aws-route53/lib/util.ts

@@ -1,5 +1,6 @@
 import { Construct } from 'constructs';
 import { IHostedZone } from './hosted-zone-ref';
+import * as iam from '../../aws-iam';
 import { Stack } from '../../core';
 
 /**
@@ -69,3 +70,24 @@ export function makeHostedZoneArn(construct: Construct, hostedZoneId: string): s
     resourceName: hostedZoneId,
   });
 }
+
+export function makeGrantDelegation(grantee: iam.IGrantable, hostedZoneArn: string) {
+  const g1 = iam.Grant.addToPrincipal({
+    grantee,
+    actions: ['route53:ChangeResourceRecordSets'],
+    resourceArns: [hostedZoneArn],
+    conditions: {
+      'ForAllValues:StringEquals': {
+        'route53:ChangeResourceRecordSetsRecordTypes': ['NS'],
+        'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'],
+      },
+    },
+  });
+  const g2 = iam.Grant.addToPrincipal({
+    grantee,
+    actions: ['route53:ListHostedZonesByName'],
+    resourceArns: ['*'],
+  });
+
+  return g1.combine(g2);
+}

packages/aws-cdk-lib/aws-route53/test/hosted-zone.test.ts

@@ -288,6 +288,57 @@ test('grantDelegation', () => {
   });
 });
 
+test('grantDelegation on imported public zones', () => {
+  // GIVEN
+  const stack = new cdk.Stack(undefined, 'TestStack', {
+    env: { account: '123456789012', region: 'us-east-1' },
+  });
+
+  const role = new iam.Role(stack, 'Role', {
+    assumedBy: new iam.AccountPrincipal('22222222222222'),
+  });
+
+  const zone = PublicHostedZone.fromPublicHostedZoneId(stack, 'Zone', 'hosted-id');
+
+  // WHEN
+  zone.grantDelegation(role);
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: 'route53:ChangeResourceRecordSets',
+          Effect: 'Allow',
+          Resource: {
+            'Fn::Join': [
+              '',
+              [
+                'arn:',
+                {
+                  Ref: 'AWS::Partition',
+                },
+                ':route53:::hostedzone/hosted-id',
+              ],
+            ],
+          },
+          Condition: {
+            'ForAllValues:StringEquals': {
+              'route53:ChangeResourceRecordSetsRecordTypes': ['NS'],
+              'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'],
+            },
+          },
+        },
+        {
+          Action: 'route53:ListHostedZonesByName',
+          Effect: 'Allow',
+          Resource: '*',
+        },
+      ],
+    },
+  });
+});
+
 describe('Hosted Zone with dot', () => {
   test('Hosted Zone constructs without trailing dot by default', () => {
     // GIVEN