feat(route53): support restricting delegated zone names when using grantDelegation

[Kasra-G]

Issue # (if applicable)

Closes #28078.

Reason for this change

Allowing the option to restrict the hosted zone names the delegation role can create records for encourages minimum permissions setup. The linked issue establishes a fairly common usecase - different roles for dev.example.come and prod.example.com,

Description of changes

Adds the interface GrantDelegationOptions, with optional readonly prop delegatedZoneNames. This interface is used as an optional prop to hostedZone.grantDelegation().

Example usage:

declare const zone: IHostedZone
declare const role: Role

zone.grantDelegation(role, {
  delegatedZoneNames: ['a.example.com'],
})

Added some validation that ensures each of the delegatedZoneNames is a valid subdomain of the parent hosted zone.

Additionally, updated the README with usage instructions and fixed an outdated code example for how to use grantDelegation. This code example was giving too broad permissions that what was necessary.

Describe any new or updated permissions being added

when delegatedZoneNames is provided with [a.example.com], the following condition is added:

"ForAllValues:StringEquals": {
 "route53:ChangeResourceRecordSetsRecordTypes": [
  "NS"
 ],
 "route53:ChangeResourceRecordSetsActions": [
  "UPSERT",
  "DELETE"
 ],
+ "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
+  "a.example.com"
+ ]

Description of how you validated changes

Updated Integ and unit tests

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 88ea9b1
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[pahud]

A few minor suggestions for consideration:

1. Input Validation: Consider adding validation that the provided record names are valid DNS names to catch errors early rather than at IAM policy evaluation time.

2. Documentation Enhancement: It might be helpful to clarify in the README that the record names should be the actual NS record names that will be created (e.g., for delegating beta.example.com, you'd specify ['beta.example.com']).

3. Property Naming: While nameEquals is clear, recordNames or allowedRecordNames might be slightly more intuitive for users.

These are minor suggestions - the core implementation is solid. Thanks for contributing this useful feature to the CDK!

[jochemd]

Maybe the property should be named subZones or childZones to reinforce this only grants rights to create NS records.

Update: so according to RFC 9499 DNS Terminology there is no uniform name, but child zone is definitely the most common name.

[Kasra-G]

Exemption requested for the Security Guardian check - the fix would be to restrict the trust policy on the delegation role to specific role name, but the CrossAccountZoneDelegationRecord does not allow you to specify a role name.

Additionally, the integ test is using conditions to limit access

[Kasra-G]

Tokens in delegatedZoneNames or the hosted zone name now bypass most validation logic, because if these are things like stack parameters we have no way to validate them.

Additionally we now handle the octal code conversion in the delegated zone name which is something I missed on the first iteration. Names with tokens in them are not encoded.

Characters other than a–z, 0–9, - (hyphen), _ (underscore), and . (period, as a delimiter between labels) must use escape codes in the format \three-digit octal code. For example, \052 is the octal code for character *

[Abogical]

LGTM. Thank you!
I've requested another reviewer to sign of on this before merging for next release.

[Abogical]

@Mergifyio update

[mergify]

update

❌ Mergify doesn't have permission to update

Details

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/analytics-metadata-updater.yml without workflows permission

[Kasra-G]

Noticed opportunity for a small improvement in the input validation order, went ahead and updated it

[mergify]

Thank you for contributing! Your pull request will be automatically updated and merged (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/integration-test-deployment.yml without workflows permission.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.