# getting-started
Shared-account Pulumi code:
// Shared-account stack: adopt the TLD hosted zone that already exists in this
// account and publish a cross-account role that environment stacks can assume
// to work with it.
//
// The `import` resource option makes Pulumi take over the existing hosted zone
// (identified by `tldZoneId`) instead of creating a second zone for `tldName`.
const rootZone = new aws.route53.Zone(tldName, {
    name: tldName,
	comment: 'HostedZone created by Route53 Registrar'
}, {
	import: tldZoneId
});

// Resources the cross-account policy is scoped to: only the root zone's ARN.
const allowedTargetArns = [
	rootZone.arn
]

// Actions the cross-account policy grants on `allowedTargetArns`.
// NOTE(review): CreateHostedZone and ListHostedZones are account-level actions
// that IAM does not scope to a hosted-zone ARN, so the zone-scoped statement
// below is expected not to grant them — confirm against the Route 53 IAM
// reference before relying on them from an environment account.
// NOTE(review): ChangeResourceRecordSets and DeleteHostedZone on the root zone
// let every account in `allowedSourceArns` rewrite or delete any record of the
// shared zone, not only its own subdomain delegation. If the only intended
// write is an NS record per subdomain, a condition on the record name
// (e.g. route53:ChangeResourceRecordSetsNormalizedRecordNames) and dropping
// DeleteHostedZone would narrow this to least privilege — verify the condition
// key is supported by the provider version in use.
const allowedActions = [
	"route53:ChangeResourceRecordSets",
	"route53:CreateHostedZone",
	"route53:DeleteHostedZone",
	"route53:GetChange",
	"route53:GetHostedZone",
	"route53:ListHostedZones",
	"route53:ListResourceRecordSets",
	"route53:UpdateHostedZoneComment"
]

// Principals allowed to assume the role, read from the admin stack's output.
// Whatever that output lists is trusted with the full policy below, so the
// admin stack is the place where access is actually decided.
const allowedSourceArns = adminStack.getOutput('crossAccountPermissionPolicyTargets');

// Trust policy: only the ARNs from `allowedSourceArns` may call sts:AssumeRole.
// Built inside `.apply` because the principal list is only known once the
// admin stack output resolves.
const crossAccountAccessRole = new aws.iam.Role(pre('cross-acct-role'), {
    assumeRolePolicy: allowedSourceArns.apply(sourceArns => { 
		return JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                AWS: sourceArns
            },
            Action: "sts:AssumeRole"
        }]
    })
})});

// Permissions policy: `allowedActions` on `allowedTargetArns` (the root zone).
// `pulumi.all` resolves the zone ARN Output before the document is serialized.
const crossAccountAccessPolicy = new aws.iam.Policy(pre('cross-acct-policy'), {
	policy: pulumi.all(allowedTargetArns).apply(targetArns => {
		return JSON.stringify({
			"Version": "2012-10-17",
			"Statement": [
				{
					"Effect": "Allow",
					"Action": allowedActions,
					"Resource": targetArns
				}
			]
		})
	})
});

// Bind the permissions policy to the assumable role.
const policyAttachment = new aws.iam.RolePolicyAttachment(pre('cross-acct-attach'), {
    role: crossAccountAccessRole.name,
    policyArn: crossAccountAccessPolicy.arn
});
Each environment account's stack:
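// Environment-account stack: attach this environment's DNS to the shared TLD zone.
//
// Handle on the shared account's TLD zone. The resource options are produced
// from an Output and force-cast because the `import` value is only known
// asynchronously.
// NOTE(review): Pulumi resource options are plain values, not Outputs, and the
// Zone `import` option takes a hosted-zone ID (the shared-account stack imports
// with `tldZoneId`) while an ARN is passed here — confirm this import resolves
// as intended before relying on it.
const rootZone = new aws.route53.Zone(pre('dns-zone'), {
	name: tldName,
	comment: 'HostedZone created by Route53 Registrar'
}, rootZoneArn.apply(zoneArn => {
	return { import: zoneArn, provider: sharedAccountProvider }
}) as unknown as { import: string, provider: aws.Provider });

if (!subDomainName) {
	// This environment owns the TLD itself: a single alias A record at the apex
	// pointing at the ALB is all that is needed. Alias records carry no TTL of
	// their own; Route 53 uses the alias target's.
	const aliasRecord = new aws.route53.Record(pre('dns-alias'), {
		name: tldName,
		type: "A",
		zoneId: rootZone.id,
		aliases: [{
			name: applicationLoadBalancer.loadBalancer.dnsName,
			zoneId: applicationLoadBalancer.loadBalancer.zoneId,
			evaluateTargetHealth: true,
		}],
	});
} else {
	// Fully-qualified name of this environment's sub-domain, used by all three records below.
	const subDomainFqdn = `${subDomainName}.${tldName}`;

	// This environment gets its own hosted zone in its own account.
	// The logical name must differ from the root zone's `pre('dns-zone')` above:
	// two resources of the same type registered under the same logical name
	// fail with a duplicate-URN error. `dns-subdomain-zone` is a chosen name,
	// not a convention; changing it on an already-deployed stack replaces the zone.
	const subDomainZone = new aws.route53.Zone(pre('dns-subdomain-zone'), {
		name: subDomainFqdn
	});

	// Alias A record at the sub-domain apex pointing at the ALB. `ttl` is
	// intentionally absent: the provider rejects `ttl` together with `aliases`,
	// and alias records take their TTL from the target.
	const aliasRecord = new aws.route53.Record(pre('alias-record'), {
		name: subDomainFqdn,
		type: "A",
		zoneId: subDomainZone.id,
		aliases: [{
			name: applicationLoadBalancer.loadBalancer.dnsName,
			zoneId: applicationLoadBalancer.loadBalancer.zoneId,
			evaluateTargetHealth: true,
		}],
	});

	// Delegate the sub-domain from the shared root zone. This NS record is the
	// only write this stack makes into the root zone, and it goes through the
	// shared-account provider (i.e. the cross-account role), so that is the
	// permission the shared account actually needs to grant.
	const nsRecord = new aws.route53.Record(pre('dns-record'), {
		zoneId: rootZone.id,
		name: subDomainFqdn,
		type: "NS",
		ttl: 86400,
		records: subDomainZone.nameServers,
	}, {
		provider: sharedAccountProvider
	});
}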