# general
w
Question for the group, does anyone have an example of setting up cross-account with delegated DNS to child accounts? Main account has mydomain.com, dev account has dev.mydomain.com ?
s
you might consider just hooking up the route53 hosted zone by hand. we had a contractor set up our early dns for our new QA account like this I believe; I'd have to dig into our vpc stacks, but just plugging in a hosted zone you linked up by hand isn't a terrible early decision to get you going
I just came in here to check if anyone's figured out an easy check to put into my index files to ensure I'm running the stack on the right aws cli profile here myself. it can create a real cross-account mess, so be careful there
w
What I had considered was having pulumi manage the sub account's domain, then manually copy the NS references to the main account domain. Is that what your team did?
exporting them to pulumi output in the UI
s
I believe we set up the cross-account hosted zone by hand and then either entered it in via config or used an import. if you're new, importing things can be a real life saver, especially if you're trying to get existing infra into code. There's a section on it in most components in the docs; take a look there.
l
DNS doesn't care about AWS accounts, just domain names and IP addresses. You can set up your Route53 config in any account. The resources it points to can be in that account or other accounts. It doesn't matter.
No need to copy anything anywhere.
It is fairly common practice to have an AWS provider for Route53, separate from the main one for all other resources. One stack can deploy resources to multiple accounts using multiple providers: DNS resources to the account where Route53 is configured, and other resources to any number of other accounts.
w
@little-cartoon-10569 I am not sure I follow. I have a main account that sets up a domain mydomain.com in the main account; then I have another domain in a different account that I want to be a subdomain of that domain: dev.mydomain.com. If dev.mydomain.com is in a different Route53 in a different account, I have to copy the NS records back to the main account so the main account will delegate that subdomain. Therefore I have to know the results of the subdomain creation in order to update the main account hosted zone records. How does one stack deploy to multiple accounts using multiple providers?
l
Just pass the correct provider to the correct resource. Manually create whatever providers you need, and pass the main account provider to resources that need to go there, and the other account's provider to the resources that belong in that account. https://www.pulumi.com/docs/intro/concepts/resources/providers/#explicit-provider-configuration
Re: having the subdomain in a different account: while you can do this, you don't need to. It's fine to have all the subdomains in the same AWS account and hosted zone. The records can point to resources in the other account.
Having them all in one place can make it a lot easier to manage. Your infra ops team can have write access to Route53 in one account, without needing access to all the accounts with all the other resources. Principle of Least Privilege :)
s
yeah, we're an older org and opted to do a separate account for the new QA env to silo management and auditing for it until we can get prod on new infra and clean up a LOT of existing resources
l
Okay, then you'll use different providers for different parts of your DNS setup. Same same but different 🙂
w
🙏