Automated cross-account DNS management through CFN and API access through API Gateway

It’s a general best practice to manage all DNS entries in Route53 from a centralized AWS account. In that case it is difficult to automate DNS record creation/deletion for resources that CloudFormation creates in another AWS account, because CloudFormation doesn’t yet have the capability to create resources in a different AWS account.

Combining IAM role delegation, AWS Lambda and CFN custom resources gives us a solution. I have extended the same solution by exposing the Lambda function through API Gateway, which provides a powerful mechanism. The illustration given below explains the solution.

[Illustration: Route53 cross-account solution overview]

Solution 1: Automated cross account DNS management through CFN.

Create an IAM role (LambdaUpdateRoute53Role) in the external AWS account, i.e. the account where CFN creates the resources that need DNS entries in the master AWS account. This role needs the normal Lambda execution permissions plus permission to assume a role. A sample IAM policy for this role is below.

Sample IAM Policy.

In the master AWS account, where all the DNS entries are maintained, create an IAM role (CrossAccountR53Role) with permission to manage the record sets of the required Route53 hosted zone. This role needs a trust relationship that allows the IAM role of the external account to assume it.

Permissions Policy

Trust Relationships

A quick reminder: the IAM role that is to be added to the trust relationship must already exist before it can be added.

The Lambda function accepts the following parameters, which are required to create a record set.

  • RoleArn – ARN of the CrossAccountR53Role in the master AWS account, which will be assumed to create the record set.
  • HostedZoneId – ID of the Route53 hosted zone where this record needs to be created.
  • Name – DNS name that needs to be created.
  • Type – DNS record type that needs to be created (CNAME / A).
  • Alias – Whether it’s an alias record (true/false).
  • DNSName – DNS name of the resource the record should point to: the target of a CNAME record, or the alias target of an alias ‘A’ record.
  • IP – IP address the record should point to in the case of a plain ‘A’ record.
  • ResourceHostedZoneId – Hosted zone ID of the AWS resource (ELB, CloudFront, Route53 or S3) that the alias ‘A’ record points to.

This function builds the proper input parameters for the API request based on the record type, then assumes the CrossAccountR53Role and invokes the Route53 API to create the record described by the input parameters.

Lambda Function

In CFN, invoke this Lambda function as a custom resource with the appropriate parameters for the different scenarios.

Alias record for ELB

CNAME record for RDS endpoint

A record for Elastic IP

This function also handles the delete operation. When the stack is deleted, it automatically deletes the corresponding DNS entries from Route53.
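The custom-resource Lambda described in the steps above, written here as an added example rather than the post’s own script: it builds the Route53 change from the parameters listed earlier (alias A record, CNAME, or plain A record), assumes CrossAccountR53Role in the master account, applies the change and signals the result back to CloudFormation. The TTL of 300, the session name and the FAILED-on-exception handling are my assumptions; boto3 is assumed to be present in the Lambda runtime.

```python
import json
import urllib.request

def build_change_batch(props, action):
    """Translate the custom-resource properties into a Route53 ChangeBatch.
    action is 'UPSERT' on stack create/update and 'DELETE' on stack delete.
    Covers the three shapes from the post: alias A, CNAME, plain A with IP."""
    record = {"Name": props["Name"], "Type": props["Type"]}
    if str(props.get("Alias", "false")).lower() == "true":
        record["AliasTarget"] = {
            "HostedZoneId": props["ResourceHostedZoneId"],  # zone of the target, not ours
            "DNSName": props["DNSName"],
            "EvaluateTargetHealth": False,
        }
    elif props["Type"] == "CNAME":
        record.update(TTL=300, ResourceRecords=[{"Value": props["DNSName"]}])
    elif props["Type"] == "A":
        record.update(TTL=300, ResourceRecords=[{"Value": props["IP"]}])
    else:
        raise ValueError("unsupported record type: %s" % props["Type"])
    return {"Changes": [{"Action": action, "ResourceRecordSet": record}]}

def route53_client_for(role_arn):
    """Assume CrossAccountR53Role in the master account; boto3 is imported
    lazily so the module (and build_change_batch) loads without it."""
    import boto3
    c = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="cfn-route53-update")["Credentials"]
    return boto3.client("route53", aws_access_key_id=c["AccessKeyId"],
                        aws_secret_access_key=c["SecretAccessKey"],
                        aws_session_token=c["SessionToken"])

def handler(event, context):
    """CFN custom resource entry point: apply the change, then signal CFN."""
    props = event["ResourceProperties"]
    action = "DELETE" if event["RequestType"] == "Delete" else "UPSERT"
    status, reason = "SUCCESS", ""
    try:
        route53_client_for(props["RoleArn"]).change_resource_record_sets(
            HostedZoneId=props["HostedZoneId"],
            ChangeBatch=build_change_batch(props, action))
    except Exception as exc:  # a FAILED signal beats a stack stuck for hours
        status, reason = "FAILED", str(exc)
    body = {"Status": status, "Reason": reason, "PhysicalResourceId": props["Name"]}
    for key in ("StackId", "RequestId", "LogicalResourceId"):
        body[key] = event[key]
    urllib.request.urlopen(urllib.request.Request(
        event["ResponseURL"], data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": ""}))
```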

Solution 2: Manage DNS entries from anywhere using API Gateway.

Lambda and API Gateway are a brilliant combination. We will simply reuse the above script and remove the assume-role functionality (as shown below), since this Lambda function now runs in the same AWS account as the hosted zone.

Lambda Function to support API Gateway

Create a dedicated IAM role for this Lambda function that allows access to CloudWatch Logs and updating the resource record sets of the specific hosted zone.

IAM role for Lambda Function.

Once the Lambda function has been created, an API Gateway endpoint can be added directly from the Lambda console as shown below. Provide a name for the API, select POST as the method and provide a deployment name. As you can see, I have used “Open” access for security purely for the ease of the demo. Never allow open access unless you understand the impact of it.

[Screenshot: API_GW.png, adding the API Gateway endpoint from the Lambda console]

Once submitted, API Gateway creates the endpoint and returns its URL.

[Screenshot: API_GW_EP.png, the generated API endpoint URL]

With a simple curl we can send a POST request to this endpoint and create or delete a DNS record, as shown below.

Create Record:

Delete Record:

Things to improve: a lot could be added to the script to support DNS health checks and failover. API Gateway could also be used far better, and that in itself is a beast.

2 Trackbacks

  1. AWS Week in Review – November 23, 2015 | SMACBUZZ (Pingback)
  2. AWS Week in Review – November 23, 2015 | wart1949 (Pingback)