Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(route53): DNSSEC zone signing #28604

Merged
merged 4 commits into from
Apr 16, 2024
Merged

feat(route53): DNSSEC zone signing #28604

merged 4 commits into from
Apr 16, 2024

Conversation

laurelmay
Copy link
Contributor

This makes it possible to enable DNSSEC signing for a Route 53 hosted zone. A new KeySigningKey construct is created to enable generally creating KSKs. Additionally, an enableDnssec method is added to HostedZone that provides an easier interface. The later will create the KSK and further create the necessary AWS::Route53::DNSSEC resource to actually enable signing on the resource.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team January 7, 2024 06:10
@github-actions github-actions bot added p2 star-contributor [Pilot] contributed between 25-49 PRs to the CDK labels Jan 7, 2024
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 7, 2024
@laurelmay laurelmay changed the title feat(route53): enable DNSSEC signing feat(route53): support DNSSEC zone signing Jan 8, 2024
@kaizencc kaizencc changed the title feat(route53): support DNSSEC zone signing feat(route53): DNSSEC zone signing Jan 9, 2024
Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me 👍
I left some comments for minor changes.


constructor(scope: Construct, id: string, props: KeySigningKeyProps) {
super(scope, id, {
physicalName: props.keySigningKeyName ?? Lazy.string({
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add validation for keySigningKeyName according to the docs.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't actually love doing this because if the service team changes this, we have to make an additional code change to allow customers to use the new pattern as well. I tend to think that the deploy time validation should be good enough in this case.

Another option I've been considering is trying to add something into our overall validation at synth that takes in any of these patterns and checks against it, but that's much much larger project than this.

});
// The KSK must exist and be in an 'ACTIVE' status before DNSSEC can be enabled.
dnssec.addDependency(this.keySigningKey.node.defaultChild as CfnKeySigningKey);
return this.keySigningKey;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to return the key? 🤔

@msambol
Copy link
Contributor

msambol commented Mar 21, 2024

@kylelaker This one looks really close. Want to address @lpizzinidev comments? I can help get it over the finish line if you're swamped.

Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 16, 2024
@TheRealAmazonKendra TheRealAmazonKendra changed the title feat(route53): DNSSEC zone signing feat(route53): DNSSEC zone signing Apr 16, 2024
Copy link
Contributor

@TheRealAmazonKendra TheRealAmazonKendra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that the only sticking point here was really whether or not to add synth time validation, I think this is ready to go. If it is arguable that we really should have that validation, it isn't a breaking change to add it later.

Thank you for this!

@aws-cdk-automation aws-cdk-automation dismissed their stale review April 16, 2024 21:27

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@TheRealAmazonKendra
Copy link
Contributor

@Mergifyio update

Copy link
Contributor

mergify bot commented Apr 16, 2024

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/close-stale-prs.yml without workflows permission

@TheRealAmazonKendra
Copy link
Contributor

Get it together Mergify.

@mergify mergify bot dismissed TheRealAmazonKendra’s stale review April 16, 2024 23:02

Pull request has been modified.

Copy link
Contributor

mergify bot commented Apr 16, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 058d4c2
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 213fffc into aws:main Apr 16, 2024
9 checks passed
Copy link
Contributor

mergify bot commented Apr 16, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
p2 star-contributor [Pilot] contributed between 25-49 PRs to the CDK
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants