diff --git a/.github/workflows/sync-from-upstream.yml b/.github/workflows/sync-from-upstream.yml
new file mode 100644
index 0000000000000..ebb0403c65ae4
--- /dev/null
+++ b/.github/workflows/sync-from-upstream.yml
@@ -0,0 +1,59 @@
+name: Sync repository from upstream
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: 5 2 * * *
+
+env:
+ BRANCHES: main v2-release
+
+jobs:
+
+ # Check for the presence of a PROJEN_GITHUB_TOKEN secret.
+ #
+ # This is expected to contain a personal access token of someone
+ # who pas permissions to bypass branch protection rules.
+ #
+ # If not present, we will use GitHub Actions Token permissions,
+ # but those are bound by branch protection rules.
+ check-secret:
+ # Don't run on the target repo itself, only forks
+ if: github.repository != 'aws/aws-cdk'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check for presence of PROJEN_GITHUB_TOKEN
+ id: check-secrets
+ run: |
+ if [ ! -z "${{ secrets.PROJEN_GITHUB_TOKEN }}" ]; then
+ echo "ok=true" >> $GITHUB_OUTPUT
+ else
+ echo "ok=false" >> $GITHUB_OUTPUT
+ fi
+ outputs:
+ ok: ${{ steps.check-secrets.outputs.ok }}
+
+ sync-branch:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ needs: [check-secret]
+ steps:
+ - name: Checkout using User Token
+ if: needs.check-secret.outputs.ok == 'true'
+ uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+
+ - name: Checkout using GitHub Actions permissions
+ if: needs.check-secret.outputs.ok == 'false'
+ uses: actions/checkout@v4
+
+ - name: Sync from aws/aws-cdk
+ run: |-
+ git remote add upstream https://github.com/aws/aws-cdk.git
+ git fetch upstream
+
+ for branch in $BRANCHES; do
+ git push origin --force refs/remotes/upstream/$branch:refs/heads/$branch
+ done
diff --git a/packages/aws-cdk-lib/aws-route53/README.md b/packages/aws-cdk-lib/aws-route53/README.md
index 91dc7baeee353..ce92008765691 100644
--- a/packages/aws-cdk-lib/aws-route53/README.md
+++ b/packages/aws-cdk-lib/aws-route53/README.md
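Review bot: The `check-secret` job declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` permissions even though it only needs to test whether a secret is set, and it expands the secret straight into the shell script through `${{ secrets.PROJEN_GITHUB_TOKEN }}`. I would add `permissions: {}` to that job, pass the secret via the step's `env:` (`PROJEN_GITHUB_TOKEN: ${{ secrets.PROJEN_GITHUB_TOKEN }}`) and test `if [ -n "$PROJEN_GITHUB_TOKEN" ]; then`, which keeps the value out of the rendered script. Because the PAT must bypass branch protection on `main` and `v2-release` and is used from an unattended scheduled job, the header comment should also state that it should be a fine-grained token scoped to this fork with only `Contents: write`, and `actions/checkout@v4` is better pinned to a full commit SHA so a moved tag cannot swap the code that receives that token. The force-push loop silently discards any commits made on those branches in the fork; a comment such as `# these branches are overwritten from upstream on every run; never commit to them directly` would make that explicit, and "who pas permissions" in the header should read "who has permissions".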
@@ -182,7 +182,7 @@ new route53.ARecord(this, 'ARecord', {
### Cross Account Zone Delegation
If you want to have your root domain hosted zone in one account and your subdomain hosted
-zone in a diferent one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
+zone in a different one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
between them.
In the account containing the parent hosted zone:
@@ -196,6 +196,36 @@ const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
roleName: 'MyDelegationRole',
// The other account
assumedBy: new iam.AccountPrincipal('12345678901'),
+ // You can scope down this role policy to be least privileged.
+ // If you want the other account to be able to manage specific records,
+ // you can scope down by resource and/or normalized record names
+ inlinePolicies: {
+ crossAccountPolicy: new iam.PolicyDocument({
+ statements: [
+ new iam.PolicyStatement({
+ sid: 'ListHostedZonesByName',
+ effect: iam.Effect.ALLOW,
+ actions: ['route53:ListHostedZonesByName'],
+ resources: ['*'],
+ }),
+ new iam.PolicyStatement({
+ sid: 'GetHostedZoneAndChangeResourceRecordSet',
+ effect: iam.Effect.ALLOW,
+ actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSet'],
+ // This example assumes the RecordSet subdomain.somexample.com
+ // is contained in the HostedZone
+ resources: ['arn:aws:route53:::hostedzone/HZID00000000000000000'],
+ conditions: {
+ 'ForAllValues:StringLike': {
+ 'route53:ChangeResourceRecordSetsNormalizedRecordNames': [
+ 'subdomain.someexample.com',
+ ],
+ },
+ },
+ }),
+ ],
+ }),
+ },
});
parentZone.grantDelegation(crossAccountRole);
```
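Review bot: The second statement's action is spelled `'route53:ChangeResourceRecordSet'` while the real API action, and the condition key used a few lines below (`route53:ChangeResourceRecordSetsNormalizedRecordNames`), is plural, so as written this least-privilege example would presumably not grant the record-change permission at all and the delegation would be denied unless some other statement allows it; the line should read `actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSets'],`. The comment names the record `subdomain.somexample.com` but the condition value is `subdomain.someexample.com`; the two should agree, and the `HZID00000000000000000` placeholder deserves a note that it is the parent zone's hosted zone ID. It is also worth a comment that `ForAllValues` evaluates to true when the request carries no values for the key, which is tolerable here only because the resource is already pinned to one hosted zone. The enclosing `new iam.Role(...)` call begins before the hunk.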