From 0cada616bc5574ae7f3f7eba37e98ef4bc926bb3 Mon Sep 17 00:00:00 2001 
From: Troy B <81539149+miiiak@users.noreply.github.com> Date: Wed, 10 Jan 2024 11:03:50 -0700 Subject: [PATCH 1/2] docs(route53): crossaccountrole scope-down guidance (#28624) Reference [issue 28596](https://github.com/aws/aws-cdk/issues/28596) The motivation is to help CDK builders understand how to take advantage of IAM scope-down capabilities to ensure least-privilege cross-account role access related to cross account zone delegation. The Cross Account Zone Delegation guidance currently includes reference to creating a crossAccountRole, but provides no suggestion on how to safely scope down the role for least-privilege access. We can and should provide this guidance. E.g. ``` const crossAccountRole = new iam.Role(this, 'CrossAccountRole', { // The role name must be predictable roleName: 'MyDelegationRole', // The other account assumedBy: new iam.AccountPrincipal('12345678901'), }); ``` should be more like: ``` const crossAccountRole = new iam.Role(this, 'CrossAccountRole', { // The role name must be predictable roleName: 'MyDelegationRole', // The other account assumedBy: new iam.AccountPrincipal('12345678901'), // You can scope down this role policy to be least privileged. 
// If you want the other account to be able to manage specific records, // you can scope down by resource and/or normalized record names inlinePolicies: { "crossAccountPolicy": new iam.PolicyDocument({ statements: [ new iam.PolicyStatement({ sid: "ListHostedZonesByName", effect: iam.Effect.ALLOW, actions: ["route53:ListHostedZonesByName"], resources: ["*"] }), new iam.PolicyStatement({ sid: "GetHostedZoneAndChangeResourceRecordSet", effect: iam.Effect.ALLOW, actions: ["route53:GetHostedZone", "route53:ChangeResourceRecordSet"], // This example assumes the RecordSet subdomain.somexample.com // is contained in the HostedZone resources: ["arn:aws:route53:::hostedzone/HZID00000000000000000"], conditions: { "ForAllValues:StringLike": { "route53:ChangeResourceRecordSetsNormalizedRecordNames": [ "subdomain.someexample.com" ] } } }) }); ``` Closes #28596. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/aws-cdk-lib/aws-route53/README.md | 32 +++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-route53/README.md b/packages/aws-cdk-lib/aws-route53/README.md
index 91dc7baeee353..ce92008765691 100644
--- a/packages/aws-cdk-lib/aws-route53/README.md
+++ b/packages/aws-cdk-lib/aws-route53/README.md
@@ -182,7 +182,7 @@ new route53.ARecord(this, 'ARecord', { ### Cross Account Zone Delegation If you want to have your root domain hosted zone in one account and your subdomain hosted -zone in a diferent one, you can use `CrossAccountZoneDelegationRecord` to set up delegation +zone in a different one, you can use `CrossAccountZoneDelegationRecord` to set up delegation between them. In the account containing the parent hosted zone:
@@ -196,6 +196,36 @@ const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
 roleName: 'MyDelegationRole',
 // The other account
 assumedBy: new iam.AccountPrincipal('12345678901'),
+ // You can scope down this role policy to be least privileged.
+ // If you want the other account to be able to manage specific records,
+ // you can scope down by resource and/or normalized record names
+ inlinePolicies: {
+ crossAccountPolicy: new iam.PolicyDocument({
+ statements: [
+ new iam.PolicyStatement({
+ sid: 'ListHostedZonesByName',
+ effect: iam.Effect.ALLOW,
+ actions: ['route53:ListHostedZonesByName'],
+ resources: ['*'],
+ }),
+ new iam.PolicyStatement({
+ sid: 'GetHostedZoneAndChangeResourceRecordSet',
+ effect: iam.Effect.ALLOW,
+ actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSet'],
+ // This example assumes the RecordSet subdomain.somexample.com
+ // is contained in the HostedZone
+ resources: ['arn:aws:route53:::hostedzone/HZID00000000000000000'],
+ conditions: {
+ 'ForAllValues:StringLike': {
+ 'route53:ChangeResourceRecordSetsNormalizedRecordNames': [
+ 'subdomain.someexample.com',
+ ],
+ },
+ },
+ }),
+ ],
+ }),
+ },
 });
 parentZone.grantDelegation(crossAccountRole);
 ```
From 1fccb47103f5a19213fdae9ad70bb7e0b6198431 Mon Sep 17 00:00:00 2001
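Review bot: The second statement's `actions` list names `route53:ChangeResourceRecordSet`, which is not the IAM action for the Route 53 API; the action is `route53:ChangeResourceRecordSets` (plural), so as written that statement grants nothing for record changes and the `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition never has an action to apply to — change the line to `actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSets'],`. The added comment presents the inline policy as a scope-down, but IAM permissions are the union of Allow statements and the context line `parentZone.grantDelegation(crossAccountRole);` still attaches its own grant, so the inline policy only adds permissions; the comment should say that it is additive to what `grantDelegation` grants rather than a narrowing of it. The comment's `subdomain.somexample.com` also does not match the condition value `subdomain.someexample.com`.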
From: Rico Hermans
Date: Wed, 10 Jan 2024 19:31:28 +0100
Subject: [PATCH 2/2] chore: auto-sync every fork from upstream (#28653)
Add a GitHub action that will update the current repository from upstream on a daily basis. This makes it so that various forks of this repository automatically keep themselves up-to-date with the parent repo, and it will be that much easier to make PRs off of a recent, up-to-date clone, without having to do additional manual syncing. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .github/workflows/sync-from-upstream.yml | 59 ++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/sync-from-upstream.yml
diff --git a/.github/workflows/sync-from-upstream.yml b/.github/workflows/sync-from-upstream.yml
new file mode 100644
index 0000000000000..ebb0403c65ae4
--- /dev/null
+++ b/.github/workflows/sync-from-upstream.yml
@@ -0,0 +1,59 @@
+name: Sync repository from upstream
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: 5 2 * * *
+
+env:
+ BRANCHES: main v2-release
+
+jobs:
+
+ # Check for the presence of a PROJEN_GITHUB_TOKEN secret.
+ #
+ # This is expected to contain a personal access token of someone
+ # who pas permissions to bypass branch protection rules.
+ #
+ # If not present, we will use GitHub Actions Token permissions,
+ # but those are bound by branch protection rules.
+ check-secret:
+ # Don't run on the target repo itself, only forks
+ if: github.repository != 'aws/aws-cdk'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check for presence of PROJEN_GITHUB_TOKEN
+ id: check-secrets
+ run: |
+ if [ ! -z "${{ secrets.PROJEN_GITHUB_TOKEN }}" ]; then
+ echo "ok=true" >> $GITHUB_OUTPUT
+ else
+ echo "ok=false" >> $GITHUB_OUTPUT
+ fi
+ outputs:
+ ok: ${{ steps.check-secrets.outputs.ok }}
+
+ sync-branch:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ needs: [check-secret]
+ steps:
+ - name: Checkout using User Token
+ if: needs.check-secret.outputs.ok == 'true'
+ uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+
+ - name: Checkout using GitHub Actions permissions
+ if: needs.check-secret.outputs.ok == 'false'
+ uses: actions/checkout@v4
+
+ - name: Sync from aws/aws-cdk
+ run: |-
+ git remote add upstream https://github.com/aws/aws-cdk.git
+ git fetch upstream
+
+ for branch in $BRANCHES; do
+ git push origin --force refs/remotes/upstream/$branch:refs/heads/$branch
+ done
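Review bot: The `Check for presence of PROJEN_GITHUB_TOKEN` step expands the secret straight into the shell script (`if [ ! -z "${{ secrets.PROJEN_GITHUB_TOKEN }}" ]; then`), which places the token text in the generated command rather than in the process environment; expose it to the step with `env:` / `TOKEN: ${{ secrets.PROJEN_GITHUB_TOKEN }}` and test `if [ -n "$TOKEN" ]; then` instead. Both `uses: actions/checkout@v4` references are pinned to a movable tag; for a workflow that force-pushes `main` and `v2-release` with a branch-protection-bypassing token, pinning to the full commit SHA (tag noted in a trailing comment) is the usual protection against a retagged or compromised action. The `check-secret` job declares no `permissions:` and so inherits the repository default for `GITHUB_TOKEN` although it only writes a step output; a top-level `permissions: {}` with the existing `contents: write` left on `sync-branch` limits each job to what it uses. The comment `who pas permissions to bypass branch protection rules` should read `who has permissions`.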