docs(aws): add missing supported DNS record types in Route53 ABAC (#5839)

* fix(aws): warn on TXT AccessDenied due to ABAC

ExternalDNS writes TXT ownership records. ABAC missing TXT can cause 403
AccessDenied from Route 53.

* Update AWS ABAC docs to include TXT in record types
* Log entries when AccessDenied occurs and batch contains TXT
* Added unit tests for AccessDenied detection, TXT detection and logging

Refs: #5773

Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>

* fix(aws): Drop prescriptive IAM warning

* Return the first Route 53 error from `submitChanges` so operators see
  the original AWS message
* Remove IAM-guessing branch while keeping split-and-retry submission
* Tidy error test and fall back to `provider.NewSoftErrorf` when no AWS
  error was captured
* Add tests for error return on failures upon zone submission

Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>

* fix(aws): Remove TXT-specific error handling

Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>

* fix(aws): Remove Route53 final error message

Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>

* fix(aws): Remove unused import of `error`

Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>

---------

Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>
Tobias Harnickell 2025-09-17 19:10:11 +02:00 committed by GitHub
parent c2276d8b84
commit 413015ea76
GPG Key ID: B5690EEEBB952194
2 changed files with 2 additions and 2 deletions


@ -74,7 +74,7 @@ Using tags, your `servicediscovery` policy can become:
"ForAllValues:StringLike": {
"route53:ChangeResourceRecordSetsNormalizedRecordNames": ["*example.com", "marketing.example.com", "*-beta.example.com"],
"route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"],
"route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "MX"]
"route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "CNAME", "MX", "TXT"]
}
}
},
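Review bot: the commit message only justifies adding TXT, yet the replacement line `"route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "CNAME", "MX", "TXT"]` also adds CNAME with no explanation in the surrounding doc text; add a sentence next to the policy stating why each listed type is needed, in particular that ExternalDNS writes its TXT ownership records in the same change batch as the A/AAAA/CNAME records, so an ABAC policy that omits TXT makes the whole ChangeResourceRecordSets call fail with AccessDenied rather than only the TXT entry. Without that note, readers who copy the policy will trim it to the types they think they use and hit the exact 403 described in the commit message.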


@ -59,7 +59,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
"ForAllValues:StringLike": {
"route53:ChangeResourceRecordSetsNormalizedRecordNames": ["*example.com", "marketing.example.com", "*-beta.example.com"],
"route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"],
"route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "MX"]
"route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "CNAME", "MX", "TXT"]
}
}
},
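Review bot: this hunk duplicates the policy snippet from the first file, and both copies had drifted to the same incomplete `["A", "AAAA", "MX"]` list, so consider keeping one canonical copy (or a cross-reference from one page to the other) so the next record type addition does not have to be applied twice. While this file is being touched, the context line `You can use Attribute-based access control(ABAC)` is missing a space before the parenthesis.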