From 413015ea767dd0ad5a2f1d8acce0a6144bc8a427 Mon Sep 17 00:00:00 2001
From: Tobias Harnickell
Date: Wed, 17 Sep 2025 19:10:11 +0200
Subject: [PATCH] docs(aws): add missing supported DNS record types in Route53 ABAC (#5839)

* fix(aws): warn on TXT AccessDenied due to ABAC

ExternalDNS writes TXT ownership records. ABAC missing TXT can cause 403 AccessDenied from Route 53.

* Update AWS ABAC docs to include TXT in record types
* Log entries when AccessDenied occurs and batch contains TXT
* Added unit tests for AccessDenied detection, TXT detection and logging

Refs: #5773

Signed-off-by: Tobias Harnickell

* fix(aws): Drop prescriptive IAM warning

* Return the first Route 53 error from `submitChanges` so operators see the original AWS message
* Remove IAM-guessing branch while keeping split-and-retry submission
* Tidy error test and fall back to `provider.NewSoftErrorf` when no AWS error was captured
* Add tests for error return on failures upon zone submission

Signed-off-by: Tobias Harnickell

* fix(aws): Remove TXT-specific error handling

Signed-off-by: Tobias Harnickell

* fix(aws): Remove Route53 final error message

Signed-off-by: Tobias Harnickell

* fix(aws): Remove unused import of `error`

Signed-off-by: Tobias Harnickell

---------

Signed-off-by: Tobias Harnickell
---
 docs/tutorials/aws-sd.md | 2 +-
 docs/tutorials/aws.md    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/tutorials/aws-sd.md b/docs/tutorials/aws-sd.md
index f68a9675a..a454b9bbe 100644
--- a/docs/tutorials/aws-sd.md
+++ b/docs/tutorials/aws-sd.md
@@ -74,7 +74,7 @@ Using tags, your `servicediscovery` policy can become: "ForAllValues:StringLike": { "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["*example.com", "marketing.example.com", "*-beta.example.com"], "route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"], - "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "MX"] + "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "CNAME", "MX", "TXT"] } } }, diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md index b1479ade3..8b0746988 100644 --- a/docs/tutorials/aws.md +++ b/docs/tutorials/aws.md @@ -59,7 +59,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments. "ForAllValues:StringLike": { "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["*example.com", "marketing.example.com", "*-beta.example.com"], "route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"], - "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "MX"] + "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "CNAME", "MX", "TXT"] } } },
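Review bot: in the `docs/tutorials/aws-sd.md` hunk the policy example gains both `CNAME` and `TXT` under `route53:ChangeResourceRecordSetsRecordTypes`, but the commit message only explains the `TXT` case (ExternalDNS writes TXT ownership records and a policy without TXT yields 403 AccessDenied from Route 53); the reason for adding `CNAME` is undocumented. Since the hunk changes only the JSON, consider adding one sentence of prose next to the example stating that `TXT` must stay in the allowed types because of the ownership records, so an operator who tightens this list does not reintroduce the AccessDenied failure the commit describes.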
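Review bot: the `docs/tutorials/aws.md` hunk mirrors the `aws-sd.md` change exactly, which is correct since both tutorials carry the same ABAC policy, but the context line `You can use Attribute-based access control(ABAC) for advanced deployments.` is missing a space before the parenthesis; as this hunk already touches the block directly under it, fixing that in the same change would be cheap. The same remark as for `aws-sd.md` applies here: `CNAME` is added alongside `TXT` without a word in the commit message or the docs about why, and a short note on which record types ExternalDNS writes (with `TXT` required for ownership records) would make the list self-explanatory.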