I have an AWS CodeBuild project connected to a Github repo, and on every new commit it creates a new CloudFormation stack based on a predefined template. The full template can be found here.
The CodeBuild project has this as its build commands:
version: 0.2
phases:
  install:
    runtime-versions:
      nodejs: 12
  pre_build:
    commands:
      - NODE_ENV=development npm install
      - npm run makeScriptsExecutable
  build:
    commands:
      - stackName="stack-$CODEBUILD_RESOLVED_SOURCE_VERSION"
      - apiGatewayName="gateway-$CODEBUILD_RESOLVED_SOURCE_VERSION"
      - FUNCTION_NAME="lambda-$CODEBUILD_RESOLVED_SOURCE_VERSION"
      - S3_ASSETS_BUCKET="s3-$CODEBUILD_RESOLVED_SOURCE_VERSION"
      - S3_ASSETS_BUCKET_URI="s3://$S3_ASSETS_BUCKET"
      - DOMAIN_NAME="$CODEBUILD_RESOLVED_SOURCE_VERSION.guacchain.com"
      - BASE_NAME="prod"
      - echo "S3_ASSETS_BUCKET_URI value here:"
      - echo $S3_ASSETS_BUCKET_URI
      - TEMPLATE_URL=https://s3-external-1.amazonaws.com/cf-templates-1npj2t2ifo384-us-east-1/2020146JeV-stack2.yaml
      - aws cloudformation create-stack --stack-name $stackName --template-url $TEMPLATE_URL --parameters ParameterKey=apiGatewayStageName,ParameterValue=$BASE_NAME ParameterKey=lambdaFunctionName,ParameterValue=$FUNCTION_NAME ParameterKey=s3BucketName,ParameterValue=$S3_ASSETS_BUCKET ParameterKey=domainName,ParameterValue=$DOMAIN_NAME ParameterKey=subdomain,ParameterValue=$CODEBUILD_RESOLVED_SOURCE_VERSION --capabilities CAPABILITY_IAM
      - sleep 45
      - sed -i "s/COMMIT_ID/$CODEBUILD_RESOLVED_SOURCE_VERSION/g" .babelrc
      - NODE_ENV=production npm run start
      - NODE_ENV=production npm run build
      - NODE_ENV=production npm run build:server
      - NODE_ENV=production npm run deploy
The current problem I'm running into is that ever since adding a resource of type AWS::Route53::RecordSet, the stack creation fails due to: API: route53:GetHostedZone User: arn:aws:sts::XXXX:assumed-role/CodeBuildServiceRole/AWSCodeBuild-XXXX is not authorized to access this resource.
That resource currently looks like this:
domainRecordSet:
  Type: 'AWS::Route53::RecordSet'
  Properties:
    AliasTarget:
      DNSName: !GetAtt domainNameResource.DistributionDomainName
      HostedZoneId: !GetAtt domainNameResource.DistributionHostedZoneId
    Type: A
    HostedZoneId: !GetAtt domainNameResource.DistributionHostedZoneId
    Name: !Sub '${subdomain}.guacchain.com'
The subdomain variable is given to the stack as a parameter. The referenced domainNameResource does successfully get created before the stack creation fails:

Also, the CodeBuildServiceRole is applied to the CodeBuild project. I thought that giving it the AdministratorAccess, AmazonRoute53FullAccess, and AWSCloudFormationFullAccess policies would be enough, but apparently not!
On the IAM Permissions tab it shows Permissions boundary (not set).
On the Trusted Relationships tab it has only one row in the "Trusted entities" list: The identity provider(s) codebuild.amazonaws.com. It also shows "There are no conditions associated with this role."
What must be done to this IAM role, the Codebuild project, or the CloudFormation stack (or some combination of those) in order to get the Route53 RecordSet resource successfully created?
aws cloudformation create-stack --stack-name $stackName --template-url=... I'll update the question to give more context - Pat Needham
domainRecordSet into the hosted zone controlled by AWS, thus you get the error - you are not authorized to modify AWS owned hosted zones. - Marcin
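As an added example (not from the question or its comments), a small offline lint that catches the misconfiguration Marcin's comment points at: a RecordSet whose own HostedZoneId (the zone the record is written into) is the alias target's zone, CloudFront's, rather than a zone the account owns. The template is represented in CloudFormation's JSON form, and the `hostedZoneId` parameter in the corrected sample is an assumption.

```python
import copy
from typing import Any, Dict, List

# CloudFront's fixed hosted zone ID for alias targets (documented AWS constant).
CLOUDFRONT_ALIAS_ZONE = "Z2FDTNDATAQYW2"


def find_misdirected_records(resources: Dict[str, Any]) -> List[str]:
    """Return logical IDs of AWS::Route53::RecordSet resources whose HostedZoneId
    (the zone the record is written INTO) is the alias target's zone rather than
    a zone the account owns. AliasTarget.HostedZoneId legitimately names the
    target's zone (CloudFront's); the record's own HostedZoneId must not."""
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::Route53::RecordSet":
            continue
        props = resource.get("Properties", {})
        zone = props.get("HostedZoneId")
        alias_zone = props.get("AliasTarget", {}).get("HostedZoneId")
        # Either the literal CloudFront zone or the same value as the alias target
        # means the record would be created in a zone this account cannot modify.
        if zone is not None and (zone == CLOUDFRONT_ALIAS_ZONE or zone == alias_zone):
            findings.append(logical_id)
    return findings


# Constructed sample: the question's record in CloudFormation's JSON form.
BROKEN = {
    "domainRecordSet": {
        "Type": "AWS::Route53::RecordSet",
        "Properties": {
            "AliasTarget": {
                "DNSName": {"Fn::GetAtt": ["domainNameResource", "DistributionDomainName"]},
                "HostedZoneId": {"Fn::GetAtt": ["domainNameResource", "DistributionHostedZoneId"]},
            },
            "Type": "A",
            "HostedZoneId": {"Fn::GetAtt": ["domainNameResource", "DistributionHostedZoneId"]},
            "Name": {"Fn::Sub": "${subdomain}.guacchain.com"},
        },
    }
}
# Constructed fix: take the record's zone from a template parameter (hypothetical
# `hostedZoneId`) holding the ID of the account's own guacchain.com hosted zone.
FIXED = copy.deepcopy(BROKEN)
FIXED["domainRecordSet"]["Properties"]["HostedZoneId"] = {"Ref": "hostedZoneId"}

if __name__ == "__main__":
    print("broken:", find_misdirected_records(BROKEN))  # ['domainRecordSet']
    print("fixed:", find_misdirected_records(FIXED))    # []
```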