PublicHostedZoneProps

class aws_cdk.aws_route53.PublicHostedZoneProps(*, zone_name, add_trailing_dot=None, comment=None, query_logs_log_group_arn=None, caa_amazon=None, cross_account_zone_delegation_principal=None, cross_account_zone_delegation_role_name=None)

Bases: CommonHostedZoneProps

Construction properties for a PublicHostedZone.

Parameters:
  • zone_name (str) – The name of the domain. For resource record types that include a domain name, specify a fully qualified domain name.

  • add_trailing_dot (Optional[bool]) – Whether to add a trailing dot to the zone name. Default: true

  • comment (Optional[str]) – Any comments that you want to include about the hosted zone. Default: none

  • query_logs_log_group_arn (Optional[str]) – The Amazon Resource Name (ARN) for the log group that you want Amazon Route 53 to send query logs to. Default: disabled

  • caa_amazon (Optional[bool]) – Whether to create a CAA record to restrict certificate authorities allowed to issue certificates for this domain to Amazon only. Default: false

  • cross_account_zone_delegation_principal (Optional[IPrincipal]) – (deprecated) A principal which is trusted to assume a role for zone delegation. If supplied, this will create a Role in the same account as the Hosted Zone, which can be assumed by the CrossAccountZoneDelegationRecord to create a delegation record to a zone in a different account. Be sure to indicate the account(s) that you trust to create delegation records, using either iam.AccountPrincipal or iam.OrganizationPrincipal. If you are planning to use iam.ServicePrincipal principals here, be sure to include region-specific service principals for every opt-in region you are going to be delegating to; or don’t use this feature and create separate roles with appropriate permissions for every opt-in region instead. Default: No delegation configuration

  • cross_account_zone_delegation_role_name (Optional[str]) – (deprecated) The name of the role created for cross-account delegation. Default: A role name is generated automatically

Example:

from aws_cdk import aws_iam as iam
from aws_cdk import aws_route53 as route53

parent_zone = route53.PublicHostedZone(self, "HostedZone",
    zone_name="someexample.com"
)
cross_account_role = iam.Role(self, "CrossAccountRole",
    # The role name must be predictable
    role_name="MyDelegationRole",
    # The other account
    assumed_by=iam.AccountPrincipal("12345678901"),
    # You can scope down this role policy to be least privileged.
    # If you want the other account to be able to manage specific records,
    # you can scope down by resource and/or normalized record names
    inline_policies={
        "cross_account_policy": iam.PolicyDocument(
            statements=[
                iam.PolicyStatement(
                    sid="ListHostedZonesByName",
                    effect=iam.Effect.ALLOW,
                    actions=["route53:ListHostedZonesByName"],
                    resources=["*"]
                ),
                iam.PolicyStatement(
                    sid="GetHostedZoneAndChangeResourceRecordSets",
                    effect=iam.Effect.ALLOW,
                    actions=["route53:GetHostedZone", "route53:ChangeResourceRecordSets"],
                    # This example assumes the RecordSet subdomain.someexample.com
                    # is contained in the HostedZone
                    resources=["arn:aws:route53:::hostedzone/HZID00000000000000000"],
                    conditions={
                        "ForAllValues:StringLike": {
                            "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                                "subdomain.someexample.com"
                            ]
                        }
                    }
                )
            ]
        )
    }
)
# Grants the role sts:AssumeRole trust plus the permissions needed to write
# the NS delegation record into parent_zone.
parent_zone.grant_delegation(cross_account_role)
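The delegation-role policy above narrows route53:ChangeResourceRecordSets with a ForAllValues:StringLike condition on normalized record names. The following is an added, stand-alone example (not CDK's or Route 53's code) that models how such a condition evaluates a proposed change batch, so a pattern list can be sanity-checked before it is deployed. It assumes the normalization rules it applies (name lowercased, trailing dot removed) and implements IAM's StringLike wildcard semantics locally; normalize_record_name, string_like, for_all_values_string_like, change_batch_allowed and disallowed_names are the example's own names.

```python
import re
from typing import Iterable, List, Sequence

# Added example: a local model of the IAM condition used in the delegation
# role above. Assumption: Route 53 compares the condition key
# route53:ChangeResourceRecordSetsNormalizedRecordNames against each record
# name lowercased and without its trailing dot.


def normalize_record_name(name: str) -> str:
    """Model of Route 53 record-name normalization (assumption, see above)."""
    return name.strip().lower().rstrip(".")


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one;
    everything else is a case-sensitive literal match."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def for_all_values_string_like(patterns: Sequence[str], values: Iterable[str]) -> bool:
    """ForAllValues:StringLike holds when every request value matches at
    least one pattern. An empty value set also evaluates to true, which is
    why AWS pairs ForAllValues with a Null condition when a key might be
    absent; ChangeResourceRecordSets always populates this key."""
    return all(any(string_like(p, v) for p in patterns) for v in values)


def change_batch_allowed(patterns: Sequence[str], record_names: Iterable[str]) -> bool:
    """Would the scoped-down statement allow a change batch touching these
    record names? Normalizes first, as the service does before evaluation."""
    normalized = (normalize_record_name(n) for n in record_names)
    return for_all_values_string_like(patterns, normalized)


def disallowed_names(patterns: Sequence[str], record_names: Iterable[str]) -> List[str]:
    """Names in the batch that fall outside every pattern (after
    normalization); useful when explaining a denied request."""
    return [
        n for n in record_names
        if not any(string_like(p, normalize_record_name(n)) for p in patterns)
    ]


# The pattern list from the policy statement above.
DELEGATION_PATTERNS = ["subdomain.someexample.com"]

if __name__ == "__main__":
    # Constructed change batches: the delegated account may only touch the
    # one delegated name, however it is capitalized or dotted.
    print(change_batch_allowed(DELEGATION_PATTERNS, ["SubDomain.SomeExample.com."]))  # True
    mixed = ["subdomain.someexample.com", "www.someexample.com"]
    print(change_batch_allowed(DELEGATION_PATTERNS, mixed))  # False
    print(disallowed_names(DELEGATION_PATTERNS, mixed))  # ['www.someexample.com']
```

Because ForAllValues requires every name in a single ChangeResourceRecordSets batch to match, a batch that mixes the delegated name with any other record is rejected as a whole rather than partially applied, which is the behaviour you want from a scope-down on a shared parent zone.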

Attributes

add_trailing_dot

Whether to add a trailing dot to the zone name.

Default:

true

caa_amazon

Whether to create a CAA record to restrict certificate authorities allowed to issue certificates for this domain to Amazon only.

Default:

false

comment

Any comments that you want to include about the hosted zone.

Default:

none

cross_account_zone_delegation_principal

(deprecated) A principal which is trusted to assume a role for zone delegation.

If supplied, this will create a Role in the same account as the Hosted Zone, which can be assumed by the CrossAccountZoneDelegationRecord to create a delegation record to a zone in a different account.

Be sure to indicate the account(s) that you trust to create delegation records, using either iam.AccountPrincipal or iam.OrganizationPrincipal.

If you are planning to use iam.ServicePrincipal principals here, be sure to include region-specific service principals for every opt-in region you are going to be delegating to; or don’t use this feature and create separate roles with appropriate permissions for every opt-in region instead.

Default:

No delegation configuration

Deprecated:

Create the Role yourself and call hostedZone.grantDelegation().

Stability:

deprecated

cross_account_zone_delegation_role_name

(deprecated) The name of the role created for cross-account delegation.

Default:

A role name is generated automatically

Deprecated:

Create the Role yourself and call hostedZone.grantDelegation().

Stability:

deprecated

query_logs_log_group_arn

The Amazon Resource Name (ARN) for the log group that you want Amazon Route 53 to send query logs to.

Default:

disabled

zone_name

The name of the domain.

For resource record types that include a domain name, specify a fully qualified domain name.