I recently created a few blog posts on how you can build, deploy and host an application on AWS. This blog post is all about handling DNS records in a cross-account setup. You might think AWS has you covered, but the sad reality is that they don't when it comes to cross-account use cases.
For example, say you own the domain example.com. You will need to create the hosted zone in one AWS account. From the context of that account you can then manage the records through infrastructure as code. This works fine until you're using more than one AWS account.
The problem
Because the Route53 hosted zone lives within a specific account, you cannot add records to that hosted zone from another account. There are three options to solve this problem:
- Option 1: Manage your DNS records by hand.
- Option 2: Create a Route 53 hosted zone in each AWS account. You will need entirely different domains, or subdomains, to get this working.
- Option 3: Use the cfn-cross-account-dns-provider.
Option 1 is out for me: I like to use infrastructure as code. For option 2 you will need either a different domain or a subdomain per account. Using a different domain per account is a bit of overkill, and when you use subdomains you will need a hosted zone in every account. A single hosted zone will cost you $6 a year. Let's say you have 3 workloads and 4 environments per workload; you now pay $72 per year for the hosted zones alone. This might be an option for your use case, but not for my personal pet projects.
So that brings us to option 3. In a nutshell, it's my solution to the problem with option 2.
My solution
I created a single AWS account that I use for DNS management. All the domains that I own live in this account and use Route53. I also deployed the cfn-cross-account-dns-provider in this account. The provider comes with an SNS topic, and all member accounts are allowed to publish to this topic.
Now you can use the resource definition below in your CloudFormation template to create DNS records. The custom resource publishes to the SNS topic, which invokes the Custom Cross Account DNS Provider in the AWS account that holds the hosted zones. The provider manages the record for you and notifies CloudFormation with the end result.
DNSRecord:
  Type: Custom::CrossAccountDNS
  Properties:
    ServiceToken: !Sub arn:aws:sns:${AWS::Region}:${HostedZoneAccountId}:binxio-cfn-cross-account-dns-provider
    HostedZoneId: !Ref HostedZoneId
    Name: mysubdomain.example.com
    Type: CNAME
    Value: my-value-from-cloudfront-for-example.amazon.com
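To make the flow concrete, here is an added sketch of the hosted-zone side of such a provider. It is not the code of cfn-cross-account-dns-provider itself: it takes the custom resource request that CloudFormation publishes to the SNS topic, turns it into a Route53 change and sends the result back to CloudFormation. The function names, the default TTL and the handling of a Delete for a record that is already gone are my assumptions; the message fields follow the CloudFormation custom resource contract.

```python
import json
from urllib.request import Request, urlopen

# Added sketch of the hosted-zone side of a Custom::CrossAccountDNS provider; not the
# real provider's code. Message fields follow the CloudFormation custom resource contract.
ACTIONS = {"Create": "UPSERT", "Update": "UPSERT", "Delete": "DELETE"}

def change_batch(request):
    """Map the request to a Route53 change batch; Create/Update UPSERT so reruns are idempotent."""
    props = request["ResourceProperties"]
    values = props["Value"] if isinstance(props["Value"], list) else [props["Value"]]
    record = {"Name": props["Name"].rstrip(".") + ".",  # Route53 expects a trailing dot
              "Type": props["Type"], "TTL": int(props.get("TTL", 300)),  # 300 is an assumed default
              "ResourceRecords": [{"Value": v} for v in values]}
    return {"Comment": f"{request['LogicalResourceId']} of {request['StackId']}",
            "Changes": [{"Action": ACTIONS[request["RequestType"]], "ResourceRecordSet": record}]}

def handle(request, route53):
    """Apply the change and build the body CloudFormation expects back.
    `route53` is anything with change_resource_record_sets(), e.g. a boto3 client."""
    props = request["ResourceProperties"]
    # zone/name/type as physical id: renaming the record makes CloudFormation delete the old one
    response = {"Status": "SUCCESS", "Reason": "",
                "PhysicalResourceId": f"{props['HostedZoneId']}/{props['Name']}/{props['Type']}",
                "StackId": request["StackId"], "RequestId": request["RequestId"],
                "LogicalResourceId": request["LogicalResourceId"]}
    try:
        route53.change_resource_record_sets(HostedZoneId=props["HostedZoneId"],
                                            ChangeBatch=change_batch(request))
    except Exception as err:  # botocore raises InvalidChangeBatch for a missing record
        # Deleting a record that is already gone (rollback of a failed Create) must still
        # report SUCCESS, otherwise the stack is stuck in DELETE_FAILED.
        if request["RequestType"] == "Delete" and "not found" in str(err):
            response["Reason"] = f"record already absent: {err}"
        else:
            response.update(Status="FAILED", Reason=str(err))
    return response

def on_sns_event(event, route53):
    """SNS subscription entry point: one CloudFormation request per published message."""
    for record in event["Records"]:
        request = json.loads(record["Sns"]["Message"])
        body = json.dumps(handle(request, route53)).encode()
        # CloudFormation waits for a PUT to the pre-signed ResponseURL with an empty Content-Type
        urlopen(Request(request["ResponseURL"], data=body, method="PUT",
                        headers={"Content-Type": ""}))
```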
Cool, so now that we can create DNS records cross-account you can do more fun stuff. For example, you also need DNS records for certificates that you request through ACM.
When you are using CloudFront, the certificate needs to exist in the us-east-1 region. This becomes a problem when your application lives in a different region. For this, Mark van Holsteijn created the cfn-certificate-provider. With this provider you can request a certificate in the us-east-1 region while your stack lives in the eu-west-1 region. When you combine this with the cfn-cross-account-dns-provider, your certificates will be issued automatically.
Conclusion
You can manage certificates and DNS records across accounts and regions. All you need is the cfn-certificate-provider and the cfn-cross-account-dns-provider. This removes the manual steps from your deployments, making them more predictable and reliable.
Photo by BOA.vision