我的设置有点复杂。我有根帐户AWS帐户和一堆子帐户。我希望根帐户定义一个托管区域,然后将其委托给子帐户(似乎已经可以工作),然后我需要这些域的 SSL 证书(当前处于“待验证”状态)。
根帐户定义以下内容:
export default class RootDomainStack extends Stack {
readonly hostedZone: HostedZone;
readonly role: Role;
constructor(scope: Construct, id: string, props: StackProps) {
super(scope, id, props);
this.hostedZone = new PublicHostedZone(this, 'DomainZone', {
zoneName: config.domain,
});
this.role = new Role(this, 'RootZoneOrganizationRole', {
assumedBy: new OrganizationPrincipal('o-myorgsecretid'),
roleName: config.domainRoleName,
});
this.hostedZone.grantDelegation(this.role);
}
}
子账户则定义如下
export class DomainStack extends Stack {
constructor(scope: Construct, id: string, props: DomainStackProps) {
super(scope, id, props.stack);
const hostedZone = new PublicHostedZone(this, 'zone', {
zoneName: props.useRootDomain
? config.domain
: `${props.envName}.${config.domain}`,
});
new CrossAccountZoneDelegationRecord(this, 'DelegatedZone', {
delegationRole: Role.fromRoleArn(
this,
'CrossAccountRole',
`arn:aws:iam::${config.root.account}:role/HostedZoneDelegationRole`,
),
delegatedZone: hostedZone,
parentHostedZoneName: config.domain,
});
const cert = new Certificate(this, 'Certificate', {
domainName: hostedZone.zoneName,
certificateName: `${hostedZone.zoneName}-certificate`,
validation: CertificateValidation.fromDns(hostedZone),
subjectAlternativeNames: [`www.${hostedZone.zoneName}`],
});
}
}
所以我可以看到 Route53 似乎配置得很好......至少据我所知......根帐户确实获得了子帐户部署所产生的 NS 记录。尽管如此,当我将该证书定义放在那里时,CF 部署会永远挂起,等待证书状态脱离“待验证|状态”。此时我是否必须创建自己的 CNAME 记录?我该怎么做在CDK中正确吗?