If you have an application that is dynamically tearing down ELB's and creating new ELB's with instances in its pool, you will be in a situation where Route53 recordsets have be frequently updated as well. To manually update the A records of newly created ELB's can be tedious. Instead, you can create a restricted IAM user or group policy that allows for "ChangeResourceRecordSets" privilege such as below:-
**************
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetHostedZone"
"route53:ChangeResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/<ZONE_ID>"
},
{
"Effect": "Allow",
"Action": [
"route53:GetHostedZone",
"route53:ListResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/*"
},
{
"Effect": "Allow",
"Action": [
"route53:GetChange"
],
"Resource": "arn:aws:route53:::change/*"
}
]
}
**************
Once the above policy is set, you can use AWS CLI as below to CREATE, DELETE, UPSERT A records on Route 53:-
***************
$aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID> --change-batch file://opt/sampleupsert.json --profile <domain>
{
"ChangeInfo": {
"Status": "PENDING",
"Comment": "string",
"SubmittedAt": "2014-09-20T12:40:49.159Z",
"Id": "/change/CNZHKUS1ZF9Z9"
}
}
***************
Once the change is submitted, you can query for the status till it shows "INSYNC" as below:-
***************
$aws route53 get-change --id /change/CNZHKUS1ZF9Z9 --profile <domain>
{
"ChangeInfo": {
"Status": "INSYNC",
"Comment": "string",
"SubmittedAt": "2014-09-20T12:40:49.159Z",
"Id": "/change/CNZHKUS1ZF9Z9"
}
}
***************
and the sampleupsert.json file which is passed as argument to --change-batch parameter in "change-resource-record-sets" method of AWS CLI, looks like
***************
{
"Comment": "string",
"Changes": [
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "<domain>",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "<ZONE_ID>",
"DNSName": "<DNS_NAME of ELB>",
"EvaluateTargetHealth": false
}
}
}
]
}
***************
The above can also be done using Boto library and simple python code as below:-
***************
import boto.route53
conn = boto.route53.connect_to_region('us-east-1')
from boto.route53.record import ResourceRecordSets
zone_id = "<ZONE_ID>"
changes = ResourceRecordSets(conn, zone_id)
change = changes.add_change("UPSERT", '<domain>', "A")
change.set_alias("<ZONE_ID_2>", "<ELB A record>")
changes.commit()
***************
If ZONE_ID is not known, then you have to modify the above policy to allow listing of zones and then iterate through the code as shown in this blog - managing-amazon-route-53-dns-with-boto
**************
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetHostedZone"
"route53:ChangeResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/<ZONE_ID>"
},
{
"Effect": "Allow",
"Action": [
"route53:GetHostedZone",
"route53:ListResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/*"
},
{
"Effect": "Allow",
"Action": [
"route53:GetChange"
],
"Resource": "arn:aws:route53:::change/*"
}
]
}
**************
Once the above policy is set, you can use AWS CLI as below to CREATE, DELETE, UPSERT A records on Route 53:-
***************
$aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID> --change-batch file://opt/sampleupsert.json --profile <domain>
{
"ChangeInfo": {
"Status": "PENDING",
"Comment": "string",
"SubmittedAt": "2014-09-20T12:40:49.159Z",
"Id": "/change/CNZHKUS1ZF9Z9"
}
}
***************
Once the change is submitted, you can query for the status till it shows "INSYNC" as below:-
***************
$aws route53 get-change --id /change/CNZHKUS1ZF9Z9 --profile <domain>
{
"ChangeInfo": {
"Status": "INSYNC",
"Comment": "string",
"SubmittedAt": "2014-09-20T12:40:49.159Z",
"Id": "/change/CNZHKUS1ZF9Z9"
}
}
***************
and the sampleupsert.json file which is passed as argument to --change-batch parameter in "change-resource-record-sets" method of AWS CLI, looks like
***************
{
"Comment": "string",
"Changes": [
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "<domain>",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "<ZONE_ID>",
"DNSName": "<DNS_NAME of ELB>",
"EvaluateTargetHealth": false
}
}
}
]
}
***************
The above can also be done using Boto library and simple python code as below:-
***************
import boto.route53
conn = boto.route53.connect_to_region('us-east-1')
from boto.route53.record import ResourceRecordSets
zone_id = "<ZONE_ID>"
changes = ResourceRecordSets(conn, zone_id)
change = changes.add_change("UPSERT", '<domain>', "A")
change.set_alias("<ZONE_ID_2>", "<ELB A record>")
changes.commit()
***************
If ZONE_ID is not known, then you have to modify the above policy to allow listing of zones and then iterate through the code as shown in this blog - managing-amazon-route-53-dns-with-boto
The above program also useful to us keep update your information AWS Online Training
ReplyDelete