doublecompile/stack.ts

## stack.ts
import { Construct } from "constructs";
import { Stack, StackProps, CfnOutput } from "aws-cdk-lib";
import {
  IRole,
  Role,
  PolicyStatement,
  AnyPrincipal,
  ManagedPolicy,
  Effect,
  PrincipalWithConditions,
} from "aws-cdk-lib/aws-iam";
import { HostedZone, IHostedZone } from "aws-cdk-lib/aws-route53";

/**
 * Constructor properties for the DnsStack.
 */
export interface DnsStackProps extends StackProps {
  /**
   * The AWS Organizations ID to permit access.
   */
  readonly organizationId: string;
  /**
   * The actual domain to use e.g. hosted.example.com.
   */
  readonly zoneName: string;
}

/**
 * The Dns stack.
 */
export class DnsStack extends Stack {
  /**
   * The hosted zone.
   */
  public readonly hostedZone: IHostedZone;
  /**
   * The role granting write access to the hosted zone.
   */
  public readonly role: IRole;

  constructor(scope: Construct, id: string, props: DnsStackProps) {
    super(scope, id, { ...props });

    const zoneName = props.zoneName;

    const hostedZone = new HostedZone(this, "Zone", {
      zoneName,
      comment: `Contains DNS records for ${zoneName}`,
    });
    this.hostedZone = hostedZone;

    const managedPolicy = new ManagedPolicy(this, "Policy", {
      description: `Permits adding delegate records to the ${zoneName} hosted zone`,
      statements: [
        new PolicyStatement({
          effect: Effect.ALLOW,
          actions: ["route53:ChangeResourceRecordSets"],
          resources: [hostedZone.hostedZoneArn],
        }),
        new PolicyStatement({
          effect: Effect.ALLOW,
          actions: ["route53:ListHostedZonesByName"],
          resources: ["*"],
        }),
      ],
    });

    const role = new Role(this, "Role", {
      description:
        "A role to be assumed by the CrossAccountZoneDelegationRecord CDK construct",
      assumedBy: new PrincipalWithConditions(new AnyPrincipal(), {
        StringEquals: {
          "aws:PrincipalOrgID": props.organizationId,
        },
      }),
      managedPolicies: [managedPolicy],
    });

    this.role = role;

    new CfnOutput(this, "HostedZoneArn", {
      value: this.hostedZone.hostedZoneArn,
    });
    new CfnOutput(this, "DelegationRoleArn", {
      value: this.role.roleArn,
    });
  }
}
	import { Construct } from "constructs";
	import { Stack, StackProps, CfnOutput } from "aws-cdk-lib";
	import {
	IRole,
	Role,
	PolicyStatement,
	AnyPrincipal,
	ManagedPolicy,
	Effect,
	PrincipalWithConditions,
	} from "aws-cdk-lib/aws-iam";
	import { HostedZone, IHostedZone } from "aws-cdk-lib/aws-route53";

	/**
	* Constructor properties for the DnsStack.
	*/
	export interface DnsStackProps extends StackProps {
	/**
	* The AWS Organizations ID to permit access.
	*/
	readonly organizationId: string;
	/**
	* The actual domain to use e.g. hosted.example.com.
	*/
	readonly zoneName: string;
	}

	/**
	* The Dns stack.
	*/
	export class DnsStack extends Stack {
	/**
	* The hosted zone.
	*/
	public readonly hostedZone: IHostedZone;
	/**
	* The role granting write access to the hosted zone.
	*/
	public readonly role: IRole;

	constructor(scope: Construct, id: string, props: DnsStackProps) {
	super(scope, id, { ...props });

	const zoneName = props.zoneName;

	const hostedZone = new HostedZone(this, "Zone", {
	zoneName,
	comment: `Contains DNS records for ${zoneName}`,
	});
	this.hostedZone = hostedZone;

	const managedPolicy = new ManagedPolicy(this, "Policy", {
	description: `Permits adding delegate records to the ${zoneName} hosted zone`,
	statements: [
	new PolicyStatement({
	effect: Effect.ALLOW,
	actions: ["route53:ChangeResourceRecordSets"],
	resources: [hostedZone.hostedZoneArn],
	}),
	new PolicyStatement({
	effect: Effect.ALLOW,
	actions: ["route53:ListHostedZonesByName"],
	resources: ["*"],
	}),
	],
	});

	const role = new Role(this, "Role", {
	description:
	"A role to be assumed by the CrossAccountZoneDelegationRecord CDK construct",
	assumedBy: new PrincipalWithConditions(new AnyPrincipal(), {
	StringEquals: {
	"aws:PrincipalOrgID": props.organizationId,
	},
	}),
	managedPolicies: [managedPolicy],
	});

	this.role = role;

	new CfnOutput(this, "HostedZoneArn", {
	value: this.hostedZone.hostedZoneArn,
	});
	new CfnOutput(this, "DelegationRoleArn", {
	value: this.role.roleArn,
	});
	}
	}