
I am running some of our backend REST services with Amazon ECS (Docker) and they change their public IP on every restart.

I'm using AWS Route 53 Auto Naming (aka servicediscovery) to register new A records on the DNS when a new backend instance spins up.

Everything works fine except the backends are using HTTP. I wish to secure them with HTTPS and I was looking to Let's Encrypt/Certbot and here comes the issue.

I wish to obtain a wildcard certificate for all names in the hosted zone, let's say *.aws.example.com, but I need to add a verification TXT record to the Hosted Zone, and it is not possible.

The error message I get is:

The resource hostedzone/Z1R8P3NTRAIWDS can only be managed through servicediscovery.amazonaws.com (arn:aws:servicediscovery:eu-west-1:263810592360:namespace/ns-cuqs46hqusim4jih)

How can I add some static records to my Hosted Zone managed by service discovery?

2 Answers

I finally managed to resolve my issue using the procedure in the section "Using Service Discovery with an Existing Hosted Zone" from the documentation page: https://docs.aws.amazon.com/Route53/latest/APIReference/overview-service-discovery.html

Basically:

  1. create with autodiscovery a namespace unrelated to the previously existing public Route53 hosted zone
  2. link the autodiscovery record into the public Route53 hosted zone with the following aws-cli command:
     aws route53 change-resource-record-sets --hosted-zone-id existing-hosted-zone-id --change-batch file://path-to-text-file

The text file looks like this:

{
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Type": "A",
        "Name": "record-name-in-existing-hosted-zone",
        "AliasTarget": {
          "DNSName": "record-name-in-new-hosted-zone",
          "HostedZoneId": "service-discovery-hosted-zone-id",
          "EvaluateTargetHealth": true
        }
      }
    }
  ]
}
  • Does this automatically keep updated as new records are added to the new hosted zone? Or do you need to rerun this command each time the new hosted zone is updated? – rustysys-dev Feb 14 '19 at 12:12
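The two-step procedure above, as an added example that is not code from the original answer or from AWS. It generates the Route 53 change batches the fix needs and can apply them with the AWS CLI: the alias A record in the public zone you control, pointing at the A record Auto Naming maintains in its separate service-discovery zone, plus the _acme-challenge TXT record for the Let's Encrypt DNS-01 validation, which also goes into the public zone because the service-discovery zone refuses manual edits. All zone IDs, names and the token are placeholders (assumptions), to be overridden through the environment.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Builds Route 53 change batches
# for (1) an alias record in the public hosted zone that points at the record
# Auto Naming keeps in its own service-discovery zone and (2) the ACME TXT
# record for a DNS-01 challenge, then applies them with the AWS CLI on request.
# Every ID, name and token below is a placeholder (assumption), not a real one.
set -euo pipefail

# Change batch: alias <name> in the public zone to <target>, the A record that
# Auto Naming created in the service-discovery zone <target_zone>. Route 53
# resolves an alias against the target at query time, so the public name keeps
# following the task's current IP without re-running this command.
make_alias_batch() {
  local name="$1" target="$2" target_zone="$3"
  cat <<EOF
{
  "Comment": "alias ${name} -> ${target}",
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Type": "A",
        "Name": "${name}",
        "AliasTarget": {
          "DNSName": "${target}",
          "HostedZoneId": "${target_zone}",
          "EvaluateTargetHealth": true
        }
      }
    }
  ]
}
EOF
}

# Change batch: TXT record <name> with <value>. Route 53 requires TXT values to
# be wrapped in double quotes inside the JSON string, hence the escaped quotes.
make_txt_batch() {
  local name="$1" value="$2" ttl="${3:-60}"
  cat <<EOF
{
  "Comment": "ACME DNS-01 validation for ${name}",
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Type": "TXT",
        "Name": "${name}",
        "TTL": ${ttl},
        "ResourceRecords": [ { "Value": "\"${value}\"" } ]
      }
    }
  ]
}
EOF
}

# Write a batch to a temp file and submit it to the given hosted zone. Only the
# public zone you own is targeted here; the service-discovery zone is never
# edited directly, which is exactly what the error in the question forbids.
apply_batch() {
  local zone_id="$1" batch="$2" tmp
  tmp=$(mktemp)
  printf '%s\n' "$batch" >"$tmp"
  aws route53 change-resource-record-sets \
    --hosted-zone-id "$zone_id" --change-batch "file://$tmp"
  rm -f "$tmp"
}

# Placeholder values (assumptions); override via the environment.
PUBLIC_ZONE_ID="${PUBLIC_ZONE_ID:-ZPUBLICZONEPLACEHOLDER}"   # zone for aws.example.com
SD_ZONE_ID="${SD_ZONE_ID:-ZSDZONEPLACEHOLDER}"               # zone Auto Naming created
PUBLIC_NAME="${PUBLIC_NAME:-api.aws.example.com}"            # name clients will use
SD_NAME="${SD_NAME:-api.sd.example.net}"                     # Auto Naming record name
ACME_NAME="${ACME_NAME:-_acme-challenge.aws.example.com}"    # for *.aws.example.com
ACME_TOKEN="${ACME_TOKEN:-replace-with-certbot-validation-token}"

alias_batch=$(make_alias_batch "$PUBLIC_NAME" "$SD_NAME" "$SD_ZONE_ID")
txt_batch=$(make_txt_batch "$ACME_NAME" "$ACME_TOKEN")

if [ "${APPLY:-0}" = "1" ]; then
  apply_batch "$PUBLIC_ZONE_ID" "$alias_batch"
  apply_batch "$PUBLIC_ZONE_ID" "$txt_batch"
else
  # Dry run: print both batches so they can be reviewed before applying.
  printf '%s\n' "$alias_batch" "$txt_batch"
fi
```

Run it once without APPLY to review the generated JSON, then with APPLY=1 and the token certbot hands you during the manual DNS-01 challenge. The alias record is a one-time setup: because Route 53 resolves it against the service-discovery record at query time, it does not need to be re-applied when a new task registers; the TXT record is what you update on each certificate issuance or renewal.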

You might look at using an Elastic Load Balancer in front of your services and using Amazon's certificate process. You will pay a little more for the ELB, but you can use the ELB endpoint in Route53 from then on and not have to worry about the ECS IP address.

Otherwise you may need to turn off auto discovery, or generate a cert from a provider that will approve based on an email to the admin on file.

  • I could use the ELB but it seems to me like overshooting since I just need 1 instance at a time and the ELB alone costs more than all the rest of the infrastructure put together. – Federico Bonelli Aug 18 '18 at 06:56