docs(aws): add missing supported DNS record types in Route53 ABAC (#5839)

TobyTheHutt · web-flow · commit 413015ea767d · 2025-09-17T10:10:11.000-07:00
* fix(aws): warn on TXT AccessDenied due to ABAC ExternalDNS writes TXT ownership records. ABAC missing TXT can cause 403 AccessDenied from Route 53. * Update AWS ABAC docs to include TXT in record types * Log entries when AccessDenied occurs and batch contains TXT * Added unit tests for AccessDenied detection, TXT detection and logging Refs: #5773 Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch> * fix(aws): Drop prescriptive IAM warning * Return the first Route 53 error from `submitChanges` so operators see the original AWS message * Remove IAM-guessing branch while keeping split-and-retry submission * Tidy error test and fall back to `provider.NewSoftErrorf` when no AWS error was captured * Add tests for error return on failures upon zone submission Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch> * fix(aws): Remove TXT-specific error handling Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch> * fix(aws): Remove Route53 final error message Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch> * fix(aws): Remove unused import of `error` Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch> --------- Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>
diff --git a/docs/tutorials/aws-sd.md b/docs/tutorials/aws-sd.md
@@ -74,7 +74,7 @@ Using tags, your `servicediscovery` policy can become:
         "ForAllValues:StringLike": {
           "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["*example.com", "marketing.example.com", "*-beta.example.com"],
           "route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"],
-          "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "MX"]
+          "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "CNAME", "MX", "TXT"]
         }
       }
     },
diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
@@ -59,7 +59,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
         "ForAllValues:StringLike": {
           "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["*example.com", "marketing.example.com", "*-beta.example.com"],
           "route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"],
-          "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "MX"]
+          "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "CNAME", "MX", "TXT"]
         }
       }
     },

Original file line number	Diff line number	Diff line change
@@ -74,7 +74,7 @@ Using tags, your `servicediscovery` policy can become:
`74`	`74`	`"ForAllValues:StringLike": {`
`75`	`75`	`"route53:ChangeResourceRecordSetsNormalizedRecordNames": ["example.com", "marketing.example.com", "-beta.example.com"],`
`76`	`76`	`"route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"],`
`77`		`- "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "MX"]`
	`77`	`+ "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "CNAME", "MX", "TXT"]`
`78`	`78`	`}`
`79`	`79`	`}`
`80`	`80`	`},`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments.`
`59`	`59`	`"ForAllValues:StringLike": {`
`60`	`60`	`"route53:ChangeResourceRecordSetsNormalizedRecordNames": ["example.com", "marketing.example.com", "-beta.example.com"],`
`61`	`61`	`"route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"],`
`62`		`- "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "MX"]`
	`62`	`+ "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "CNAME", "MX", "TXT"]`
`63`	`63`	`}`
`64`	`64`	`}`
`65`	`65`	`},`