Struggling with Route53 public hosted zones in a multi-account environment


I want to implement the following pattern in AWS:

  • Public Hosted Zone for site.com in the Global Network Account
  • Public Hosted Zone for prod.site.com in the Production Account
  • Public Hosted Zone for dev.site.com in the Development Account.

Implementing this is no problem, it is easy enough to add the necessary NS records to the site.com hosted zone to delegate DNS management for a subdomain.

My problem is this: I have user-facing production URLs such as app.site.com. Using the above pattern, I believe I would only be able to deploy domains like app.prod.site.com on the Production account. This is obviously undesirable, so I'm wondering what the canonical way to handle this situation is.

I have considered two options:

  1. Allow the Production account to assume a role in the Global Networking account to add DNS records to the root hosted zone, e.g. app.site.com. I am worried that production records will now live in a non-production account, which seems not ideal.
  2. Don't use the Global Networking account at all and instead manage the root hosted zone in the Production account. I am worried that the Development NS records will now live in the Production account, meaning that there is a dependency between the two. It also means that the Production account must be configured differently than the other environments.

Thanks for any advice you can give!

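Added example, not code from the question's author: it works through option 1 above (the Production account assumes a role in the Global Network account to write app.site.com into the site.com zone) and shows the least-privilege scoping a practitioner would want on that role, so the assuming account cannot rewrite the NS delegations for other environments. The hosted zone ID, account number, role name and name servers are constructed placeholders; the normalization rule for `route53:ChangeResourceRecordSetsNormalizedRecordNames` (lower-case, no trailing dot) is taken from the Route 53 condition-key documentation and is marked as an assumption in the code.

```python
import json

# Constructed sample values; every ID, account number and name server is hypothetical.
ROOT_ZONE_ID = "Z0000000000000000ROOT"      # site.com zone in the Global Network account
PROD_ACCOUNT_ID = "111111111111"            # Production account
PROD_ZONE_NAME_SERVERS = [                  # NS set Route 53 assigned to the prod.site.com zone
    "ns-1.awsdns-00.org.", "ns-2.awsdns-00.net.",
    "ns-3.awsdns-00.com.", "ns-4.awsdns-00.co.uk.",
]


def fqdn(name):
    """Route 53 stores record names with a trailing dot."""
    return name if name.endswith(".") else name + "."


def normalize(name):
    """Normalization used by the ...NormalizedRecordNames condition key: lower-case,
    trailing dot dropped (assumed from the Route 53 docs; wildcard escaping not modelled)."""
    return name.lower().rstrip(".")


def delegation_change_batch(subdomain, name_servers, ttl=172800):
    """ChangeBatch that delegates `subdomain` out of the root zone by writing its NS set."""
    return {"Comment": f"Delegate {subdomain} to its own hosted zone", "Changes": [{
        "Action": "UPSERT",
        "ResourceRecordSet": {"Name": fqdn(subdomain), "Type": "NS", "TTL": ttl,
                              "ResourceRecords": [{"Value": ns} for ns in name_servers]},
    }]}


def cross_account_record_policy(zone_id, record_names, record_types, actions):
    """Permissions policy for the zone-writer role in the root-zone account. The
    Condition block limits ChangeResourceRecordSets to the listed names, types and
    actions, so the Production account cannot touch e.g. the dev.site.com NS records."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ChangeOnlyListedRecords", "Effect": "Allow",
         "Action": "route53:ChangeResourceRecordSets",
         "Resource": f"arn:aws:route53:::hostedzone/{zone_id}",
         "Condition": {"ForAllValues:StringEquals": {
             "route53:ChangeResourceRecordSetsNormalizedRecordNames": [normalize(n) for n in record_names],
             "route53:ChangeResourceRecordSetsRecordTypes": list(record_types),
             "route53:ChangeResourceRecordSetsActions": list(actions)}}},
        {"Sid": "ReadZone", "Effect": "Allow", "Action": ["route53:ListResourceRecordSets"],
         "Resource": f"arn:aws:route53:::hostedzone/{zone_id}"},
        {"Sid": "PollChange", "Effect": "Allow", "Action": "route53:GetChange",
         "Resource": "arn:aws:route53:::change/*"},
    ]}


def trust_policy(account_id, role_name):
    """Trust policy: only one named role in the Production account may assume the zone writer."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"}}]}


def record_change(action, name, rtype, value, ttl=60):
    """Single-record ChangeBatch, e.g. the app.site.com record the Production account deploys."""
    return {"Changes": [{"Action": action, "ResourceRecordSet": {
        "Name": fqdn(name), "Type": rtype, "TTL": ttl, "ResourceRecords": [{"Value": value}]}}]}


def change_allowed(policy, zone_id, change_batch):
    """Offline approximation of IAM evaluation for the three Route 53 condition keys:
    ForAllValues:StringEquals passes only when every value in the request is in the
    policy's list. Use `aws iam simulate-principal-policy` for the authoritative answer."""
    sets = [c["ResourceRecordSet"] for c in change_batch["Changes"]]
    req_names = {normalize(s["Name"]) for s in sets}
    req_types = {s["Type"] for s in sets}
    req_actions = {c["Action"] for c in change_batch["Changes"]}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "route53:ChangeResourceRecordSets":
            continue
        if st["Resource"] != f"arn:aws:route53:::hostedzone/{zone_id}":
            continue
        cond = st["Condition"]["ForAllValues:StringEquals"]
        if (req_names <= set(cond["route53:ChangeResourceRecordSetsNormalizedRecordNames"])
                and req_types <= set(cond["route53:ChangeResourceRecordSetsRecordTypes"])
                and req_actions <= set(cond["route53:ChangeResourceRecordSetsActions"])):
            return True
    return False


if __name__ == "__main__":
    policy = cross_account_record_policy(ROOT_ZONE_ID, ["app.site.com"],
                                         ["A", "AAAA", "CNAME"], ["CREATE", "UPSERT"])
    print(json.dumps(delegation_change_batch("prod.site.com", PROD_ZONE_NAME_SERVERS), indent=2))
    print(json.dumps(trust_policy(PROD_ACCOUNT_ID, "ProdDnsDeployer"), indent=2))
    print(json.dumps(policy, indent=2))
    # Allowed: the production app record. Denied: rewriting the dev delegation.
    print(change_allowed(policy, ROOT_ZONE_ID, record_change("UPSERT", "app.site.com", "A", "203.0.113.10")))
    print(change_allowed(policy, ROOT_ZONE_ID, record_change("UPSERT", "dev.site.com", "NS", "ns-x.example.")))
```

The check in `change_allowed` only models the three Route 53 condition keys; it does not replace IAM's full evaluation (SCPs, permission boundaries, explicit denies), so treat the policy output as a starting point and confirm it with the IAM policy simulator or a CloudTrail-backed test in a sandbox zone before relying on it.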