From cfb0e6d85381ed805ec02969b255322a138c790b Mon Sep 17 00:00:00 2001
From: Owen Jacobson
Date: Tue, 31 Oct 2023 22:34:22 -0400
Subject: Only manage the actual DNS entry named by the `dns-name` argument.

The original version of this program (written for another project) laid claim to the entire subtree under the target DNS name, as part of a broader feature of adding both per-instance hostnames and a per-ASG hostname with multiple records. This program doesn't do that; however, I forgot to remove this behaviour when porting the code. This was caught in production, of course, though without any damage. An attempt to manage `grimoire.ca` failed because the AWS identity it ran under didn't have permission to do anything other than modify A and AAAA records.
---
 src/converge.rs | 2 +-
 src/route53.rs | 16 +++++++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/converge.rs b/src/converge.rs
index 073e9e6..a858347 100644
--- a/src/converge.rs
+++ b/src/converge.rs
@@ -47,7 +47,7 @@ where
 &live_instance_ids,
 aws_context
 ),
- zone_suffix_recordsets(dns_name, zone_id, aws_context),
+ zone_suffix_recordsets(aws_context, zone_id, dns_name),
 )?;
 let remove_records = actual_records.difference(&intended_records);
diff --git a/src/route53.rs b/src/route53.rs
index 22e4126..67bccb5 100644
--- a/src/route53.rs
+++ b/src/route53.rs
@@ -66,16 +66,16 @@ where
 }
 pub async fn zone_suffix_recordsets(
- dns_suffix: &Name,
- zone_id: &str,
 aws_context: &C,
+ zone_id: &str,
+ dns_name: &Name,
 ) -> Result>>
 where
 C: Route53,
 {
 let mut suffix_records = HashSet::new();
- let mut next_record_name = Some(dns_suffix.to_ascii());
+ let mut next_record_name = Some(dns_name.to_ascii());
 let mut next_record_type = None;
 let mut next_record_identifier = None;
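Review bot: `zone_suffix_recordsets` and its `suffix_records` set keep their suffix-era names in the `@@ -66,16 +66,16 @@` hunk of src/route53.rs, although with this commit the function matches only the exact `dns_name` (the filtering itself is in the later hunk at -97,13). A `///` doc comment on the function, stating that it returns the A and AAAA record sets at exactly `dns_name` in `zone_id` and nothing beneath that name, would keep a later reader from assuming the program owns the subtree. Renaming the function and the local to drop "suffix" is worth a follow-up. The function body continues outside this hunk.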
@@ -97,13 +97,15 @@ where
 zone_id
 ))?;
 let recordset_name = Name::from_str(recordset_name)?;
- let recordset_names = suffixes(recordset_name);
-
- if !recordset_names.iter().any(|name| name == dns_suffix) {
+ if &recordset_name != dns_name {
 break;
 }
- suffix_records.insert(recordset.clone().into());
+ if let Some(rr_type) = recordset.r#type() {
+ if [RrType::A, RrType::Aaaa].contains(rr_type) {
+ suffix_records.insert(recordset.clone().into());
+ }
+ }
 }
 if records_resp.is_truncated() {
-- 
cgit v1.2.3
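Review bot: The `break` on `&recordset_name != dns_name` appears to leave only the per-page loop, so the `records_resp.is_truncated()` check that follows can still request further pages after the listing has moved past `dns_name`; the enclosing loop starts and ends outside this hunk, so this is inferred. For a name that sorts early in a large zone, that would mean one list call per remaining page on every run. Consider stopping pagination once the name has been passed, for example by labelling the outer loop and using `break 'pages;`, or by checking a `done` flag before following the continuation markers. Separately, record sets whose type is absent or is not A/AAAA are now skipped without explanation; a comment such as `// Only A/AAAA at dns_name are ours to manage; other record types at this name are left untouched.` would make that ownership boundary explicit.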