Dstack-TEE
diff --git a/‎custom-domain/dstack-ingress/CLOUDFORMATION_EXAMPLE.yaml‎
Lines changed: 86 additions & 0 deletions b/‎custom-domain/dstack-ingress/CLOUDFORMATION_EXAMPLE.yaml‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎custom-domain/dstack-ingress/DNS_PROVIDERS.md‎
Lines changed: 64 additions & 1 deletion b/‎custom-domain/dstack-ingress/DNS_PROVIDERS.md‎
Lines changed: 64 additions & 1 deletion
diff --git a/‎custom-domain/dstack-ingress/scripts/dns_providers/factory.py‎
Lines changed: 3 additions & 1 deletion b/‎custom-domain/dstack-ingress/scripts/dns_providers/factory.py‎
Lines changed: 3 additions & 1 deletion
@@ -0,0 +1,86 @@
+AWSTemplateFormatVersion: '2010-09-09'
+
+Parameters:
+  HostedZoneId:
+    Type: String
+    Default: 
+    Description: Route53 Hosted Zone ID
+  UserName:
+    Type: String
+    Description: IAM user that can only assume the Route53 role
+
+Resources:
+  User:
+    Type: AWS::IAM::User
+    Properties:
+      UserName: !Ref UserName
+
+  AccessKey:
+    Type: AWS::IAM::AccessKey
+    Properties:
+      UserName: !Ref User
+      Status: Active
+
+  Route53Role:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Sub '${UserName}-route53-role'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            # The *account root* as trusted principal.
+            # This avoids invalid-principal errors while remaining safe,
+            # because the USER policy enforces the actual restriction.
+            Principal:
+              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: Route53DnsChallenges
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Sid: AllowDnsChallengeChanges
+                Effect: Allow
+                Action:
+                  - route53:ChangeResourceRecordSets
+                Resource: !Sub arn:aws:route53:::hostedzone/${HostedZoneId}
+              - Sid: AllowListingForDnsChallenge
+                Effect: Allow
+                Action:
+                  - route53:ListHostedZonesByName
+                  - route53:ListHostedZones
+                  - route53:GetChange
+                  - route53:ListResourceRecordSets
+                Resource: "*"
+
+  UserAssumeRolePolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: !Sub '${UserName}-assume-route53-role'
+      Users:
+        - !Ref User
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - sts:AssumeRole
+            Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/${UserName}-route53-role
+
+Outputs:
+  AWSAccessKeyId:
+    Description: Access key ID for the IAM user
+    Value: !Ref AccessKey
+
+  AWSSecretAccessKey:
+    Description: Secret access key for the IAM user
+    Value: !GetAtt AccessKey.SecretAccessKey
+
+  AWSUserArn:
+    Description: IAM User ARN
+    Value: !Sub arn:aws:iam::${AWS::AccountId}:user/${UserName}
+
+  Route53RoleArn:
+    Description: ARN of the Route53 role used by Certbot
+    Value: !Sub arn:aws:iam::${AWS::AccountId}:role/${UserName}-route53-role
@@ -7,6 +7,7 @@ This guide explains how to configure dstack-ingress to work with different DNS p
 - **Cloudflare** - The original and default provider
 - **Linode DNS** - For Linode-hosted domains
 - **Namecheap** - For Namecheap-hosted domains
+- **Route53** - For AWS hosted domains
 
 ## Environment Variables
 
@@ -73,6 +74,40 @@ NAMECHEAP_CLIENT_IP=your-client-ip
 - Namecheap doesn't support CAA records through their API currently
 - The certbot plugin uses the format `certbot-dns-namecheap` package
 
+### Route53
+
+```bash
+DNS_PROVIDER=route53
+AWS_ACCESS_KEY_ID=service-account-key-that-can-assume-role
+AWS_SECRET_ACCESS_KEY=service-account-secret-that-can-assume-role
+AWS_ROLE_ARN=role-that-can-mod-route53
+AWS_REGION=your-closest-region
+```
+
+**Required Permissions:**
+```yaml
+PolicyDocument:
+  Version: '2012-10-17'
+  Statement:
+    - Sid: AllowDnsChallengeChanges
+      Effect: Allow
+      Action:
+        - route53:ChangeResourceRecordSets
+      Resource: !Sub arn:aws:route53:::hostedzone/${HostedZoneId}
+    - Sid: AllowListingForDnsChallenge
+      Effect: Allow
+      Action:
+        - route53:ListHostedZonesByName
+        - route53:ListHostedZones
+        - route53:GetChange
+        - route53:ListResourceRecordSets
+```
+
+**Important Notes for Route53:**
+- The certbot plugin uses the format `certbot-dns-route53` package
+- CAA will merge AWS & Let's Encrypt CA domains to existing records if they exist
+- It is essential that the AWS service account used can only assume the limited role. See cloudformation example.
+
 ## Docker Compose Examples
 
 ### Linode Example
@@ -127,6 +162,34 @@ services:
       - ./evidences:/evidences
 ```
 
+### Route53 Example
+
+```yaml
+services:
+  dstack-ingress:
+    image: dstack-ingress:latest
+    restart: unless-stopped
+    volumes:
+    - /var/run/dstack.sock:/var/run/dstack.sock
+    - cert-data:/etc/letsencrypt
+    ports:
+    - 443:443
+    environment:
+      DNS_PROVIDER: route53
+      DOMAIN: app.example.com
+      GATEWAY_DOMAIN: _.${DSTACK_GATEWAY_DOMAIN}
+
+      AWS_REGION: ${AWS_REGION}
+      AWS_ROLE_ARN: ${AWS_ROLE_ARN}
+      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
+      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
+
+      CERTBOT_EMAIL: ${CERTBOT_EMAIL}
+      TARGET_ENDPOINT: http://backend:8080
+      SET_CAA: 'true'
+
+```
+
 ## Migration from Cloudflare-only Setup
 
 If you're currently using the Cloudflare-only version:
@@ -166,4 +229,4 @@ Ensure your API tokens/credentials have the necessary permissions listed above f
 1. Go to https://ap.www.namecheap.com/settings/tools/api-access/
 2. Enable API access for your account
 3. Note down your API key and username
-4. Make sure your IP address is whitelisted in the API settings
+4. Make sure your IP address is whitelisted in the API settings
@@ -6,6 +6,7 @@
 from .cloudflare import CloudflareDNSProvider
 from .linode import LinodeDNSProvider
 from .namecheap import NamecheapDNSProvider
+from .route53 import Route53DNSProvider
 
 
 class DNSProviderFactory:
@@ -15,6 +16,7 @@ class DNSProviderFactory:
         "cloudflare": CloudflareDNSProvider,
         "linode": LinodeDNSProvider,
         "namecheap": NamecheapDNSProvider,
+        "route53": Route53DNSProvider,
     }
 
     @classmethod
@@ -67,4 +69,4 @@ def _detect_provider_type(cls) -> str:
     @classmethod
     def get_supported_providers(cls) -> list:
         """Get list of supported DNS providers."""
-        return list(cls.PROVIDERS.keys())
+        return list(cls.PROVIDERS.keys())