
certificate-manager: DnsValidatedCertificate ignores validations property #21040

Closed
Rabadash8820 opened this issue Jul 7, 2022 · 3 comments
Labels: @aws-cdk/aws-certificatemanager (Related to Amazon Certificate Manager), bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.)

Comments


Rabadash8820 commented Jul 7, 2022

Describe the bug

We can use the CertificateProps.validation property to configure DNS validation for an ACM certificate associated with multiple Route53-hosted domains. We can also use the DnsValidatedCertificateProps.region property to provision an ACM cert with DNS validation in us-east-1 (or any region) when we deploy to a different region (e.g., for use with CloudFront Distributions). Unfortunately, there is no way to combine these benefits. There is no CertificateProps.region property, and although DnsValidatedCertificateProps extends CertificateProps, the DnsValidatedCertificateProps.validation property is apparently ignored by DnsValidatedCertificate. This latter behavior feels like a bug.

Expected Behavior

I can define a stack with a DnsValidatedCertificate construct like so:

```typescript
const cert = new acm.DnsValidatedCertificate(this, "TlsCertificate", {
    domainName: "example.com",
    hostedZone: exampleComHostedZone,
    region: "us-east-1",    // Certificates used for CloudFront distributions must be in us-east-1
    subjectAlternativeNames: [
        "example.net",
        "example.org",
        "www.example.net",
        "www.example.org",
        "www.example.com",
    ],
    validation: acm.CertificateValidation.fromDnsMultiZone({
        "example.net": exampleNetHostedZone,
        "example.org": exampleOrgHostedZone,
        "www.example.net": exampleNetHostedZone,
        "www.example.org": exampleOrgHostedZone,
        "www.example.com": exampleComHostedZone,
    }),
});
```

then deploy this stack to any region and end up with an ACM cert in us-east-1 with the appropriate DNS validation record sets in the provided hosted zones.

Current Behavior

Synthesizing the above DnsValidatedCertificate results in a CloudFormation resource like this (values redacted with ...):

```json
  "TlsCertificateCertificateRequestorResource26506912": {
   "Type": "AWS::CloudFormation::CustomResource",
   "Properties": {
    "ServiceToken": ...,
    "DomainName": "example.net",
    "SubjectAlternativeNames": [
     "example.org",
     "www.example.net",
     "www.example.org",
     "www.example.com"
    ],
    "HostedZoneId": ...,
    "Region": "us-east-1"
   },
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": ...
  },
```

As you can see, the DomainValidationOptions property is missing. The CloudFormation custom resource created by CDK to provision the ACM cert in us-east-1 attempts to add all of the DomainValidationOptions from the DescribeCertificate API to the DnsValidatedCertificateProps.hostedZone, rather than adding domain validation options to each of the necessary hosted zones, so the CDK stack fails to deploy with a message like:

```text
RRSet with DNS name _0a784a04c500969f20d6a737a4362d2f.www.example.org. is not permitted in zone example.net., RRSet with DNS name _4d34a1220a65c0ba96ca0c831d28d8c5.example.org. is not permitted in zone example.net.
```

Reproduction Steps

  1. Create a CDK app with a stack containing the above DnsValidatedCertificate construct.
  2. cdk synth this app and observe the CloudFormation resources described above.
  3. cdk deploy this app to a region other than us-east-1 and observe the error mentioned above.

Possible Solution

The DnsValidatedCertificate construct should actually use the CertificateProps.validations property. Also, the hostedZone property should be optional if validations are provided, so that no particular hosted zone is "singled out" and duplicated. The Lambda function code generated by DnsValidatedCertificate must then add DNS validation records to the appropriate hosted zones from validations and not just assume the singular hostedZone will work for them all.

Additional Information/Context

No response

CDK CLI Version

2.30.0 (build 1529743)

Framework Version

No response

Node.js Version

v16.15.1

OS

Linux (Debian bullseye)

Language

Typescript

Language Version

4.7.4

Other information

Technically running in a WSL devcontainer on Windows 11 Pro

@Rabadash8820 Rabadash8820 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 7, 2022
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Jul 7, 2022
@Rabadash8820 Rabadash8820 changed the title (module name): (short issue description) certificate-manager: DnsValidatedCertificate ignores validations Jul 7, 2022
@Rabadash8820 Rabadash8820 changed the title certificate-manager: DnsValidatedCertificate ignores validations certificate-manager: DnsValidatedCertificate ignores validations property Jul 7, 2022
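The per-zone routing the "Possible Solution" section asks for, as an added TypeScript example that is not aws-cdk code: it models the certificate-requestor's record placement with a per-domain zone map plus a fallback zone, and refuses up front any validation record whose name lies outside its target zone (the condition behind the Route 53 error quoted above). The DomainValidationOptions shape is simplified from the ACM DescribeCertificate response; zone ids and CNAME values are constructed placeholders.

```typescript
// Added example (not aws-cdk code): how the certificate-requestor Lambda could route ACM
// DomainValidationOptions to the zone named in the fromDnsMultiZone map instead of the single hostedZone prop.
// Simplified shape of ACM DescribeCertificate -> Certificate.DomainValidationOptions[]
interface ResourceRecord { Name: string; Type: string; Value: string }
interface DomainValidationOption { DomainName: string; ResourceRecord: ResourceRecord }
interface HostedZone { zoneId: string; zoneName: string } // zoneName is a FQDN, e.g. "example.net."
type ValidationZones = { [domain: string]: HostedZone };  // domain -> zone, as in fromDnsMultiZone

// Route 53 rejects a change whose record name lies outside the zone
// ("RRSet with DNS name ... is not permitted in zone ..."), so check that up front.
function recordInZone(recordName: string, zoneName: string): boolean {
  const r = recordName.replace(/\.$/, "").toLowerCase();
  const z = zoneName.replace(/\.$/, "").toLowerCase();
  return r === z || r.endsWith("." + z);
}

// Group validation records by target hosted zone id: the per-domain mapping wins,
// otherwise fall back to the single hostedZone (all the current custom resource uses).
// Every record that would not be permitted in its zone is reported together, before
// any Route 53 call is made, instead of failing the whole deployment mid-way.
function planValidationRecords(
  options: DomainValidationOption[], zones: ValidationZones, fallback: HostedZone,
): Map<string, ResourceRecord[]> {
  const plan = new Map<string, ResourceRecord[]>();
  const rejected: string[] = [];
  for (const opt of options) {
    const zone = zones[opt.DomainName] || fallback;
    if (!recordInZone(opt.ResourceRecord.Name, zone.zoneName)) {
      rejected.push(`RRSet with DNS name ${opt.ResourceRecord.Name} is not permitted in zone ${zone.zoneName}`);
      continue;
    }
    const records = plan.get(zone.zoneId) || [];
    records.push(opt.ResourceRecord);
    plan.set(zone.zoneId, records);
  }
  if (rejected.length > 0) throw new Error(rejected.join(", "));
  return plan;
}

// Constructed sample data: zone ids and CNAME tokens are placeholders, not real ACM output.
const exampleCom: HostedZone = { zoneId: "Z-COM", zoneName: "example.com." };
const exampleNet: HostedZone = { zoneId: "Z-NET", zoneName: "example.net." };
const exampleOrg: HostedZone = { zoneId: "Z-ORG", zoneName: "example.org." };
const sampleOptions: DomainValidationOption[] = [
  { DomainName: "example.com", ResourceRecord: { Name: "_aaa.example.com.", Type: "CNAME", Value: "_1.acm-validations.aws." } },
  { DomainName: "example.org", ResourceRecord: { Name: "_bbb.example.org.", Type: "CNAME", Value: "_2.acm-validations.aws." } },
  { DomainName: "www.example.net", ResourceRecord: { Name: "_ccc.www.example.net.", Type: "CNAME", Value: "_3.acm-validations.aws." } },
];
const multiZone: ValidationZones = { "example.org": exampleOrg, "www.example.net": exampleNet };
```

Calling `planValidationRecords(sampleOptions, {}, exampleNet)` reproduces the single-zone failure from the report as a thrown error, while passing `multiZone` yields one record set per hosted zone.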
@taylorb-syd

Duplicate of #8934, #15217, and #20774. Consolidating issues into #8934.


comcalvi commented Sep 1, 2022

closing as duplicate

@comcalvi comcalvi closed this as completed Sep 1, 2022

github-actions bot commented Sep 1, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
