feat(cloudfront): verify acm certificate is in us-east-1

[nmussy]

Fixes #3464

---

Please read the contribution guidelines and follow the pull-request checklist.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[nmussy]

@eladb Thanks for the verification, but do you have an insight into this issue?

[nmussy]

I should be able to resolve that region, right? It's currently resolved as ${Token[Default.Arn.132]}

[eladb]

DnsValidatedCertificate.certificateArn returns an Fn::GetAtt token which is only resolved at deploy time. This is why you are seeing a token. The only situation in which you will be able to resolve to a concrete region value is if you using fromCertificateArn.

[nmussy]

That makes this PR kind of useless though. The main use was to not request an unusable certificate. If we already have the ARN for it, it's too late.

Would you be open to deprecating acmCertRef for a acmCert: Certificate property, to be able to access the region property?

[eladb]

Yes

[nmussy]

I just noticed that this will cause a typing issue. acmCertRef is currently non-optional in the AliasConfiguration. If I put them both in AliasConfiguration, I will have to make them optional.

Are you also okay with deprecating aliasConfiguration instead, and allowing to keep both acmCertRef and acmCert required? If yes, I'd a appreciate a suggestion for the new alias property. 👍

[nmussy]

@eladb Any insight into this issue?

[nmussy]

@eladb I finally got this feature where I wanted it to be, but this PR is getting fairly big for a minor UX inconvenience. I'd be fine with aborting it

[eladb]

Hey, I am going on holiday until 8/26 @rix0rrr can you please follow up on this?

My general approach is the the cloudfront library needs an overhaul anyway. It's one of the only libraries we haven't refactored to adhere to our API standards.

[nmussy]

Got it. And enjoy your holidays Elad!

[rix0rrr]

I would rather have some static helper functions in the ACM module to get the region from an ICertificate. One module grubbing around in the internals of another one without a well-defined public interface to do so seems like a bad idea.

The simplest would be:

class CertificateUtils {
  public static certificateRegion(cert: ICertificate): string | undefined {
    // Put all that logic here
  }
}

[rix0rrr]

No abbreviations. acmCertificate. I think we might even just do certificate, no?

[rix0rrr]

@aws-cdk/aws-cloudfront: ERROR: /home/travis/build/aws/aws-cdk/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-security-policy.ts:2:1 - Import sources within a group must be alphabetized.

[mergify]

Pull Request Checklist

• Testing

• Unit test added (prefer to add a new test rather than modify existing tests)
• CLI change? Re-run/add CLI integration tests

• Documentation

• Inline docs: make sure all public APIs are documented (copy & paste from official AWS docs)
• README: update module README
• Design: for significant features, follow the design process

• Title uses the format type(scope): text

• Type: fix, feat, refactor go into CHANGELOG, chore is hidden
• Scope: name of the module without the aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
• Style: use all lower-case, do not end with a period

• Description

• Rationale: describe rationale of change and approach taken
• Issues: Indicate issues fixed via: fixes #xxx or closes #xxx
• Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>

• Sensitive Modules (requires 2 PR approvers)

• IAM document library (in @aws-cdk/aws-iam)
• EC2 security groups and ACLs (in @aws-cdk/aws-ec2)
• Grant APIs (if not based on official documentation with a reference)

[mergify]

Pull Request Checklist

• Testing

• Unit test added (prefer to add a new test rather than modify existing tests)
• CLI change? Re-run/add CLI integration tests

• Documentation

• Inline docs: make sure all public APIs are documented (copy & paste from official AWS docs)
• README: update module README
• Design: for significant features, follow the design process

• Title uses the format type(scope): text

• Type: fix, feat, refactor go into CHANGELOG, chore is hidden
• Scope: name of the module without the aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
• Style: use all lower-case, do not end with a period

• Description

• Rationale: describe rationale of change and approach taken
• Issues: Indicate issues fixed via: fixes #xxx or closes #xxx
• Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>

• Sensitive Modules (requires 2 PR approvers)

• IAM document library (in @aws-cdk/aws-iam)
• EC2 security groups and ACLs (in @aws-cdk/aws-ec2)
• Grant APIs (if not based on official documentation with a reference)

[mergify]

Codebuild (Continuous Integration) build failed for current commits. Please check log and resolve before PR is merged.

[mergify]

Codebuild (Continuous Integration) build failed for current commits. Please check log and resolve before PR is merged.

[rix0rrr]

See previous comments.

[mergify]

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

• PR title type(scope): text
  • type: fix, feat, refactor go into CHANGELOG, chore is hidden
  • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
  • text: use all lower-case, do not end with a period, do not include issue refs
• PR Description
  • Rationale: describe rationale of change and approach taken
  • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
  • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
• Testing
  • Unit test added. Prefer to add a new test rather than modify existing tests
  • CLI or init templates change? Re-run/add CLI integration tests
• Documentation
  • README: update module README to describe new features
  • API docs: public APIs must be documented. Copy from official AWS docs when possible
  • Design: for significant features, follow design process

[rix0rrr]

Looks like interest in this PR has died out. To clean up our queue, I'm going to close it. Feel free to reopen if someone wants to revive it.

[aletheia]

Any update about this? I am using

     const certificate = new certificateManager.DnsValidatedCertificate(this, 'Certificate', {
                        domainName: domain,
                        hostedZone: zone,
                        region: region,
                    });

with eu-west-1 as region and it's failing certificate validation

[nmussy]

@aletheia That sounds unrelated to this PR. This is just a user experience improvement, preventing the deployment of a stack containing a CloudFront distribution with a certificate that isn't located in us-east-1. It wouldn't affect certificate validation.

Feel free to open another issue with additional details if you can't figure it out though!

[aletheia]

The issue already exists and it's open since Jul 29th #3464
Unfortunately still no answers on that.

BTW this PR could have saved me almost 2 hrs before I figured out attribute "region" is not honored

[rix0rrr]

What do you mean the region attribute is not being honored?

[aletheia]

If I specify a different region than us-east-1 certificate validation stay stuck until stack timeout Il giorno mer 25 set 2019 alle 15:54 Rico Huijbers <notifications@github.com> ha scritto:

What do you mean the region attribute is not being honored? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3485?email_source=notifications&email_token=AAE7T7ZNTGEGNIG62MZFFG3QLNUQBA5CNFSM4IH7H2AKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7R7VAI#issuecomment-535034497>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAE7T72TOZEOGFWQ5ZCZ2J3QLNUQBANCNFSM4IH7H2AA> .

-- Luca Bianchi Mobile: +39 328 6867731 Mail: bianchi.luca@gmail.com