-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(cloudfront): verify acm certificate is in us-east-1 #3485
feat(cloudfront): verify acm certificate is in us-east-1 #3485
Conversation
@eladb Thanks for the verification, but do you have an insight into this issue? |
const certificate = new certificatemanager.DnsValidatedCertificate(stack, 'TestCertificate', { | ||
domainName: 'www.example.com', | ||
hostedZone, | ||
region: 'eu-west-3', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I should be able to resolve that region, right? It's currently resolved as ${Token[Default.Arn.132]}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DnsValidatedCertificate.certificateArn
returns an Fn::GetAtt token which is only resolved at deploy time. This is why you are seeing a token. The only situation in which you will be able to resolve to a concrete region value is if you using fromCertificateArn
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes this PR kind of useless though. The main use was to not request an unusable certificate. If we already have the ARN for it, it's too late.
Would you be open to deprecating acmCertRef
for a acmCert: Certificate
property, to be able to access the region
property?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just noticed that this will cause a typing issue. acmCertRef
is currently non-optional in the AliasConfiguration
. If I put them both in AliasConfiguration
, I will have to make them optional.
Are you also okay with deprecating aliasConfiguration
instead, and allowing to keep both acmCertRef
and acmCert
required? If yes, I'd a appreciate a suggestion for the new alias
property. 👍
@eladb Any insight into this issue? |
…hrow-invalid-acm-region # Conflicts: # packages/@aws-cdk/aws-cloudfront/package.json
* deprecate acmCertArn -> acmCert * deprecate aliasConfiguration -> aliasConfig
@eladb I finally got this feature where I wanted it to be, but this PR is getting fairly big for a minor UX inconvenience. I'd be fine with aborting it |
Hey, I am going on holiday until 8/26 @rix0rrr can you please follow up on this? My general approach is the the cloudfront library needs an overhaul anyway. It's one of the only libraries we haven't refactored to adhere to our API standards. |
Got it. And enjoy your holidays Elad! |
if (props.aliasConfig) { | ||
const {acmCert} = props.aliasConfig; | ||
|
||
const isDnsCert = (cert: certificatemanager.ICertificate): cert is certificatemanager.DnsValidatedCertificate => |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would rather have some static helper functions in the ACM module to get the region from an ICertificate
. One module grubbing around in the internals of another one without a well-defined public interface to do so seems like a bad idea.
The simplest would be:
class CertificateUtils {
public static certificateRegion(cert: ICertificate): string | undefined {
// Put all that logic here
}
}
/** | ||
* AWS Certificate Manager (ACM) certificate. | ||
*/ | ||
readonly acmCert: certificatemanager.ICertificate; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No abbreviations. acmCertificate
. I think we might even just do certificate
, no?
|
Pull Request Checklist
|
1 similar comment
Pull Request Checklist
|
Codebuild (Continuous Integration) build failed for current commits. Please check log and resolve before PR is merged. |
1 similar comment
Codebuild (Continuous Integration) build failed for current commits. Please check log and resolve before PR is merged. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See previous comments.
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
Looks like interest in this PR has died out. To clean up our queue, I'm going to close it. Feel free to reopen if someone wants to revive it. |
Any update about this? I am using const certificate = new certificateManager.DnsValidatedCertificate(this, 'Certificate', {
domainName: domain,
hostedZone: zone,
region: region,
}); with eu-west-1 as region and it's failing certificate validation |
@aletheia That sounds unrelated to this PR. This is just a user experience improvement, preventing the deployment of a stack containing a CloudFront distribution with a certificate that isn't located in Feel free to open another issue with additional details if you can't figure it out though! |
The issue already exists and it's open since Jul 29th #3464 BTW this PR could have saved me almost 2 hrs before I figured out attribute "region" is not honored |
What do you mean the |
If I specify a different region than us-east-1 certificate validation stay
stuck until stack timeout
Il giorno mer 25 set 2019 alle 15:54 Rico Huijbers <notifications@github.com>
ha scritto:
What do you mean the region attribute is not being honored?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3485?email_source=notifications&email_token=AAE7T7ZNTGEGNIG62MZFFG3QLNUQBA5CNFSM4IH7H2AKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7R7VAI#issuecomment-535034497>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAE7T72TOZEOGFWQ5ZCZ2J3QLNUQBANCNFSM4IH7H2AA>
.
--
Luca Bianchi
Mobile: +39 328 6867731
Mail: bianchi.luca@gmail.com
|
Fixes #3464
Please read the contribution guidelines and follow the pull-request checklist.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license