Comments (12)
I really can't see how this could possibly be described as 'working as intended'.
I have a CDK stack that provisions a Route53 hosted zone as a subdomain which is used solely routing to the stacks resources. When I create certificates, I use DNS validation against my newly created hosted zone.
This all works fine on creation, but rollback and destroy are BROKEN!
The stack can never roll-back correctly because the route53 hosted zone can never be deleted. Instead, the stack ends up in a broken state that requires manual intervention.
I think that what I am describing is a pretty standard way to use hosted zones through route53. As things stand it feels like the only options are:
- Manually setup and teardown hosted zones (i.e. they are just not supported by CDK/CloudFormation)
- Accept that all automated rollbacks/destroys won't work (i.e. essentially that CDK does not support CI/CD)
from cloudformation-dns-certificate.
First, thank you for investigating that issue.
Is this required for your use case?
From a maintenance point of view, it would be desirable to avoid piling up deprecated CNAME records if there are no matching certificates left. It would be interesting to understand under which circumstances the same validation record is used for multiple certificates in ACM. As you created an duplicate of an existing certificate, it seems somehow understandable that they use the same validation record. However, I was not able to reproduce that with certs for different hosts/subdomains. Do you have additional insights here? If only multiple certs for the same domain are affected, one could image a check for the existence of other certs with the same subject, and if there are none delete the validation record as well?
Edit: Checked the AWS documentation.
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html
-
Structure of generated validation record:
The values are long random strings generated by ACM
, so it's not a hash or something one can derive programmatically. -
This seems to describe the behavior you observed:
You can request additional ACM Certificates for your FQDN for as long as the DNS record remains in place. That is, you can create multiple certificates that have the same domain name. You do not need to get a new CNAME record.
-
Another case would be this particular example, where the validation record is the same for two "different" domains:
...the random string created by ACM for the wildcard name *.example.com is the same as that created for the base domain name example.com.
Assuming these two are the only exceptions from the rule, maybe it's possible to consider an improvement covering them, and otherwise delete the validation record.
Anyway, thanks for your time and the effort you put it here.
from cloudformation-dns-certificate.
Hi, thanks for creating an issue.
This is expected behaviour. I've observed ACM use the same validation record for identical but distinct Certificates. This makes it difficult to delete the records along with the certificate, as I can't be sure they aren't being used by another Certificate.
I'll leave this issue open while I check this is still the case.
from cloudformation-dns-certificate.
I've just created a duplicate of an existing certificate using this custom resource, and ACM used the same validation record.
If the resource deleted the record when the certificate was deleted, the remaining certificate would fail to renew. I don't believe this behaviour can be safely implemented π¬
Is this required for your use case?
from cloudformation-dns-certificate.
I'm going to think about this a bit more :)
from cloudformation-dns-certificate.
Thanks for this info - probably worthy of an option (off by default), for CF stacks for which it's known they are the exclusive thing managing the domain/SSL.
from cloudformation-dns-certificate.
the issue we've been hitting with this is that if you re-create a stack on the same domain and ACM chooses the same validator record, the step fails. so an alternative would be to ignore duplicate records.
from cloudformation-dns-certificate.
Hi @gfodor, re-creating the same certificate should not fail and is a defect. Can you create another issue to describe what you've seen?
from cloudformation-dns-certificate.
from cloudformation-dns-certificate.
It's kind of hilarious - I opened a ticket with AWS about this feature. And they sent me a link to this GitHub repository:
I was also able to get an open GitHUb issue where the users have discussed about different use cases where the automatic deletion of the DNS validation records will be an issue. Please check and let me know if you have any questions.
For now, I am going to resolve this case as the time frame is not guaranteed and usually will not be shared with the AWS Premium Support teams.
What in the world is this repository and issue going to do for me - magically fix the internal AWS infrastructure? Is this even an AWS codebase?
from cloudformation-dns-certificate.
@jeff1evesque I can confirm this is not an AWS codebase π.
This cloudformation resource pre-dates the ability for the AWS::CertificateManager::Certificate
to do DNS validation.
It is still useful for cross-region certificates and cross-account validation, but won't help with removing unused validation records.
from cloudformation-dns-certificate.
Just as an update the functionality requested in this issue is actually available using acm.DnsValidatedCertificate
via the cleanup_route53_records = True
option. But not on the standard Certificate
construct.
However, I understand that DnsValidatedCertificate
is being deprecated in favour of Certificate
, despite the latter not supporting the cleanup_route53_records
or region
options, making it essentially useless...
from cloudformation-dns-certificate.
Related Issues (15)
- Is there a way to retrieve the ARN of the created certificate? HOT 1
- Timeout Issues HOT 2
- New CF CertificateManager updates
- Throttling exception when a large number of certificates exists HOT 9
- Race condition when creating/updating a large number of certificates HOT 1
- DomainValidationOptions optional? HOT 3
- SubjectAlternativeNames not working properly HOT 13
- Errors while provisioning certificate with SAN values HOT 1
- Warnings from cfn-lint about AWS partitions HOT 3
- Using SubjectAlternativeNames causes unexpected behaviour HOT 5
- Cross-Account Usage Failing HOT 5
- First describe_certificate call does not return DomainValidationOptions HOT 4
- DeprecationWarning botocore.vendored.requests HOT 1
- Ability to skip recordset creation for some domains HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cloudformation-dns-certificate.