-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
certificatemanager: DnsValidatedCertificate tags with cross-stack usage fails on upgrade to 1.100 #14519
Comments
Thanks for filing the issue, and sorry for the inconvenience. Can you provide a bit more detail to help us come up with a solution? I believe this is because the modification to the Custom Resource is triggering an ID change, which in turn alters the ID of the export, but it's not clear that's the case from the images shown. Can you show the output of It also seems like the workaround (explicitly removing tags from the custom resource) should work. In your example ( It seems like the bug here is less that the custom resource is being tagged, and more that the change to the custom resources is causing the cross-stack references to break. This is a general problem we talk about in our docs (see https://docs.aws.amazon.com/cdk/api/latest/docs/core-readme.html#removing-automatic-cross-stack-references), but in this case we should try to find an automated way to work around this. |
The tags visible in the example is due to an Aspect tagging all resources in the CDK app. As of CDK 1.100, by #13990, the DnsValidatedCertificate construct is taggable and will propagate them to the custom resource. Both the create and update operations of the custom resource of DnsValidatedCertificate will create a new certificate, and perform cleanup afterwards. So tags can never be modified, nor added initially on an existing resource, without causing a replacement. The update operation should be able to reuse an existing physical resource if possible, and only create a new physical resource if it is incompatible. (As a workaround for this example, modifying the Aspect so it ignores DnsValidatedCertificate is needed to prevent the tags to be added.) |
@henrist , @jsii.implements(cdk_core.IAspect)
Aspects.of(app).add(RemoveTags()) |
Simply modify the existing aspect so it does not add tags to the resource. See e.g. capralifecycle/liflig-cdk@0d09652#diff-077227343fd51db7365fbf2f2db1be0fd3bb3066376de11f8c381ade83dd6dfc |
(Tagging @timothy-farestad just for awareness.) Reproduced with a minimal example (deploy both stacks with cdk 1.99.0; upgrade to 1.100.0; deploy Stack A (or both)):
The Tags can actually be removed, you just need to specify the
However, this doesn't actually solve the problem. The IAM Policy and Lambda Function associated with the Custom Resource have changed, regardless of if tags are applied or not, which still causes the same issue. The same issue would present if the Lambda function was changed in any way at all (even adding a comment). The real solution is likely to make the Lambda function smarter; currently, the on "Update", the function still just requests a new certificate. If the actual properties of the certificate haven't changed, this should be a no-op; if only tags have changed, we should be able to add/remove tags intelligently. This is the relevant bit of the code that's not intelligent enough yet: Lines 246 to 256 in 46a1631
The solution here will likely involve comparing the It seems like this issue impacts a significant number of customers, and I've tagged it as P1, which means it should be on our near-term roadmap. If anyone is interested in taking a stab at the fix, I'd be more than happy to work with you. If you are able, we encourage you to contribute a bug fix. |
Hi @njlynch , |
Encountered this in a personal project of mine and happy to take a stab at a fix, but this is my first PR and might be good to have some help on this. I don't assume there's been any update since last year? |
…Certificate (#22122) This PR adds a method override for applyRemovalPolicy which allows the user to specify a removal policy for the DnsValidatedCertificate construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the RemovalPolicy is set to retain. This is also needed to allow for an easier migration from DnsValidatedCertificate -> Certificate reroll of #22040 This has the same changes as #22040 with the addition of some logic to handle only processing updates for certain parameters. If `RemovalPolicy` is changed for example, the update will not be processed. I also added an integration test with some manual instructions. In order to test ACM certificates I also updated the integ-runner to handle some additional special env variables. fixes #20649, fixes #14519 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
…Certificate (aws#22122) This PR adds a method override for applyRemovalPolicy which allows the user to specify a removal policy for the DnsValidatedCertificate construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the RemovalPolicy is set to retain. This is also needed to allow for an easier migration from DnsValidatedCertificate -> Certificate reroll of aws#22040 This has the same changes as aws#22040 with the addition of some logic to handle only processing updates for certain parameters. If `RemovalPolicy` is changed for example, the update will not be processed. I also added an integration test with some manual instructions. In order to test ACM certificates I also updated the integ-runner to handle some additional special env variables. fixes aws#20649, fixes aws#14519 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…Certificate (aws#22122) This PR adds a method override for applyRemovalPolicy which allows the user to specify a removal policy for the DnsValidatedCertificate construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the RemovalPolicy is set to retain. This is also needed to allow for an easier migration from DnsValidatedCertificate -> Certificate reroll of aws#22040 This has the same changes as aws#22040 with the addition of some logic to handle only processing updates for certain parameters. If `RemovalPolicy` is changed for example, the update will not be processed. I also added an integration test with some manual instructions. In order to test ACM certificates I also updated the integ-runner to handle some additional special env variables. fixes aws#20649, fixes aws#14519 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Now that the official CloudFormation resource `AWS::CertificateManager::Certificate` (CDK's `Certificate` construct) supports DNS validation we do not want to recommend using the `DnsValidatedCertificate` construct. The `DnsValidatedCertificate` construct uses CloudFormation custom resources to perform the certificate creation and this creates a lot of maintenance burden on our team (see the list of linked issues). Currently the primary use case for using `DnsValidatedCertificate` over `Certificate` is for cross region use cases. For this use case I have updated the README to have our suggested solution. The example in the README is tested in this [integration test](https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-cross-region-cert.ts) fixes #8934, #2914, #20698, #17349, #15217, #14519 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
i am using certificatemanager.DnsValidatedCertificate(python version) to create and validate the certificate ,
this was working fine until cdk version(1.100.0) with 1.100.0 DnsValidatedCertificate is adding Tags to the custom resource as shown below .
because of these tags it is trying to update the custom resource and fails with the error as shown below .
i have tried to remove these tags explicitly by using the remove tags method but it could not remove them.
cdk_core.Tags.of(core).remove(
"ApplicationName", include_resource_types=["AWS::CloudFormation::CustomResource"]
)
Reproduction Steps
self.hosted_zone_wildcard_certificate_us_east_1 = certificatemanager.DnsValidatedCertificate(
self,
"DnsValidationUsEast1",
hosted_zone=self.hosted_zone, # type: ignore
domain_name="*." + self.hosted_zone_name,
region="us-east-1",
)
if self.hosted_zone_wildcard_certificate_us_east_1 is used in another stack then it will fail.
What did you expect to happen?
this should not update the custom custom .
What actually happened?
it was not suppose to update the custom resource by adding the Tags to the custom resource.
Environment
Other
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: