(certificatemanager): stack loses track of DnsValidatedCertificate #17349
Comments
williamputraintan
added
bug
github-actions
bot
added
the
@aws-cdk/aws-certificatemanager
peterwoodworth
changed the title
ryparker
added
effort/small
|
Thanks for this bug report. It does indeed look like the custom resource handler always requests a new certificate (for a create/update), without deleting any existing certificates. Given each update -- sans metadata like tags -- requires a new certificate, this is a likely scenario and should probably be addressed. In the meantime, I always strongly recommend you use the |
|
@njlynch A lot of people use |
Now that the official CloudFormation resource `AWS::CertificateManager::Certificate` (CDK's `Certificate` construct) supports DNS validation we do not want to recommend using the `DnsValidatedCertificate` construct. The `DnsValidatedCertificate` construct uses CloudFormation custom resources to perform the certificate creation and this creates a lot of maintenance burden on our team (see the list of linked issues). Currently the primary use case for using `DnsValidatedCertificate` over `Certificate` is for cross region use cases. For this use case I have updated the README to have our suggested solution. The example in the README is tested in this [integration test](https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-cross-region-cert.ts) fixes #8934, #2914, #20698, #17349, #15217, #14519 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
What is the problem?
After
aws_certificatemanager.DnsValidatedCertificatehas been deployed and modifyingaws_certificatemanager.DnsValidatedCertificatewhile it still has apendingstatus it will just create a new one and old ones are being forgotten. As a result, a lot of certificates are created but does not belong to a cdk stackReproduction Steps
aws_certificatemanager.DnsValidatedCertificatewith a pending status (Reason for this, it needs manual validation from a different account, typo on alternative domain name)aws_certificatemanager.DnsValidatedCertificate(for example add a new alternative domain name, or fix typo domain name)What did you expect to happen?
The previous certificate is deleted and is replaced with the new certificate with the new configuration. Or at least a warning of the previous certificate is not deleted.
What actually happened?
New certificates keep on regenerating with the old one is not tracked with the cdk anymore.
CDK CLI Version
1.130.0 (build 9c094ae)
Framework Version
No response
Node.js Version
N/A
OS
Windows
Language
Python
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: