
DNS validation with aws-certificate-manager #605

Closed
hassankhan opened this issue Aug 19, 2018 · 4 comments
Labels
feature-request A feature should be added or improved.

Comments

@hassankhan

hassankhan commented Aug 19, 2018

CloudFormation now supports validating ACM certificates with DNS, however it seems a little gnarly, integration-wise.

In an ideal world, we could retrieve the verification CNAME as a return value and add it to a hosted zone automatically.

@mindstorms6
Contributor

ACM uses CNAME (Canonical Name) records to validate that you own or control a domain. When you choose DNS validation, ACM provides you one or more CNAME records to insert into your DNS database. During stack creation, CloudFormation emits a CREATE_IN_PROGRESS event which lists these CNAME records. They are displayed in the Status reason column on the Events page for the stack. In order for CloudFormation to complete stack creation, you must add the CNAME records to your DNS database. For more information, see Use DNS to Validate Domain Ownership in the AWS Certificate Manager User Guide.

In my mind - this would have to fall back to a custom resource that either "reads" the events and parses it (gross) or calls ACM Describe looking for the pending one (also, not super fun)

Upside - we do it once here - no one really ever needs to know how "gnarly" it is.

Other ideas?

@rix0rrr
Contributor

rix0rrr commented Aug 20, 2018

@mindstorms6, could there ever be more than 1 pending verification on a domain? Because if so, the Describe call cannot work without more information, no? So we'd always have to parse our own CloudFormation stack and look for events with the correct logicalID? Which we don't know either?

Ew.

Might just be easier to do the whole ACM call inside a CustomResource as well?

@mindstorms6
Contributor

Indeed - you can have many pending requests for the same domain - you'd want some sort of disambiguation. CFN might install a tag or something like that.

That being said - I imagine the resource could call "DescribeStackEvents" and we could get the pending physical Id, then call ACM describe and insert the records. That sounds more reasonable to me.
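The workflow sketched in the comment above (read the stack's events to find the pending certificate, call ACM DescribeCertificate, insert the records), written out as an added Python example. This is not the CDK's code and not what the closing commit shipped; it assumes the certificate's CREATE_IN_PROGRESS event already carries the certificate ARN as its PhysicalResourceId, injects the AWS clients so constructed fakes can stand in for boto3 and the whole thing runs offline, and the stack name, hosted zone id, logical ids and ARNs are made-up values. Selecting the certificate by logical id rather than by domain is the disambiguation step rix0rrr asked about, and UPSERT keeps a retried custom resource idempotent.

```python
"""Custom-resource helper for ACM DNS validation (added example, not CDK code).

Assumed flow: DescribeStackEvents -> pending certificate ARN -> ACM DescribeCertificate
-> Route 53 UPSERT of the validation CNAMEs. Clients are injected so the same functions
work with real boto3 clients inside a Lambda or with the constructed fakes below.
"""
from typing import Dict, List, Optional

CERT_TYPE = "AWS::CertificateManager::Certificate"


def find_pending_certificate_arn(cfn, stack_name: str, logical_id: str) -> Optional[str]:
    """ARN (PhysicalResourceId) of the certificate named by logical_id while it is
    still CREATE_IN_PROGRESS. Several certificates for one domain can be pending at
    once, so the logical id, not the domain, picks the one this stack waits on.
    Assumption: the in-progress event already carries the ARN."""
    for page in cfn.get_paginator("describe_stack_events").paginate(StackName=stack_name):
        for event in page["StackEvents"]:  # newest first, as CloudFormation returns them
            if (event.get("ResourceType") == CERT_TYPE
                    and event.get("LogicalResourceId") == logical_id
                    and event.get("ResourceStatus") == "CREATE_IN_PROGRESS"
                    and event.get("PhysicalResourceId")):
                return event["PhysicalResourceId"]
    return None


def validation_records(acm, certificate_arn: str) -> List[Dict[str, str]]:
    """Distinct CNAME records ACM asks for. A wildcard and its apex share one record,
    so duplicates are dropped; ResourceRecord is published asynchronously and can be
    absent right after the request, in which case the caller should retry."""
    cert = acm.describe_certificate(CertificateArn=certificate_arn)["Certificate"]
    seen, records = set(), []
    for option in cert.get("DomainValidationOptions", []):
        rr = option.get("ResourceRecord")
        if option.get("ValidationMethod") != "DNS" or not rr:
            continue
        key = (rr["Name"].lower(), rr["Value"].lower())
        if key not in seen:
            seen.add(key)
            records.append({"Name": rr["Name"], "Type": rr["Type"], "Value": rr["Value"]})
    return records


def build_change_batch(records: List[Dict[str, str]], ttl: int = 300) -> dict:
    """Route 53 ChangeBatch; UPSERT makes a retried custom resource idempotent."""
    return {"Comment": "ACM DNS validation", "Changes": [
        {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": r["Name"], "Type": r["Type"], "TTL": ttl,
            "ResourceRecords": [{"Value": r["Value"]}]}}
        for r in records]}


def install_validation_records(cfn, acm, route53, stack_name, logical_id, hosted_zone_id):
    """One pass of the custom resource; returns (certificate ARN, change batch sent)."""
    arn = find_pending_certificate_arn(cfn, stack_name, logical_id)
    if arn is None:
        raise RuntimeError(f"no pending certificate for {logical_id} in {stack_name}")
    records = validation_records(acm, arn)
    if not records:
        raise RuntimeError("ACM has not published validation records yet; retry later")
    batch = build_change_batch(records)
    route53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    return arn, batch


# ---- constructed fakes standing in for boto3 clients (offline demo only) ----
class _Paginator:
    def __init__(self, pages): self._pages = pages
    def paginate(self, **_): return iter(self._pages)

class FakeCfn:
    def __init__(self, events): self._events = events
    def get_paginator(self, _name): return _Paginator([{"StackEvents": self._events}])

class FakeAcm:
    def __init__(self, certs): self._certs = certs
    def describe_certificate(self, CertificateArn): return {"Certificate": self._certs[CertificateArn]}

class FakeRoute53:
    def __init__(self): self.calls = []
    def change_resource_record_sets(self, **kw):
        self.calls.append(kw); return {"ChangeInfo": {"Status": "PENDING"}}

ARN_A = "arn:aws:acm:us-east-1:123456789012:certificate/aaaa-constructed"  # made-up
ARN_B = "arn:aws:acm:us-east-1:123456789012:certificate/bbbb-constructed"  # made-up
SHARED = {"Name": "_11.example.com.", "Type": "CNAME", "Value": "_22.acm-validations.aws."}

def demo():
    """Two certificates for example.com pending in one stack; only 'SiteCert' is ours."""
    events = [  # constructed DescribeStackEvents output, newest first
        {"ResourceType": CERT_TYPE, "LogicalResourceId": "OtherCert",
         "ResourceStatus": "CREATE_IN_PROGRESS", "PhysicalResourceId": ARN_B},
        {"ResourceType": CERT_TYPE, "LogicalResourceId": "SiteCert",
         "ResourceStatus": "CREATE_IN_PROGRESS", "PhysicalResourceId": ARN_A},
        {"ResourceType": CERT_TYPE, "LogicalResourceId": "SiteCert",
         "ResourceStatus": "CREATE_IN_PROGRESS"},  # earliest event: ARN not assigned yet
    ]
    certs = {ARN_A: {"DomainValidationOptions": [  # constructed DescribeCertificate output
        {"DomainName": "example.com", "ValidationMethod": "DNS", "ResourceRecord": SHARED},
        {"DomainName": "*.example.com", "ValidationMethod": "DNS", "ResourceRecord": SHARED},
        {"DomainName": "api.example.org", "ValidationMethod": "DNS", "ResourceRecord":
            {"Name": "_33.api.example.org.", "Type": "CNAME", "Value": "_44.acm-validations.aws."}},
    ]}}
    r53 = FakeRoute53()
    arn, batch = install_validation_records(FakeCfn(events), FakeAcm(certs), r53,
                                            "demo-stack", "SiteCert", "Z_EXAMPLE")
    return arn, batch, r53.calls
```

In a real Lambda the three fakes are replaced by `boto3.client("cloudformation")`, `boto3.client("acm")` and `boto3.client("route53")`; the "records not published yet" path is what a custom resource would turn into a retry, and the certificate only reaches ISSUED after ACM observes the records, so the resource still has to wait on DescribeCertificate before signalling success.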

@rix0rrr rix0rrr added the feature-request A feature should be added or improved. label Nov 7, 2018
@dnagir

dnagir commented Feb 28, 2019

This would be really useful, especially after seeing how nicely Terraform does it 🙏

@rix0rrr rix0rrr closed this as completed in ae8870d Mar 4, 2019