-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[aws-certificatemanager] DnsValidatedCertificate support for separate hosted zones and accounts #8934
Comments
Would #8552 solve this? |
While it solves the problem with multiple hosted zones, it doesn't solve cross-account support, afaik. |
see #4469 |
@podoprigo can give some background on how you would use such a certificate? If a Route53 hosted zone is exclusive to a single account, particularly the apex domain Are you trying to do latency based / regional DNS routing across multiple accounts? Like with an ALB or Regional API gateway in each "regional account" that only serves content for that region, but the latency based DNS routing for |
@rrrix - you are right. Since opening this ticket, we pivoted a bit. Our setup is :
Latency based routing is setup in account A. Accounts B,C,...,Z have ACM certs for The plan for stack extension is the following:
It works, but it requires manual intervention and copying strings across stacks. As pointed out by @konstantinj, we'll most probably need to rollout our own automation, if we need it. |
Hi, i have a quick question: Does this issue only regard cross-account use cases? While Would appreciate if DnsValidatedCertificate would support SANs Want to follow with Code-Example: // approach with DnsValidatedCertificate
const cert = new DnsValidatedCertificate(this, "MyCert", {
hostedZone: mainZone, // <- this parameter is not required using the Certificate Class (see below)
domainName: mainZone.zoneName,
region: "us-east-1", // good thing here is i can set region so i can use it with CloudFront
validation: CertificateValidation.fromDnsMultiZone(allZones),
subjectAlternativeNames: sans,
});
//approach with Certificate - does not allow setting region, but doesnt require to set a specific zone
//this works, but only in the current region
const cert = new Certificate(this, "Certificate", {
domainName,
validation: CertificateValidation.fromDnsMultiZone(allZones),
subjectAlternativeNames: sans,
}); Error Message for reference (using DnsValidatedCertificate with multizone):
This writeup turned out longer than expected so im sorry for hijacking this issue |
I agree with what @Tanuel said, that this issue is not just about cross-account. It's quite common to see zone delegation even within single account, since it keeps things a bit more organized, but at the same time there are use cases to having ACM certificate that targets multiple zones. Then again, having to deploy CloudFront certificate separately in different stack to different region ( Having support for setting the |
I need this feature too. It's common to centralize Domain names and certificates in a single AWS Account. This seems to be the best solution currently: |
Continuing discussion from #12657 I'm posting my setup in case someone can spot an error. It would be great with a workaround for this problem. const certRole = iam.Role.fromRoleArn(this, 'Role', 'arn:aws:iam::222222222222:role/TestRole', { mutable: true });
const dnsValidatedCertificate = new acm.DnsValidatedCertificate(this, 'CrossRegionCertificate', {
domainName: 'sub.domain.com',
hostedZone: domainZone, // Comes from "root account"
region: this.region,
customResourceRole: certRole,
}); TestRole has AdministratorAccess (for the sake of testing), and also an inline policy to assume a role in the root account. {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::111111111111:role/ChildAccountCDKUser"
}
]
} I've added "lambda.amazonaws.com" to the trust relationship for this role (Action: sts:AssumeRole). The ChildAccountCDKUser in the "root account" has AdministratorAccess (for the sake of testing), and also Trust relationship set to allow sts:AssumeRole for "arn:aws:iam::222222222222:root" I'm getting this error:
Any ideas? |
I need this feature too |
Interested in that feature too |
I've found somewhat of a workaround for my use case: USE CASE: -AccountA|HostedZoneA: mydomain.com This certificate will be shared amongst multiple downstream stacks in AccountB My Stack is deployed to AccountB:us-east-2, and includes a cloudfront distribution that needs to use a us-east-1 certificate. The dns validation entry for *.mydomain.com has already been done for AccountB, so that is already handled I use acm.DnsValidatedCertificate to auto-create the *.api.env.mydomain.com entry in HostedZoneB, then use a custom resource to request the Desired Certificate without validation in us-east-1 There's no additional validation steps required after, as the dns validation entries are already in HostedZoneA and HostedZoneB
|
any updates here? |
I don't think this would work with the current custom resource lambda for DnsValidatedCertificate, as it has no logic to change which role or credentials are used when calling the Route53 API. The calls to ACM to create the certificate, and the calls to Route53 to create the DNS records would both be made using the same role, which implies the certificate and DNS records must be in the same account. For it to work, I think the lambda would need to accept another role that it can assume just when calling the Route53 API, and the construct would need to allow the lambda's role to assume it? Or perhaps the certificate and DNS record creation could be done in separate custom resources, so they can each run with separate roles. |
Identified 3 duplicates #15217, #20774 and #21040 that talk about this issue. We really need to up the priority of this issue as it is clear from these duplicates that we need to revise these issues. Recommendations of prerequisites of how to model this with minimal disruption:
With this we have the building blocks to update
At the moment I need to have two stacks, or stick to a single hosted zone, which is quite frustrating as you can imagine. Note: As I primarily use Python the names are derived from the Python Docs in these suggestions. |
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue. |
I actually rather think the reverse is true. So
I'd like to interrogate this a little. Why is having 2 stacks for resources in 2 regions frustrating ? Conversely, adding custom resources and ways to create "out-of-region" resources for every resource where people might want them seems worse: it's less scalable development-wise, and brings more maintenance burden and chance of bugs. Let me offer a different solution that accomplishes ~the same thing: how about we add the ability to make |
I'm the filer of #15217 which has been merged into this. As a developer, I'm a big fan of reusable solutions and the cross-stack, cross-region discussion is a worthy feature that very well may cover a lot of use cases in a general fashion. I will say that the deployment requirements (and not abstract stack/region architecture) dictate that SSL Certificates must be created and live in |
I think based upon codeedog@'s feedback, with regards to this specific use case I think that we should probably talk to ACM about making it possible to create "global" certificates, and fix this issue once and for all. This operational constraint doesn't just apply to CDK. I don't think this will be a trivial change as ACM uses KMS keys that are not global, meaning that certificates cannot be shared between regions. With some architectural and implementation changes I can imagine a situation where either a scope and/or custom key can be provided as part of the certificate creation process. In theory the scope would allow for global certificates that replicated using a multi-region KMS key, and the custom key would even allow for cross-account certificates. However, this looks like it would be a way of, so until we either have a generalized way to create cross region references, or cross-region/cross-account ACM certificates, I personally do not support the deprecation of the |
The goal with my notes here was to minimize disruption, which to me means "don't deprecate the currently preferred method", as that is obviously going to be a breaking change for CDK consumers. That being said, I actually agree with you, creating custom resources when they're not needed is not scalable. We should minimize the number of custom code paths we need to manage. So ultimately, deprecation of this resource is going to be preferred, and in fact seems to what has been decided for CDK 3 as per #21982. However, there is one thing that |
Now that the official CloudFormation resource `AWS::CertificateManager::Certificate` (CDK's `Certificate` construct) supports DNS validation we do not want to recommend using the `DnsValidatedCertificate` construct. The `DnsValidatedCertificate` construct uses CloudFormation custom resources to perform the certificate creation and this creates a lot of maintenance burden on our team (see the list of linked issues). Currently the primary use case for using `DnsValidatedCertificate` over `Certificate` is for cross region use cases. For this use case I have updated the README to have our suggested solution. The example in the README is tested in this [integration test](https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-cross-region-cert.ts) fixes #8934, #2914, #20698, #17349, #15217, #14519 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Hello! I see that this issue has been closed, but it looks like at least one of the limitations covered by this issue remains: namely that I cannot use CDK to create and validate an ACM certificate if validation requires DNS entries in a Route 53 hosted zone that is located in another account. I cannot see any other open issues covering this, so I'd like to try and resume discussion - as per the Comment visibility warning above I'm tagging previous commenters @taylorb-syd and @corymhall for visibility; shout if I should take this chat elsewhere. I would make the case that this use case is a reasonable, and indeed desirable, thing to do when following best practices about using multiple AWS accounts in an organisation (AWS has various recommendations around this as per aws multiple account best practices - Google Search). To summarise my own use case that led me here: I have a Route 53 hosted zone for myproduct.myorg.example that is located in a "core infrastructure" AWS account. Following best practice, I then have separate AWS accounts for each stage of my service to reduce the blast radius of issues. Naturally, I want my production website to be accessible at the apex of myproduct.myorg.example rather than something like website.eu-west-1.prod.myorg.example and so I need to create an ACM TLS certificate in the EU-prod account, but validating this requires DNS entries in the core account with the top-level hosted zone, which means I cannot use either I see that there was an effort by @johnf to solve this for So a few concrete questions to try progress the conversation:
|
Hey all, just wanted to share an approach that worked for us. Also to specifically answer @chrispaton question 1 . We basically emulated the behavior of CrossAccountZoneDelegationRecord. As a summary, the approach that construct takes is:
We can do the same thing here for DNS validation. I believe the PR that was closed for this issue was taking a similar approach. Still, one could accomplish the same end result by implementing their own Lambda and AWSCustomResource to invoke it. For example, first you'd have to create the ACM certificate and tell the CDK you'll be doing DNS validation yourself by providing
You'll also have to create the lambda function(s) yourself but there is plenty of documentation on creating a Lambda Function (including a NodeJS Lambda Function). Depending on the language you write the Lambda function in, you'll have to find the right AWS SDK (e.g., boto3 for Python). The lambda's logic is too verbose and AWS SDK language-specific to put useful snippets here but at a high level it would accomplish something like:
This also gets more complicated if the domain has additional domain names which may be owned by separate AWS accounts. In that case you'll have to get a bit fancier with how you write the Lambda function(s) to make them more versatile/dynamic, or create separate custom resources (be mindful that they have a different physical ID). Although the above works, it is a lot of work to implement, with a lot of pitfalls. Ideally, this should be abstracted and centralized into the AWS CDK with a neat high level construct (like Is the above approach acceptable to the repository owners? If so, then we could have a path forward for a PR which could get merged into CDK and finally address this years-old feature request. Just spitballing the goal's construct behavior but what if the CDK construct was extended to support something like:
Alternatively, can take an approach more like fromDnsMultiZone, introducing a new
I personally prefer the second option. Assuming this might be acceptable, then I might have a go at implementing this in the AWS CDK and raising a PR. Thoughts @taylorb-syd , @TheRealAmazonKendra ? |
Hello there!
Currently, DnsValidatedCertificate construct only allows using a single hosted zone.
If the ACM certificate I'm creating needs SANs that belong to multiple hosted zones, stack creation fails.
DnsValidatedCertificate
should allow skipping/waiting for SANs that belong to different hosted zones. For example, it would update correct DNS records in the target hosted zone, and display validation records for the zones it doesn't have access to, while halting stack update.Use Case
I'm working on a project that involves separate AWS accounts per region/stage.
My 'root' AWS account contains the hosted zone for the root domain (example.com), while regional accounts contain hosted zones for sub-domains (us-west-2.example.com, us-east-1.example.com).
While I can work around hosted zones creation (and the necessity to copy NS records from
us-west-2.example.com
toexample.com
), doing the same for ACM certificates is quite difficult.For example, I need to create a certificate for
us-west-2.example.com
, with a SAN record forexample.com
.DnsValidatedCertificate
doesn't allow me to do that, since it tries to updateus-west-2.example.com
's DNS with 2 validation records, and the one forexample.com
doesn't belong there.Certificate
also doesn't allow me to do that, since it waits for DNS records to be updated : one forexample.com
and one forus-west-2.example.com
. The problem here is that both hosted zone and certificate forus-west-2.example.com
are in the same stack, so I have a bit of a chicken/egg problem.This is a 🚀 Feature Request
The text was updated successfully, but these errors were encountered: