feat(certificatemanager): native CloudFormation DNS validated certificate #8552
Conversation
…cate Automatically adding Amazon Route 53 CNAME records for DNS validation is now natively supported by CloudFormation. Add a `validation` prop to `Certificate` to handle both email and DNS validation. Deprecate `DnsValidatedCertificate`. The default remains email validation (non-breaking). Closes aws#5831 Closes aws#5835 Closes aws#6081 Closes aws#6516 Closes aws#7150 Closes aws#7941 Closes aws#7995 Closes aws#7996
|
What should be done here? If we replace See also aws-cloudformation/cloudformation-coverage-roadmap#523 |
|
Any news on this? Recently a lot of |
| ```ts | ||
| new Certificate(this, 'Certificate', { | ||
| domainName: 'hello.example.com', | ||
| validation: CertificateValidation.fromDns(), |
There was a problem hiding this comment.
I feel like the README here should call out the same warning from the fromDns documentation about needing to manually add the DNS records before CloudFormation can succeed. Might even be worth having the Route53 example first (as the thing people are most likely to copy/paste and use), and then call out the outside-DNS example with the warning about the need for manual intervention.
| * @deprecated use the `validation` prop with `CertificateValidation.fromDns()` | ||
| * on `Certificate`. |
There was a problem hiding this comment.
Counter-argument -- this custom resource-based approach allows for cross-region cert creation, which the native CloudFormation support doesn't allow (AFAIK). It might be worth not deprecating it, and noting this use case in the README. What do you think?
There was a problem hiding this comment.
Good point. For information, it's in the CF roadmap aws-cloudformation/cloudformation-coverage-roadmap#523.
This also solves my question here #8552 (comment)
| * @param hostedZone the default hosted zone to use for all domains in the certificate | ||
| * @param hostedZones a map of hosted zones to use for domains in the certificate | ||
| */ | ||
| public static fromDns(hostedZone?: route53.IHostedZone, hostedZones?: { [domainName: string]: route53.IHostedZone }) { |
There was a problem hiding this comment.
I'm trying to think of a better way to do this interface. As-is, it's not clear how to use it -- if I need to provide the hostedZones map, do I also need to provide the hostedZone? If so, does it matter which is the "main" zone and which appears in the map? One other thought -- domain names to hosted zones are N:1; you may have 10 domain names with two top-level hosted zones; flipping the map around may be slightly more usable for some customers (I don't have the data to back that up off-hand though).
Maybe breaking this into two would alleviate some of the problems:
public static fromDns(hostedZone?: route53.IHostedZone) {...}
public static fromDnsMultiZone(hostedZoneMap: { [domainName: string]: route53.IHostedZone) {...}
Open to better naming and disagreements.
| Use the `DnsValidatedCertificate` construct for cross-region certificate creation: | ||
|
|
||
| ```ts | ||
| new DnsValidatedCertificate(this, 'CrossRegionCertificate', { |
There was a problem hiding this comment.
Should we do:
export class CrossRegionDnsValidatedCertificate extends DnsValidatedCertificate {
constructor(scope: cdk.Construct, id: string, props: DnsValidatedCertificateProps) {
super(scope, id, props);
}
}to get a better naming?
There was a problem hiding this comment.
I don't think it's worth it, especially considering cross-region support is on the roadmap for CloudFormation. Let's just leave it as-is and deprecate it once we can.
| @@ -1,26 +0,0 @@ | |||
| import * as route53 from '@aws-cdk/aws-route53'; | |||
There was a problem hiding this comment.
Can you un-delete this file, given we are not (yet) deprecating the DnsValidatedCertificate?
@njlynch can you re-approve? |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Automatically adding Amazon Route 53 CNAME records for DNS validation is
now natively supported by CloudFormation.
Add a
validationprop toCertificateto handle both email and DNSvalidation.
DnsValidatedCertificateis now only useful for cross-regioncertificate creation.
The default remains email validation (non-breaking).
Closes #5831
Closes #5835
Closes #6081
Closes #6516
Closes #7150
Closes #7941
Closes #7995
Closes #7996
Closes #8282
Closes #8659
Closes #8783
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license