# yaml
f
Following this question https://pulumi-community.slack.com/archives/CRH5ENVDX/p1704767107558509: the YAML docs are of very poor quality, how can I contribute to improve them?
g
This is maybe not helpful to you, but maybe it is. I have used AWS certs and cert validations, DNS, etc. in Pulumi YAML in multiple projects. I have had quite a few seemingly impossible errors like this. In every case, it was always me doing something wrong, like referencing the wrong cert, or creating the validation in the wrong region, etc.
This is my working config right now, maybe it will help.
# Enclosing Pulumi YAML key (the resources below live under it)
resources:
  ###########################################
  #  A C M   C E R T
  # ----------------------------------------
  # Create a cert for the custom API gateway domain and validate it via DNS record
  # https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificate/
  # https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificatevalidation/
  ###########################################
  cert_wildcard:
    type: aws:acm:Certificate
    properties:
      domainName: "*.${varConstructedDomainWithProductionTrimmed}"
      validationMethod: "DNS"
      # AWS tags
      tags:
        Environment: ${pulumi.stack}
        CreatedBy: pulumi
  # Waits until ACM sees the DNS record below and the cert leaves PENDING_VALIDATION
  cert_wildcard_validation:
    type: aws:acm:CertificateValidation
    properties:
      certificateArn: ${cert_wildcard.arn}
      validationRecordFqdns:
        - ${dns_certvalidation.fqdn}

  # Route 53 record for cert validation (CNAME name/value/type come from the cert)
  # https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificatevalidation/
  dns_certvalidation:
    type: aws:route53:Record
    properties:
      zoneId: ${varRoute53ZoneID}
      name: ${cert_wildcard.domainValidationOptions[0].resourceRecordName}
      records:
        - ${cert_wildcard.domainValidationOptions[0].resourceRecordValue}
      type: ${cert_wildcard.domainValidationOptions[0].resourceRecordType}
      ttl: 60
I notice you are overriding the provider to use us-east-1. I don't need to do this 🤷, maybe this is where your problem is. I remember I had to do this a long time ago, but don't anymore. Maybe Pulumi automatically handles it now.
f
Thanks @gifted-gigabyte-53859, it was actually quite the opposite: if I do not specify the us-east-1 provider (in both the certificate definition AND the validation config) it just can't find the certificate; otherwise it is OK but fails with a timeout in pending validation. I will try your example where you completely eliminate mentions of the provider.
Interestingly, even a manually created cert and semi-manually created Route 53 records (from the console, by AWS itself) also hang in validation; seems like an AWS issue to me, but I will never stop experimenting. A little worrying is the need to have a manually created hosted zone; seems like AWS does not like to have the hosted zone defined as IaC, this may be an issue.
g
Yes, interesting. I did not try to create the zone with IaC, always did it manually. I also had a similar issue where it would time out during the validation stage. I wish I could remember exactly what the issue was. I remember deleting all DNS records, then retrying the manual validation (manually, from the console, click 'create DNS records') and seeing if it works. If it works, compare the manually created records with the ones you created via IaC. It may reveal something.
f
That was an issue with the hosted zone: I had to change the NS records for the domain to match the hosted zone, and take the zone out of Pulumi's control.