Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
g
great-sunset-355
08/02/2021, 12:35 PMDoes anyone know if deleting ACM validation R53 record invalidates the certificate?
I have a component resource that creates a ACM certificate and validates it in R53. The problem is if I create another certificate with the same domain name in another region it generates the same CNAME -> https://github.com/hashicorp/terraform-provider-aws/issues/7918
One of the options suggested was to use
allow_overwrite=Truer53.Record()<http://cert.domain.com|cert.domain.com>eu-west-1<http://cert.domain.com|cert.domain.com><http://1234.aws.validate.com|1234.aws.validate.com>us-east-1<http://cert.domain.com|cert.domain.com><http://1234.aws.validate.com|1234.aws.validate.com>b
bored-oyster-3147
08/02/2021, 1:14 PMIt shouldn't invalidate an already-validated cert. You've proven that you control the domain so you should be good for the lifetime of the cert.
However, AWS will automatically renew your cert at expiration time if that r53 record still exists. Otherwise your cert will expire.
g
great-sunset-355
08/02/2021, 1:32 PMThanks that's what I thought, I wonder how can I resolve this problem?
I'm not sure if I can simply query for existing record and the just
if not exists: create r53.Record()b
bored-oyster-3147
08/02/2021, 1:33 PMare these certs part of the same pulumi program or separate pulumi programs?
Can't a cert be used in multiple regions? I guess even if you need a separate cert for each region - it sounds like the best solution would be to lift the cert + validation out into a separate shared infrastructure pulumi program.
This shared infrastructure pulumi program could take in an array of regions that you need to make the cert for, and merge the required validation records by uniqueness so you're only making 1 r53 validation record. Then the shared infra pulumi program could output a dictionary of
cert region: cert arng
great-sunset-355
08/03/2021, 11:45 AMI'm creating a reusable component which may be used in any pulumi program
b
bored-oyster-3147
08/03/2021, 12:29 PMIt doesn't make sense to me that ACM certs would be region locked. Under the hood they're just SSL certs which should have no concept of AWS regions. And when I look at my existing ACM certs I don't see any of them specifying a region. Is it really the case that a cert created with one region can't be used anywhere?
g
great-sunset-355
08/03/2021, 12:50 PMYes, you cannot reference certs from different region that's also why cloudfront requires certs present in us east 1, it's silly from AWS and I agree that ACM should be a global service
b
bored-oyster-3147
08/03/2021, 12:57 PMCrazy, I guess it might have to do with the region determining where they are physically holding the cert files or something. Still seems weird
g
great-sunset-355
08/04/2021, 6:01 PMif you are big enough customer I'd ask AWS why is it not a global service