# aws
b
It shouldn't invalidate an already-validated cert. You've proven that you control the domain so you should be good for the lifetime of the cert. However, AWS will automatically renew your cert at expiration time if that r53 record still exists. Otherwise your cert will expire.
g
Thanks, that's what I thought. I wonder how I can resolve this problem? I'm not sure if I can simply query for the existing record and then just
if not exists: create r53.Record()
due to the async behaviour of the pulumi program.
b
are these certs part of the same pulumi program or separate pulumi programs?
Can't a cert be used in multiple regions? I guess even if you need a separate cert for each region - it sounds like the best solution would be to lift the cert + validation out into a separate shared infrastructure pulumi program. This shared infrastructure pulumi program could take in an array of regions that you need to make the cert for, and merge the required validation records by uniqueness so you're only making 1 r53 validation record. Then the shared infra pulumi program could output a dictionary of
cert region: cert arn
g
I'm creating a reusable component which may be used in any pulumi program
b
It doesn't make sense to me that ACM certs would be region locked. Under the hood they're just SSL certs which should have no concept of AWS regions. And when I look at my existing ACM certs I don't see any of them specifying a region. Is it really the case that a cert created with one region can't be used anywhere?
g
Yes, you cannot reference certs from a different region; that's also why CloudFront requires certs present in us-east-1. It's silly from AWS, and I agree that ACM should be a global service.
b
Crazy, I guess it might have to do with the region determining where they are physically holding the cert files or something. Still seems weird
g
If you are a big enough customer, I'd ask AWS why it is not a global service.