Does anyone know if deleting ACM validation R53 re...
# aws
g
Does anyone know if deleting the ACM validation R53 record invalidates the certificate? I have a component resource that creates an ACM certificate and validates it in R53. The problem is that if I create another certificate with the same domain name in another region, it generates the same CNAME -> https://github.com/hashicorp/terraform-provider-aws/issues/7918 One of the options suggested was to use `allow_overwrite=True` with `r53.Record()`.
Assume `cert.domain.com` is the name.
1) Create the certificate in region `eu-west-1` for `cert.domain.com`; this generates the validation CNAME `1234.aws.validate.com` and creates the CNAME in R53.
2) Create the certificate in region `us-east-1` for `cert.domain.com`; this generates the same validation CNAME `1234.aws.validate.com` and overwrites the CNAME in R53.
3) Delete the certificate from step 2); this removes the CNAME from R53. However, the cert from step 1) may still require this CNAME to be present. Or does CertificateValidation take care of recreating it?
b
It shouldn't invalidate an already-validated cert. You've proven that you control the domain so you should be good for the lifetime of the cert. However, AWS will automatically renew your cert at expiration time if that r53 record still exists. Otherwise your cert will expire.
g
Thanks, that's what I thought. I wonder how I can resolve this problem? I'm not sure if I can simply query for the existing record and then just `if not exists: create r53.Record()`, due to the async behaviour of the pulumi program.
b
are these certs part of the same pulumi program or separate pulumi programs?
Can't a cert be used in multiple regions? I guess even if you need a separate cert for each region, it sounds like the best solution would be to lift the cert + validation out into a separate shared infrastructure pulumi program. This shared infrastructure pulumi program could take in an array of regions that you need to make the cert for, and merge the required validation records by uniqueness so you're only making 1 r53 validation record. Then the shared infra pulumi program could output a dictionary of `cert region: cert arn`.
g
I'm creating a reusable component which may be used in any pulumi program
b
It doesn't make sense to me that ACM certs would be region locked. Under the hood they're just SSL certs which should have no concept of AWS regions. And when I look at my existing ACM certs I don't see any of them specifying a region. Is it really the case that a cert created with one region can't be used anywhere?
g
Yes, you cannot reference certs from a different region. That's also why CloudFront requires certs to be present in us-east-1. It's silly from AWS and I agree that ACM should be a global service.
b
Crazy, I guess it might have to do with the region determining where they are physically holding the cert files or something. Still seems weird
g
If you are a big enough customer, I'd ask AWS why it is not a global service.