aws.acm.CertificateValidation deletes the cert aft...
# general
b
aws.acm.CertificateValidation deletes the cert after it is issued
w
Hmm - that doesn't sound right. I use this quite regularly and have never seen it delete the cert. Do you have more details?
b
I can't get the acm/route53 combination to work at all without a few issues. This is what I'm trying to get to work; I have a working terraform version which is basically line-for-line equivalent:
```typescript
import * as aws from "@pulumi/aws";

// domainName and san1 are defined elsewhere in the program (not shown in the post).

// Request a DNS-validated certificate for the domain plus one SAN.
const cert = new aws.acm.Certificate("cert", {
    domainName: domainName,
    subjectAlternativeNames: [san1],
    validationMethod: "DNS",
});

// Look up the ID of the public hosted zone for the domain.
const zone = aws.route53.getZone({
    name: domainName,
    privateZone: false,
}).then(zone => zone.id);

// Validation record for the first domain validation option.
const v1 = new aws.route53.Record("v1", {
    name: cert.domainValidationOptions.apply(opt => opt[0].resourceRecordName),
    records: [cert.domainValidationOptions.apply(opt => opt[0].resourceRecordValue)],
    ttl: 60,
    type: cert.domainValidationOptions.apply(opt => opt[0].resourceRecordType),
    zoneId: zone,
});

// Validation record for the second domain validation option.
const v2 = new aws.route53.Record("v2", {
    name: cert.domainValidationOptions.apply(opt => opt[1].resourceRecordName),
    records: [cert.domainValidationOptions.apply(opt => opt[1].resourceRecordValue)],
    ttl: 60,
    type: cert.domainValidationOptions.apply(opt => opt[1].resourceRecordType),
    zoneId: zone,
});

// Tie the certificate to the FQDNs of both validation records.
const certValidation = new aws.acm.CertificateValidation("cert", {
    certificateArn: cert.arn,
    validationRecordFqdns: [
        v1.fqdn,
        v2.fqdn,
    ],
});
```
pulumi cli : v0.17.28
w
And what exactly happens?
b
my watcher:
```bash
while :; do date ; aws --profile jonjitsu acm describe-certificate --certificate-arn arn:aws:acm:us-east-1:389211687401:certificate/057a6b0b-9967-4d1f-8294-7f3fdd7dce0a; sleep 2; done
```
on a fresh stack pulumi up -y creates a cert and then dies with a large exception. I immediately re-run pulumi up -y and it continues creating v1/v2 records
then the validation kicks in
once the cert is issued validation is up and it disappears
the describe-certificate above starts returning errors
so there's two issues really, one I created a ticket for here: https://github.com/pulumi/pulumi/issues/3063
w
and then dies with a large exception
What exception?
once the cert is issued validation is up and it disappears
What output do you get from pulumi?
b
one of these for each usage in route53 record
TypeError: Cannot read property 'resourceRecordName' of undefined
output:
```
$ pulumi up -y
Previewing update (acmtest1):

     Type                              Name                   Plan        Info
     pulumi:pulumi:Stack               wp-cfn-stack-acmtest1
 +-  ├─ aws:acm:Certificate            cert                   replace     [diff: ~domainName,subjectAlter
 +   ├─ aws:route53:Record             v2                     create
 +   ├─ aws:route53:Record             v1                     create
 +   └─ aws:acm:CertificateValidation  cert                   create

Resources:
    + 3 to create
    +-1 to replace
    4 changes. 1 unchanged

Updating (acmtest1):

     Type                              Name                   Status       Info
     pulumi:pulumi:Stack               wp-cfn-stack-acmtest1
 +-  ├─ aws:acm:Certificate            cert                   replaced     [diff: ~domainName,subjectAlte
 +   ├─ aws:route53:Record             v2                     created
 +   ├─ aws:route53:Record             v1                     created
 +   └─ aws:acm:CertificateValidation  cert                   created

Outputs:
    certarn: "arn:aws:acm:us-east-1:389211687401:certificate/057a6b0b-9967-4d1f-8294-7f3fdd7dce0a"

Resources:
    + 3 created
    +-1 replaced
    4 changes. 1 unchanged

Duration: 57s

Permalink: file:///home/jon/.pulumi/stacks/acmtest1.json
```
w
The replacement of the cert there doesn't look right. What does the diff show about why domainName is changing? That replace will lead to the cert being deleted (after a new one is created for the replacement).
one of these for each usage in route53 record
TypeError: Cannot read property 'resourceRecordName' of undefined
This suggests that your Certificate returned only one validation option?
b
looks like it's my node version :~( I was using 11.3.0, switched to 8.11.4 and everything works now
w
That's even scarier - no idea how that could lead to what you are seeing! But glad things are working for you.
b
The Node version in the pulumi/pulumi docker image is 11.x. Is that the recommended Node version to use?
w
We test on 12, 10 and 8 currently (current along with previous LTSs). Node 11 is technically EOL already per https://nodejs.org/en/about/releases/. I'd definitely be surprised about any serious issues with Node 11 though, as many users still happen to use it. We should bump the version in pulumi/pulumi to 12 though.