I think it's impossible to, in one deployment, cre...
# typescripth
handsome-truck-95168
12/11/2019, 7:43 PMI think it's impossible to, in one deployment, create an SSL certificate and DNS entries to validate that certificate for a domain with multiple "subjectAlternativeNames" in a general way.
handsome-truck-95168
12/11/2019, 7:45 PMThis snippet demonstrates the problem. To see the bug, set
SHOW_BUGtrueSHOW_BUGfalseAPEX_DOMAIN<http://example.com|example.com> Copy code
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const SHOW_BUG = true
const apex = process.env.APEX_DOMAIN || "<http://example.com|example.com>"
const cert = new aws.acm.Certificate("cert", {
domainName: `v.${apex}`,
subjectAlternativeNames: [`vv.${apex}`, `vvv.${apex}`],
validationMethod: "DNS",
});
const zone = aws.route53.getZone({
name: apex,
privateZone: false,
});
if(SHOW_BUG) {
const domains = cert.domainValidationOptions.apply((opts) =>
opts.map((opt) =>
new aws.route53.Record(opt.resourceRecordName, {
name: opt.resourceRecordName,
records: [opt.resourceRecordValue],
ttl: 60,
type: opt.resourceRecordType,
zoneId: zone.id,
}, { dependsOn: cert })
)
)
new aws.acm.CertificateValidation(`cert-${apex}`, {
certificateArn: cert.arn,
validationRecordFqdns: domains.apply((doms) => doms.map((dom) => dom.fqdn))
}, { dependsOn: domains })
}
else {
let domains: Array<aws.route53.Record> = []
for(let i = 0; i < 3; i++) {
domains.push(new aws.route53.Record(`val-${i}`, {
name: cert.domainValidationOptions[i].resourceRecordName,
records: [cert.domainValidationOptions[i].resourceRecordValue],
ttl: 60,
type: cert.domainValidationOptions[i].resourceRecordType,
zoneId: zone.id,
}, { dependsOn: cert }))
}
new aws.acm.CertificateValidation(`cert-${apex}`, {
certificateArn: cert.arn,
validationRecordFqdns: domains.map((dom) => dom.fqdn)
}, { dependsOn: domains })
}handsome-truck-95168
12/11/2019, 7:45 PMGlad to make that a gist if it is easier
handsome-truck-95168
12/11/2019, 7:46 PMWhen the bug manifests, you get this output:
Copy code
> pulumi up
Previewing update (cert-demo):
Type Name Plan Info
+ pulumi:pulumi:Stack cert-demo-cert-demo create 1 error; 4 messages
+ └─ aws:acm:Certificate cert create
Diagnostics:
pulumi:pulumi:Stack (cert-demo-cert-demo):
TypeError: Cannot read property 'concat' of undefined
at C:\Users\Justin\Source\cert-demo\node_modules\@pulumi\pulumi\runtime\resource.js:356:29
at Generator.next (<anonymous>)
at fulfilled (C:\Users\Justin\Source\cert-demo\node_modules\@pulumi\pulumi\runtime\resource.js:18:58)
error: Running program 'C:\Users\Justin\Source\cert-demo' failed with an unhandled exception:
TypeError: Cannot read property 'concat' of undefined
at C:\Users\Justin\Source\cert-demo\node_modules\@pulumi\pulumi\runtime\resource.js:356:29
at Generator.next (<anonymous>)
at fulfilled (C:\Users\Justin\Source\cert-demo\node_modules\@pulumi\pulumi\runtime\resource.js:18:58)handsome-truck-95168
12/11/2019, 7:47 PMNotice there is no reference to
index.tsdependsOnCertificateValidationw
white-balloon-205
12/11/2019, 8:19 PM
This should work - and it looks like there may be a bug in the core Pulumi runtime library. Will take a look and open an issue if there is.
Note that creating resources inside an apply is a little less ideal because it means previews may not be accurate (as we can’t know what will happen until the resource is actually created).
Because of that - if the
donainValidationOptionssubjectAlternateNamesh
handsome-truck-95168
12/11/2019, 8:21 PMThank you for taking a look. Probably there should be guidance in the docs or a better error message if nothing else. Glad to provide more details if needed!