Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
h
handsome-truck-95168
12/11/2019, 7:43 PMI think it's impossible to, in one deployment, create an SSL certificate and DNS entries to validate that certificate for a domain with multiple "subjectAlternativeNames" in a general way.
This snippet demonstrates the problem. To see the bug, set
SHOW_BUGtrueSHOW_BUGfalseAPEX_DOMAIN<http://example.com|example.com>import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const SHOW_BUG = true
const apex = process.env.APEX_DOMAIN || "<http://example.com|example.com>"
const cert = new aws.acm.Certificate("cert", {
domainName: `v.${apex}`,
subjectAlternativeNames: [`vv.${apex}`, `vvv.${apex}`],
validationMethod: "DNS",
});
const zone = aws.route53.getZone({
name: apex,
privateZone: false,
});
if(SHOW_BUG) {
const domains = cert.domainValidationOptions.apply((opts) =>
opts.map((opt) =>
new aws.route53.Record(opt.resourceRecordName, {
name: opt.resourceRecordName,
records: [opt.resourceRecordValue],
ttl: 60,
type: opt.resourceRecordType,
zoneId: zone.id,
}, { dependsOn: cert })
)
)
new aws.acm.CertificateValidation(`cert-${apex}`, {
certificateArn: cert.arn,
validationRecordFqdns: domains.apply((doms) => doms.map((dom) => dom.fqdn))
}, { dependsOn: domains })
}
else {
let domains: Array<aws.route53.Record> = []
for(let i = 0; i < 3; i++) {
domains.push(new aws.route53.Record(`val-${i}`, {
name: cert.domainValidationOptions[i].resourceRecordName,
records: [cert.domainValidationOptions[i].resourceRecordValue],
ttl: 60,
type: cert.domainValidationOptions[i].resourceRecordType,
zoneId: zone.id,
}, { dependsOn: cert }))
}
new aws.acm.CertificateValidation(`cert-${apex}`, {
certificateArn: cert.arn,
validationRecordFqdns: domains.map((dom) => dom.fqdn)
}, { dependsOn: domains })
}Glad to make that a gist if it is easier
When the bug manifests, you get this output:
> pulumi up
Previewing update (cert-demo):
Type Name Plan Info
+ pulumi:pulumi:Stack cert-demo-cert-demo create 1 error; 4 messages
+ └─ aws:acm:Certificate cert create
Diagnostics:
pulumi:pulumi:Stack (cert-demo-cert-demo):
TypeError: Cannot read property 'concat' of undefined
at C:\Users\Justin\Source\cert-demo\node_modules\@pulumi\pulumi\runtime\resource.js:356:29
at Generator.next (<anonymous>)
at fulfilled (C:\Users\Justin\Source\cert-demo\node_modules\@pulumi\pulumi\runtime\resource.js:18:58)
error: Running program 'C:\Users\Justin\Source\cert-demo' failed with an unhandled exception:
TypeError: Cannot read property 'concat' of undefined
at C:\Users\Justin\Source\cert-demo\node_modules\@pulumi\pulumi\runtime\resource.js:356:29
at Generator.next (<anonymous>)
at fulfilled (C:\Users\Justin\Source\cert-demo\node_modules\@pulumi\pulumi\runtime\resource.js:18:58)Notice there is no reference to
index.tsdependsOnCertificateValidationw
white-balloon-205
12/11/2019, 8:19 PMThis should work - and it looks like there may be a bug in the core Pulumi runtime library. Will take a look and open an issue if there is.
Note that creating resources inside an apply is a little less ideal because it means previews may not be accurate (as we can’t know what will happen until the resource is actually created).
Because of that - if the
donainValidationOptionssubjectAlternateNamesh
handsome-truck-95168
12/11/2019, 8:21 PMThank you for taking a look. Probably there should be guidance in the docs or a better error message if nothing else. Glad to provide more details if needed!