Does anyone have a recommendation on how to use an...
# aws
l
Does anyone have a recommendation on how to use an ACM certificate in the same `pulumi up` as it was created? Is there an option when creating / updating a load balancer to say "don't fail yet, just wait for the certificate to be validated"? I know it can be done by using separate projects, but if AWS did the waiting for me, I'd be happier :)
b
l
Yes, that's what I'm using, but it takes anywhere from 20 seconds to (in theory) 72 hours. It's never taken more than 30 seconds for me, but that's still enough time to fail the `up` and have to run it a 2nd time.
n
Where is the 30 second time out coming from? I can’t imagine that’s a default.
l
There's no timeout. When the certificate is created by AWS, it's not ready for use by an LB, but it is a fully-created resource. Pulumi thinks it's good to go. If you use it immediately in an existing LB, AWS will complain, because the AWS async operation to check the cert's validity hasn't completed.
Often you won't notice because you're doing this and creating the LB in the same `up`, and creating the LB takes a lot longer. But if the LB exists and you're just changing the cert, then this step will fail.
Run it again a few seconds later, after the validation completes, and it'll work fine.
I was wondering if there was a way to get Pulumi to tell AWS to have the LB try a few times, instead of immediately saying "this certificate isn't ready, error!".
But I don't think there is... so I just re-ran it.
l
@little-cartoon-10569 are you using `pulumi.DependsOn()`? In my case I'm using a cert w/ API gateway in the same `pulumi up`. I had to add `pulumi.DependsOn([]pulumi.Resource{certValid})` (golang) as an optional argument to `gateway2.NewDomainName()`, where `certValid` is a CertificateValidation resource.
l
Ah, the load balancer might need to be dependent on both the certificate and the CertificateValidation? No, I hadn't tried that. I'll make a note to try it later. Thanks!
n
When you reference a resource output (e.g., cert ARN) as an input to another resource (e.g., ALB listener’s certificate), Pulumi implicitly establishes a dependency and waits for the cert to be provisioned before it attempts to create the ALB listener. Since there are no cert validation resource outputs being referenced by the ALB listener inputs, the dependency has to be established explicitly via ResourceOptions.