Hi, I'm having trouble creating an `aws:acm:Certif...
# general
Hi, I'm having trouble creating an `aws:acm:Certif...`. It just never completes. I've let `pulumi up` run for up to 30m and it's just sat there saying "creating". I can't see any open GitHub issues about this problem. I've tried running with the debug flag, but I don't understand the output. Does anyone have any suggestions?
I just did this myself, can you share your code?
Sure, just give me a few minutes, I think my problem might be that the Route53 zone that I was trying to get a certificate for was private
I'm not 100% sure but I think this might only work for public zones?
I think the "creating" status in Pulumi is reflecting the "pending validation" status in the Cert Manager console. If I understand the docs correctly this isn't a real resource (AWS doesn't have a thing called "Certificate Validation" that can be created) but more of a way to have Pulumi block parts of a deployment that depend on the validation until it has succeeded?
yes you can’t validate an ACM with a private zone, because an external service has to query your DNS domain to get a valid response to ensure you actually own that zone
if you’re using a private DNS zone, you might want to consider using ACMPA
The private zone was a mistake, but thanks for the pointer 🙂 The code I'm using is as follows
```typescript
import * as aws from "@pulumi/aws";

// `env` and the `name()` helper are defined elsewhere in the program.
const publicDomainName = `${env}.pyrratech.com`;
const route53PublicZone = new aws.route53.Zone(name("public"), {
  name: publicDomainName,
});

const acmCertificate = new aws.acm.Certificate(name("certificate"), {
  domainName: `*.${publicDomainName}`,
  validationMethod: "DNS",
});

// Create domain validation records required to validate the certificate
const certificateValidation = acmCertificate.domainValidationOptions
  .apply((options) => {
    return options.map((option, index) => {
      return new aws.route53.Record(name(`certValidation-${index}`), {
        allowOverwrite: true,
        name: option.resourceRecordName,
        records: [option.resourceRecordValue],
        ttl: 60,
        type: option.resourceRecordType,
        zoneId: route53PublicZone.zoneId,
      });
    });
  })
  // CertificateValidation waits for ACM to finish validating the certificate
  .apply((route53Records) => {
    return new aws.acm.CertificateValidation(name("certificateValidation"), {
      certificateArn: acmCertificate.arn,
      validationRecordFqdns: route53Records.map(
        (exampleRecord) => exampleRecord.fqdn
      ),
    });
  });
```
(`name` is a helper function for consistent naming, it just prepends to its argument)
The problem seems to be that ACM is not validating the DNS record I create. I can't see why yet - it appears correct to me, and when I go through the UI helper it still doesn't validate
(ACM has a helper button to create the Route53 records)
Oh I am so dumb... our domain isn't hosted with AWS. Setting the record in Route53 does nothing, it needs to be set in Google Domains probably