https://pulumi.com logo
Powered by
c

crooked-laptop-67565

07/22/2022, 12:43 AM
Hi, I'm having trouble creating an 
aws:acm:CertificateValidation
. It just never completes. I've let 
pulumi up
run for up to 30m and it's just sat there saying "creating". I can't see any open Github issues about this problem. I've tried running with the debug flag, but I don't understand the output. Does anyone have any suggestions?
b

billowy-army-68599

07/22/2022, 1:01 AM
I just did this myself, can you share your code?
c

crooked-laptop-67565

07/22/2022, 1:03 AM
Sure, just give me a few minutes, I think my problem might be that the Route53 zone that I was trying to get a certificate for was private
I'm not 100% sure but I think this might only work for public zones?
I think the "creating" status in Pulumi is reflecting the "pending validation" status in the Cert Manager console. If I understand the docs correctly this isn't a real resource (AWS doesn't have a thing called "Certificate Validation" that can be created) but more of a way to have Pulumi block parts of a deployment that depend on the validation until it has succeeded?
b

billowy-army-68599

07/22/2022, 1:24 AM
yes you can’t validate an ACM with a private zone, because an external service has to query your DNS domain to get a valid response to ensure you actually own that zone
if you’re using a private DNS zone, you might want to consider using ACMPA
c

crooked-laptop-67565

07/22/2022, 1:51 AM
The private zone was a mistake, but thanks for the pointer 🙂 The code I'm using is as follows
Copy code
const publicDomainName = `${env}.<http://pyrratech.com|pyrratech.com>`;
const route53PublicZone = new aws.route53.Zone(name("public"), {
  name: publicDomainName
});

const acmCertificate = new aws.acm.Certificate(name("certificate"), {
  domainName: `*.${publicDomainName}`,
  validationMethod: "DNS",
});

// Create domain validation records required to validate the certificate
const certificateValidation = acmCertificate.domainValidationOptions
  .apply((options) => {
    return options.map((option, index) => {
      return new aws.route53.Record(name(`certValidation-${index}`), {
        allowOverwrite: true,
        name: option.resourceRecordName,
        records: [option.resourceRecordValue],
        ttl: 60,
        type: option.resourceRecordType,
        zoneId: route53PublicZone.zoneId,
      });
    });
  })
  .apply((route53Records) => {
    return new aws.acm.CertificateValidation(name("certificateValidation"), {
      certificateArn: acmCertificate.arn,
      validationRecordFqdns: route53Records.map(
        (exampleRecord) => exampleRecord.fqdn
      ),
    });
  });
(
name
is a helper function for consistent naming, it just prepends 
pulumi-${env}-
to its argument)
The problem seems to be that ACM is not validating the DNS record I create. I can't see why yet - it appears correct to me, and when I go through the UI helper it still doesn't validate
(ACM has a helper button to create the Route53 records)
Oh I am so dumb... our domain isn't hosted with AWS. Setting the record in Route53 does nothing, it needs to be set in Google Domains probably
☝️ 1
2 Views
Powered by