No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I just did this myself, can you share your code?

Sure, just give me a few minutes, I think my problem might be that the Route53 zone that I was trying to get a certificate for was private

I'm not 100% sure but I think this might only work for public zones?

I think the "creating" status in Pulumi is reflecting the "pending validation" status in the Cert Manager console. If I understand the docs correctly this isn't a real resource (AWS doesn't have a thing called "Certificate Validation" that can be created) but more of a way to have Pulumi block parts of a deployment that depend on the validation until it has succeeded?

yes you can’t validate an ACM with a private zone, because an external service has to query your DNS domain to get a valid response to ensure you actually own that zone

if you’re using a private DNS zone, you might want to consider using ACMPA

The private zone was a mistake, but thanks for the pointer :slightly_smiling_face:

The code I'm using is as follows

```const publicDomainName = `${env}.<http://pyrratech.com|pyrratech.com>`;
const route53PublicZone = new aws.route53.Zone(name("public"), {
  name: publicDomainName
});

const acmCertificate = new aws.acm.Certificate(name("certificate"), {
  domainName: `*.${publicDomainName}`,
  validationMethod: "DNS",
});

// Create domain validation records required to validate the certificate
const certificateValidation = acmCertificate.domainValidationOptions
  .apply((options) =&gt; {
    return options.map((option, index) =&gt; {
      return new aws.route53.Record(name(`certValidation-${index}`), {
        allowOverwrite: true,
        name: option.resourceRecordName,
        records: [option.resourceRecordValue],
        ttl: 60,
        type: option.resourceRecordType,
        zoneId: route53PublicZone.zoneId,
      });
    });
  })
  .apply((route53Records) =&gt; {
    return new aws.acm.CertificateValidation(name("certificateValidation"), {
      certificateArn: acmCertificate.arn,
      validationRecordFqdns: route53Records.map(
        (exampleRecord) =&gt; exampleRecord.fqdn
      ),
    });
  });```


(`name` is a helper function for consistent naming, it just prepends `pulumi-${env}-` to its argument)

The problem seems to be that ACM is not validating the DNS record I create. I can't see why yet - it appears correct to me, and when I go through the UI helper it still doesn't validate

(ACM has a helper button to create the Route53 records)

Oh I am so dumb... our domain isn't hosted with AWS. Setting the record in Route53 does nothing, it needs to be set in Google Domains probably