Thread
#general

    crooked-laptop-67565

    2 months ago
    Hi, I'm having trouble creating an `aws:acm:CertificateValidation`. It just never completes. I've let `pulumi up` run for up to 30m and it's just sat there saying "creating". I can't see any open GitHub issues about this problem. I've tried running with the debug flag, but I don't understand the output. Does anyone have any suggestions?

    billowy-army-68599

    2 months ago
    I just did this myself, can you share your code?

    crooked-laptop-67565

    2 months ago
    Sure, just give me a few minutes. I think my problem might be that the Route53 zone that I was trying to get a certificate for was private.
    I'm not 100% sure but I think this might only work for public zones?
    I think the "creating" status in Pulumi is reflecting the "pending validation" status in the Cert Manager console. If I understand the docs correctly this isn't a real resource (AWS doesn't have a thing called "Certificate Validation" that can be created) but more of a way to have Pulumi block parts of a deployment that depend on the validation until it has succeeded?

    billowy-army-68599

    2 months ago
    yes you can’t validate an ACM with a private zone, because an external service has to query your DNS domain to get a valid response to ensure you actually own that zone
    if you’re using a private DNS zone, you might want to consider using ACMPA

    crooked-laptop-67565

    2 months ago
    The private zone was a mistake, but thanks for the pointer 🙂 The code I'm using is as follows
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";

    // Assumption: the environment name comes from the stack name (e.g. "dev", "prod").
    const env = pulumi.getStack();
    // Helper for consistent naming: prepends `pulumi-${env}-` to its argument.
    const name = (suffix: string) => `pulumi-${env}-${suffix}`;

    const publicDomainName = `${env}.pyrratech.com`;
    const route53PublicZone = new aws.route53.Zone(name("public"), {
      name: publicDomainName,
    });

    // Request a wildcard certificate for the environment subdomain, validated via DNS.
    const acmCertificate = new aws.acm.Certificate(name("certificate"), {
      domainName: `*.${publicDomainName}`,
      validationMethod: "DNS",
    });

    // Create domain validation records required to validate the certificate.
    // ACM returns one CNAME per domain to validate; the set is only known after the
    // certificate has been requested, hence the records are created inside apply().
    const certificateValidation = acmCertificate.domainValidationOptions
      .apply((options) => {
        return options.map((option, index) => {
          return new aws.route53.Record(name(`certValidation-${index}`), {
            allowOverwrite: true,
            name: option.resourceRecordName,
            records: [option.resourceRecordValue],
            ttl: 60,
            type: option.resourceRecordType,
            zoneId: route53PublicZone.zoneId,
          });
        });
      })
      .apply((route53Records) => {
        // Blocks dependents until ACM has seen the validation records and issued the cert.
        return new aws.acm.CertificateValidation(name("certificateValidation"), {
          certificateArn: acmCertificate.arn,
          validationRecordFqdns: route53Records.map(
            (validationRecord) => validationRecord.fqdn
          ),
        });
      });
    (`name` is a helper function for consistent naming; it just prepends `pulumi-${env}-` to its argument)
    The problem seems to be that ACM is not validating the DNS record I create. I can't see why yet - it appears correct to me, and when I go through the UI helper it still doesn't validate
    (ACM has a helper button to create the Route53 records)
    Oh I am so dumb... our domain isn't hosted with AWS. Setting the record in Route53 does nothing, it needs to be set in Google Domains probably