Hi I m having trouble creating an `aws acm CertificateValida Pulumi Community #general

Hi, I'm having trouble creating an `aws:acm:Certif...

crooked-laptop-67565

07/22/2022, 12:43 AM

Hi, I'm having trouble creating an

aws:acm:CertificateValidation

. It just never completes. I've let

pulumi up

run for up to 30m and it's just sat there saying "creating". I can't see any open Github issues about this problem. I've tried running with the debug flag, but I don't understand the output. Does anyone have any suggestions?

billowy-army-68599

07/22/2022, 1:01 AM

I just did this myself, can you share your code?

crooked-laptop-67565

07/22/2022, 1:03 AM

Sure, just give me a few minutes, I think my problem might be that the Route53 zone that I was trying to get a certificate for was private

crooked-laptop-67565

07/22/2022, 1:03 AM

I'm not 100% sure but I think this might only work for public zones?

crooked-laptop-67565

07/22/2022, 1:04 AM

I think the "creating" status in Pulumi is reflecting the "pending validation" status in the Cert Manager console. If I understand the docs correctly this isn't a real resource (AWS doesn't have a thing called "Certificate Validation" that can be created) but more of a way to have Pulumi block parts of a deployment that depend on the validation until it has succeeded?

billowy-army-68599

07/22/2022, 1:24 AM

yes you can’t validate an ACM with a private zone, because an external service has to query your DNS domain to get a valid response to ensure you actually own that zone

billowy-army-68599

07/22/2022, 1:25 AM

if you’re using a private DNS zone, you might want to consider using ACMPA

crooked-laptop-67565

07/22/2022, 1:51 AM

The private zone was a mistake, but thanks for the pointer 🙂 The code I'm using is as follows

crooked-laptop-67565

07/22/2022, 1:51 AM

Copy code

const publicDomainName = `${env}.<http://pyrratech.com|pyrratech.com>`;
const route53PublicZone = new aws.route53.Zone(name("public"), {
  name: publicDomainName
});

const acmCertificate = new aws.acm.Certificate(name("certificate"), {
  domainName: `*.${publicDomainName}`,
  validationMethod: "DNS",
});

// Create domain validation records required to validate the certificate
const certificateValidation = acmCertificate.domainValidationOptions
  .apply((options) => {
    return options.map((option, index) => {
      return new aws.route53.Record(name(`certValidation-${index}`), {
        allowOverwrite: true,
        name: option.resourceRecordName,
        records: [option.resourceRecordValue],
        ttl: 60,
        type: option.resourceRecordType,
        zoneId: route53PublicZone.zoneId,
      });
    });
  })
  .apply((route53Records) => {
    return new aws.acm.CertificateValidation(name("certificateValidation"), {
      certificateArn: acmCertificate.arn,
      validationRecordFqdns: route53Records.map(
        (exampleRecord) => exampleRecord.fqdn
      ),
    });
  });

crooked-laptop-67565

07/22/2022, 1:53 AM

(

name

is a helper function for consistent naming, it just prepends

pulumi-${env}-

to its argument)

crooked-laptop-67565

07/22/2022, 1:54 AM

The problem seems to be that ACM is not validating the DNS record I create. I can't see why yet - it appears correct to me, and when I go through the UI helper it still doesn't validate

crooked-laptop-67565

07/22/2022, 1:54 AM

(ACM has a helper button to create the Route53 records)

crooked-laptop-67565

07/22/2022, 1:59 AM

Oh I am so dumb... our domain isn't hosted with AWS. Setting the record in Route53 does nothing, it needs to be set in Google Domains probably

☝️ 1

4 Views

Open in Slack

Previous Next