feat(certificatemanager): native CloudFormation DNS validated certificate #8552

Merged (16 commits) on Jul 10, 2020

Conversation

jogold (Contributor) commented Jun 15, 2020

Automatically adding Amazon Route 53 CNAME records for DNS validation is
now natively supported by CloudFormation.

Add a validation prop to Certificate to handle both email and DNS
validation. DnsValidatedCertificate is now only useful for cross-region
certificate creation.

The default remains email validation (non-breaking).

Closes #5831
Closes #5835
Closes #6081
Closes #6516
Closes #7150
Closes #7941
Closes #7995
Closes #7996
Closes #8282
Closes #8659
Closes #8783
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

jogold added 2 commits June 15, 2020 21:07
…cate

Automatically adding Amazon Route 53 CNAME records for DNS validation is
now natively supported by CloudFormation.

Add a `validation` prop to `Certificate` to handle both email and DNS
validation. Deprecate `DnsValidatedCertificate`.

The default remains email validation (non-breaking).

Closes aws#5831
Closes aws#5835
Closes aws#6081
Closes aws#6516
Closes aws#7150
Closes aws#7941
Closes aws#7995
Closes aws#7996
jogold (Contributor, Author) commented Jun 15, 2020

What should be done here?

```ts
const redirectCertArn = props.certificate ? props.certificate.certificateArn : new DnsValidatedCertificate(this, 'RedirectCertificate', {
  domainName: domainNames[0],
  subjectAlternativeNames: domainNames,
  hostedZone: props.zone,
  region: 'us-east-1',
}).certificateArn;
```

If we replace DnsValidatedCertificate with Certificate the construct will now only work if deployed in us-east-1.

See also aws-cloudformation/cloudformation-coverage-roadmap#523

AlexCheema (Contributor) commented Jun 19, 2020

Any news on this? Recently a lot of DnsValidatedCertificate resources have been failing to deploy for us. Would be great to replace it with the native Cloudformation version.

```ts
new Certificate(this, 'Certificate', {
  domainName: 'hello.example.com',
  validation: CertificateValidation.fromDns(),
});
```

Contributor:

I feel like the README here should call out the same warning from the fromDns documentation about needing to manually add the DNS records before CloudFormation can succeed. Might even be worth having the Route53 example first (as the thing people are most likely to copy/paste and use), and then call out the outside-DNS example with the warning about the need for manual intervention.

Comment on lines 56 to 57:

```ts
 * @deprecated use the `validation` prop with `CertificateValidation.fromDns()`
 * on `Certificate`.
```

Contributor:

Counter-argument -- this custom resource-based approach allows for cross-region cert creation, which the native CloudFormation support doesn't allow (AFAIK). It might be worth not deprecating it, and noting this use case in the README. What do you think?

jogold (Author):

Good point. For information, it's in the CF roadmap aws-cloudformation/cloudformation-coverage-roadmap#523.

This also solves my question here #8552 (comment)

```ts
 * @param hostedZone the default hosted zone to use for all domains in the certificate
 * @param hostedZones a map of hosted zones to use for domains in the certificate
 */
public static fromDns(hostedZone?: route53.IHostedZone, hostedZones?: { [domainName: string]: route53.IHostedZone }) {
```

Contributor:

I'm trying to think of a better way to do this interface. As-is, it's not clear how to use it -- if I need to provide the hostedZones map, do I also need to provide the hostedZone? If so, does it matter which is the "main" zone and which appears in the map? One other thought -- domain names to hosted zones are N:1; you may have 10 domain names with two top-level hosted zones; flipping the map around may be slightly more usable for some customers (I don't have the data to back that up off-hand though).

Maybe breaking this into two would alleviate some of the problems:

```ts
public static fromDns(hostedZone?: route53.IHostedZone) {...}
public static fromDnsMultiZone(hostedZoneMap: { [domainName: string]: route53.IHostedZone }) {...}
```

Open to better naming and disagreements.
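To make the interface question concrete, here is an added example (not aws-cdk code) of how a default zone plus a per-domain `hostedZones` map resolve into CloudFormation `DomainValidationOptions` entries, with a containment check so a domain is never assigned to a zone that cannot host its validation record. The `HostedZone` shape, the `zoneContains` helper and the zone IDs are constructed for the example.

```typescript
// Added example, not aws-cdk code: resolve each certificate domain to the
// hosted zone that will carry its DNS validation CNAME. A per-domain map entry
// wins; otherwise the default zone is used. A domain that ends up without a
// zone, or in a zone that does not contain it, can never finish validating,
// so it is rejected up front instead of stalling the CloudFormation deploy.
interface HostedZone { zoneName: string; hostedZoneId: string }
interface DomainValidationOption { DomainName: string; HostedZoneId: string }

// Does `zone` contain `domain`? A wildcard name is validated through its parent.
function zoneContains(zone: HostedZone, domain: string): boolean {
  const d = domain.replace(/^\*\./, '').replace(/\.$/, '').toLowerCase();
  const z = zone.zoneName.replace(/\.$/, '').toLowerCase();
  return d === z || d.endsWith('.' + z);
}

function domainValidationOptions(
  domains: string[],
  defaultZone?: HostedZone,
  zoneMap: { [domainName: string]: HostedZone } = {},
): DomainValidationOption[] {
  return domains.map(domain => {
    const zone = zoneMap[domain] || defaultZone;
    if (!zone) {
      throw new Error(`no hosted zone for ${domain}; its validation record would need manual creation`);
    }
    if (!zoneContains(zone, domain)) {
      throw new Error(`${domain} is not inside hosted zone ${zone.zoneName}`);
    }
    return { DomainName: domain, HostedZoneId: zone.hostedZoneId };
  });
}

// Constructed sample zones; the IDs are placeholders, not real Route 53 zone IDs.
const exampleZone: HostedZone = { zoneName: 'example.com', hostedZoneId: 'ZEXAMPLE0000000' };
const exampleNetZone: HostedZone = { zoneName: 'example.net', hostedZoneId: 'ZEXAMPLENET0000' };

// Three names, two zones: the default covers example.com (including the
// wildcard), the map overrides only the example.net name.
function demo(): DomainValidationOption[] {
  return domainValidationOptions(
    ['hello.example.com', '*.example.com', 'www.example.net'],
    exampleZone,
    { 'www.example.net': exampleNetZone },
  );
}
```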

Comment on lines +65 to +68:

Use the `DnsValidatedCertificate` construct for cross-region certificate creation:

```ts
new DnsValidatedCertificate(this, 'CrossRegionCertificate', {
  // ...
});
```

jogold (Author):

Should we do:

```ts
export class CrossRegionDnsValidatedCertificate extends DnsValidatedCertificate {
  constructor(scope: cdk.Construct, id: string, props: DnsValidatedCertificateProps) {
    super(scope, id, props);
  }
}
```

to get a better naming?

Contributor:

I don't think it's worth it, especially considering cross-region support is on the roadmap for CloudFormation. Let's just leave it as-is and deprecate it once we can.

@@ -1,26 +0,0 @@
import * as route53 from '@aws-cdk/aws-route53';
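Review bot: the hunk header `@@ -1,26 +0,0 @@` deletes the whole 26-line file whose first line imports `@aws-cdk/aws-route53`, which conflicts with the decision above to keep `DnsValidatedCertificate` undeprecated for cross-region use; revert this deletion so the construct and its route53 dependency stay in place.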
Contributor:

Can you un-delete this file, given we are not (yet) deprecating the DnsValidatedCertificate?

njlynch previously approved these changes Jul 10, 2020
mergify bot dismissed njlynch's stale review July 10, 2020 08:35: Pull request has been modified.

jogold (Author) commented Jul 10, 2020

> mergify bot dismissed njlynch's stale review 2 minutes ago
> Pull request has been modified.

@njlynch can you re-approve?

mergify bot commented Jul 10, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

aws-cdk-automation (Collaborator):

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 8b9d7cb
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)
