ACM waitFor certificateValidated returns immediately #2920

Closed
2 tasks done
winsome opened this issue Oct 23, 2019 · 2 comments
Labels: closed-for-staleness, guidance (Question that needs advice or information.)

Comments

winsome commented Oct 23, 2019

Using the ACM client, I'm trying to wait for the certificateValidated state on a given certificate ARN using the following code in a lambda as part of a CloudFormation stack Custom resource. Occasionally, it returns immediately (~1 sec) while the certificate is still in the PENDING_VALIDATION state.

```javascript
// Excerpt from the Lambda handler body: `event` and `context` are the handler's arguments.
const acmClient = new AWS.ACM({ region: event.ResourceProperties.Region });
// Logs the whole custom resource event, including the pre-signed ResponseURL.
console.log(JSON.stringify(event));
if (event.RequestType !== 'Create') {
    // Update and Delete requests are acknowledged without waiting.
    return cfnresponse.send(event, context, cfnresponse.SUCCESS);
} else {
    var params = {
        CertificateArn: event.ResourceProperties.CertificateArn
    };
    // Wait on the certificate, then report the outcome back to CloudFormation.
    acmClient.waitFor('certificateValidated', params).promise()
    .then(waitResult => {
        console.log('waitResult:', JSON.stringify(waitResult));
        let cert = waitResult.Certificate;
        // The waiter resolving is not taken as proof of issuance; Status is checked explicitly.
        if (cert.Status !== 'ISSUED') {
            return cfnresponse.send(event, context, cfnresponse.FAILED, { error: `Certificate was not validated. Current status is ${cert.Status}`, cert: cert });
        } else {
            return cfnresponse.send(event, context, cfnresponse.SUCCESS, { cert: cert});
        }
    })
    .catch(waitError => {
        console.log('waitError:', JSON.stringify(waitError));
        return cfnresponse.send(event, context, cfnresponse.FAILED, waitError);
    });
}
```

An example of the event the lambda receives, from a failure I just encountered:

2019-10-23T21:33:37.252Z	07ffb03b-0dfa-452b-9e05-371ba323dc6c
{
    "RequestType": "Create",
    "ServiceToken": "arn:aws:lambda:us-west-2:<obfuscated>:function:<obfuscated>-CertValidator",
    "ResponseURL": "https://cloudformation-custom-resource-response-uswest2.s3-us-west-2.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-west-2%3A[obfuscated]%3Astack/[obfuscated]-1W8LPBD4ZCRT/8de276b0-f5dc-11e9-af49-0236211bab6e%7CWaitForValidCertificateForHostedZone%7Cb95a55e0-00a6-4a1c-9302-363d041d4c21?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20191023T213336Z&X-Amz-SignedHeaders=host&X-Amz-Expires=7199&X-Amz-Credential=AKIA54RCMT6SHY2I5CMZ%2F20191023%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Signature=d6bd4fa9edd2e4b7009a5c8707e43470bd48e618cb5a02e0ad2ac679a15d5f8e",
    "StackId": "arn:aws:cloudformation:us-west-2:[obfuscated]:stack/[obfuscated]AcmCertificate-1W8LPBD4ZCRT/8de276b0-f5dc-11e9-af49-0236211bab6e",
    "RequestId": "b95a55e0-00a6-4a1c-9302-363d041d4c21",
    "LogicalResourceId": "WaitForValidCertificateForHostedZone",
    "ResourceType": "Custom::LambdaCallout",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:us-west-2:[obfuscated]:function:[obfuscated]-CertValidator",
        "Region": "us-west-2",
        "CertificateArn": "arn:aws:acm:us-west-2:[obfuscated]:certificate/00b26daa-f464-443b-8af6-ebfcb855907b"
    }
}

The result returned from the waitFor call:

2019-10-23T21:33:38.375Z	07ffb03b-0dfa-452b-9e05-371ba323dc6c	waitResult:
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-west-2:[obfuscated]:certificate/00b26daa-f464-443b-8af6-ebfcb855907b",
        "DomainName": "[obfuscated]",
        "SubjectAlternativeNames": [
            "[obfuscated]",
            "*.[obfuscated]"
        ],
        "DomainValidationOptions": [
            {
                "DomainName": "[obfuscated]",
                "ValidationDomain": "[obfuscated]",
                "ValidationStatus": "SUCCESS",
                "ResourceRecord": {
                    "Name": "_611336d087f8ceff5ad8583773697bc9.[obfuscated].",
                    "Type": "CNAME",
                    "Value": "_a34453bba04e43998f4e98a351f2c686.olprtlswtu.acm-validations.aws."
                },
                "ValidationMethod": "DNS"
            },
            {
                "DomainName": "*.[obfuscated]",
                "ValidationDomain": "*.[obfuscated]",
                "ValidationStatus": "SUCCESS",
                "ResourceRecord": {
                    "Name": "_611336d087f8ceff5ad8583773697bc9.[obfuscated].",
                    "Type": "CNAME",
                    "Value": "_a34453bba04e43998f4e98a351f2c686.olprtlswtu.acm-validations.aws."
                },
                "ValidationMethod": "DNS"
            }
        ],
        "Subject": "CN=[obfuscated]",
        "Issuer": "Amazon",
        "CreatedAt": "2019-10-23T21:32:34.000Z",
        "Status": "PENDING_VALIDATION",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [],
        "Type": "AMAZON_ISSUED",
        "KeyUsages": [],
        "ExtendedKeyUsages": [],
        "RenewalEligibility": "INELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "ENABLED"
        }
    }
}

Looking for some guidance on what may be causing this. There is a delay between the creation of the ACM Cert and calling waitFor, so I'm confident it's not that the resource isn't ready to be waited on.
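
Added example, not part of the original post or of the SDK: in the logged result above every `DomainValidationOptions[].ValidationStatus` is `SUCCESS` while `Certificate.Status` is still `PENDING_VALIDATION`, so this code polls `DescribeCertificate` until `Status` itself is `ISSUED`. It assumes the built-in waiter's success condition is the all-domains-validated check shown in `allDomainsValidated`; `describe`, `waitForIssued`, the sample object and the timing defaults are hypothetical names and values.

```javascript
// Constructed sample: the DescribeCertificate result logged above, trimmed to
// the fields the checks read (domain names are placeholders).
const pendingButValidated = {
  Certificate: {
    Status: 'PENDING_VALIDATION',
    DomainValidationOptions: [
      { DomainName: 'example.test', ValidationStatus: 'SUCCESS' },
      { DomainName: '*.example.test', ValidationStatus: 'SUCCESS' },
    ],
  },
};

// Assumption: the built-in waiter succeeds when every domain's
// ValidationStatus is SUCCESS, without looking at Certificate.Status.
function allDomainsValidated(resp) {
  const opts = resp.Certificate.DomainValidationOptions || [];
  return opts.length > 0 && opts.every(o => o.ValidationStatus === 'SUCCESS');
}

// ACM statuses treated here as terminal: polling further will not yield ISSUED.
const TERMINAL = new Set(['FAILED', 'VALIDATION_TIMED_OUT', 'REVOKED', 'EXPIRED', 'INACTIVE']);

// Decide on Certificate.Status alone: 'issued', 'failed' or 'retry'.
function classify(resp) {
  const status = resp.Certificate.Status;
  if (status === 'ISSUED') return 'issued';
  return TERMINAL.has(status) ? 'failed' : 'retry';
}

// describe is a hypothetical injected function, for example
//   arn => acmClient.describeCertificate({ CertificateArn: arn }).promise()
// deadlineMs should stay below the Lambda timeout so the FAILED response
// can still be sent to CloudFormation.
async function waitForIssued(describe, arn, { delayMs = 15000, deadlineMs = 600000 } = {}) {
  const stopAt = Date.now() + deadlineMs;
  for (;;) {
    const resp = await describe(arn);
    const state = classify(resp);
    if (state === 'issued') return resp.Certificate;
    if (state === 'failed') throw new Error(`Certificate ended in ${resp.Certificate.Status}`);
    if (Date.now() + delayMs > stopAt) throw new Error(`Timed out in ${resp.Certificate.Status}`);
    await new Promise(resolve => setTimeout(resolve, delayMs));
  }
}
```

Injecting `describe` keeps the polling logic testable without AWS credentials; in the handler it replaces the `waitFor('certificateValidated', ...)` call and its result feeds the same `cfnresponse.send` branches.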

@ajredniwja

Hey @winsome, apologies for a delayed reply here, can you please get me the SDK version you are on and I can try to reproduce it.

@github-actions

Greetings! We’re closing this issue because it has been open a long time and hasn’t been updated in a while and may not be getting the attention it deserves. We encourage you to check if this is still an issue in the latest release and if you find that this is still a problem, please feel free to comment or open a new issue.

github-actions bot added the closing-soon and closed-for-staleness labels and removed the closing-soon label. Jan 13, 2022