aws-certificatemanager: DnsValidatedCertificate does not work with multi-zone dns validation
Describe the bug
When requesting a certificate and specifying Subject Alternative Names spanning multiple Route53 HostedZones, and providing a mapping between hostname and hosted zone with CertificateValidation.FromDnsMultiZone, the certificate requestor tries to add validation entries into the hosted zone provided on the DnsValidatedCertificate only.
Expected Behavior
DnsValidatedCertificate should use the mappings between name and hosted zone provided in the FromDnsMultiZone mapping
Current Behavior
The custom resource returns the following message during deployment:
Received response status [FAILED] from custom resource. Message returned: [RRSet with DNS name _omitted.example.com. is not permitted in zone another.com.]
Reproduction Steps
Example stack (Python)
from aws_cdk import (
    Stack,
    aws_route53 as route53,
    aws_certificatemanager as acm,
)
from constructs import Construct


class DnsValidationStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Three existing hosted zones, one per domain covered by the certificate
        example_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "ExampleZone", hosted_zone_id="AAAAAAAA1111", zone_name="example.com"
        )
        another_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "AnotherZone", hosted_zone_id="BBBBBBBB2222", zone_name="another.com"
        )
        third_zone = route53.HostedZone.from_hosted_zone_attributes(
            self, "ThirdZone", hosted_zone_id="CCCCCCCCC3333", zone_name="third.com"
        )

        acm.DnsValidatedCertificate(
            self,
            "SANCertificate",
            domain_name="test.example.com",
            hosted_zone=example_zone,
            subject_alternative_names=["test.another.com", "test.third.com"],
            # Per-name zone mapping; the bug is that hosted_zone above is used for every name
            validation=acm.CertificateValidation.from_dns_multi_zone(
                {
                    "test.example.com": example_zone,
                    "test.another.com": another_zone,
                    "test.third.com": third_zone,
                }
            ),
        )
Possible Solution
The CertificateValidation provided in ICertificate should be used in DnsValidatedCertificate to build the mapping between hostname and hosted zone, which is then passed into the custom resource.
Currently, only subjectAlternativeNames is the input here: https://github.com/aws/aws-cdk/blob/4537b3fc1b726dd8cbaadd0c52c35b6f31328e3d/packages/%40aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js#L94
The mappings generated from CertificateValidation should be passed to the creator lambda in addition to this: https://github.com/aws/aws-cdk/blob/4537b3fc1b726dd8cbaadd0c52c35b6f31328e3d/packages/%40aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts#L123
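The failure above is a precondition violation: the validation CNAME for a hostname can only be written into a hosted zone that contains that hostname. The following is an added example (not aws-cdk code) that models the two behaviours in plain Python without the CDK: single_zone_mapping reproduces what the custom resource effectively does today (every name goes to the certificate's hosted_zone), multi_zone_mapping is the expected behaviour (each name resolves through the from_dns_multi_zone mapping), and find_misplaced is a pre-deployment check that reports the name/zone pairs Route53 would reject. The function names and the fallback parameter are assumptions for this example; the hostnames and zone names are the ones from the reproduction stack.

```python
"""Pre-deployment check for the hostname -> hosted zone mapping that DNS
validation of an ACM certificate relies on. Constructed example, not code
from aws-cdk; zone names and hostnames are taken from the reproduction stack."""
from typing import Dict, List, Optional, Tuple


def normalize(name: str) -> str:
    """Lower-case a DNS name, drop a wildcard label and any trailing dot."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        # ACM validates *.example.com with the same record as example.com
        name = name[2:]
    return name


def in_zone(hostname: str, zone_name: str) -> bool:
    """True if hostname is the zone apex or a subdomain of zone_name."""
    host, zone = normalize(hostname), normalize(zone_name)
    return host == zone or host.endswith("." + zone)


def single_zone_mapping(domain_name: str, sans: List[str], hosted_zone: str) -> Dict[str, str]:
    """Current behaviour: every certificate name is mapped to the one hosted_zone."""
    return {normalize(n): normalize(hosted_zone) for n in [domain_name, *sans]}


def multi_zone_mapping(
    domain_name: str,
    sans: List[str],
    zones: Dict[str, str],
    fallback: Optional[str] = None,
) -> Dict[str, str]:
    """Expected behaviour: each name resolves to the zone given in the multi-zone
    mapping; names the mapping does not cover use the fallback zone (assumed to
    be the certificate's hosted_zone) or raise if there is none."""
    zones_n = {normalize(k): normalize(v) for k, v in zones.items()}
    mapping: Dict[str, str] = {}
    for name in [domain_name, *sans]:
        key = normalize(name)
        zone = zones_n.get(key, normalize(fallback) if fallback else None)
        if zone is None:
            raise ValueError(f"no hosted zone for {name}")
        mapping[key] = zone
    return mapping


def find_misplaced(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (hostname, zone) pairs whose validation CNAME does not belong to
    that zone; Route53 rejects such a ChangeResourceRecordSets request."""
    return [(h, z) for h, z in mapping.items() if not in_zone(h, z)]


if __name__ == "__main__":
    domain = "test.example.com"
    sans = ["test.another.com", "test.third.com"]
    zones = {
        "test.example.com": "example.com",
        "test.another.com": "another.com",
        "test.third.com": "third.com",
    }
    print("current  :", find_misplaced(single_zone_mapping(domain, sans, "example.com")))
    print("expected :", find_misplaced(multi_zone_mapping(domain, sans, zones)))
```

Running the check against the single-zone mapping lists test.another.com and test.third.com as misplaced in example.com, which is the condition behind the "RRSet ... is not permitted in zone" error; the multi-zone mapping yields no misplaced pairs. The same check can be run over a synthesized template's custom-resource properties before deployment.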
Additional Information/Context
No response
CDK CLI Version
2.27.0
Framework Version
No response
Node.js Version
v16.13.2
OS
Windows/Linux
Language
Typescript, Python
Language Version
Any
Other information
No response
Issue Analytics
- Created a year ago
- Reactions: 14
- Comments: 5 (1 by maintainers)
Top GitHub Comments
@NGL321 Are there any updates on this? Just ran into this problem.
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.