
Docs should warn about ACM yearly certificate limit


I do have fully automated pipelines that provision app stack including all required resources. The stack fails to deploy after a few destroy/deploy iterations:

Error: you have reached your limit of 20 certificates in the last year.

The failure is caused by

import * as acm from '@aws-cdk/aws-certificatemanager'

// Every deploy requests a brand-new ACM certificate for domainName, validated via the hosted zone;
// a later stack destroy deletes the certificate but does not hand the request back to the yearly quota
const cert = new acm.DnsValidatedCertificate(this, 'Cert', { domainName, hostedZone })

The error appears despite the fact that I don’t have any certificates on my account. It seems that AWS CDK consumes the certificate request limit, which is not decreased when the stack is released. You can only resolve this by requesting an increase of the limit via the support centre. However, the hard quota limit is 1000 per account.

This implies that automation of certificate provisioning is not really an option for teams that do a few deployments per day.

It would be extremely helpful to

  • mention the limits in the documentation of the package
  • advice on how to overcome such limitations
  • best practices for automated certificate provisioning

Environment

  • CLI Version : 1.21.1
  • Framework Version:
  • OS : MacOS
  • Language : TypeScript

This is 🐛 Bug Report
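To make the mechanism described above concrete, here is an added TypeScript example (not code from the issue, from AWS CDK or from AWS) that models the quota the way the issue describes it: a trailing 365-day count of certificate requests that a stack destroy never decrements, kept by the pipeline itself because ACM does not expose the counter. The quota value, the domain names and the deploy interval are constructed assumptions.

```typescript
// Added example: a pipeline-side ledger of ACM certificate requests.
// ACM counts requests over a trailing 365-day window and does not give a
// request back when the certificate (or the stack owning it) is deleted,
// so a destroy/deploy loop has to budget its own usage up front.

export const DAY_MS = 24 * 60 * 60 * 1000;
export const WINDOW_MS = 365 * DAY_MS; // "in the last year" as a rolling window

export interface CertRequest {
  domainName: string;
  requestedAt: number; // epoch milliseconds
}

export class AcmRequestLedger {
  private readonly requests: CertRequest[] = [];

  constructor(private readonly yearlyQuota: number) {}

  /** Requests whose timestamp still falls inside the trailing 365 days. */
  countInLastYear(now: number): number {
    return this.requests.filter((r) => now - r.requestedAt < WINDOW_MS).length;
  }

  /** Whether one more DnsValidatedCertificate can be created at `now`. */
  canRequest(now: number): boolean {
    return this.countInLastYear(now) < this.yearlyQuota;
  }

  /** Record a request before deploying so the pipeline fails fast, not mid-deploy. */
  record(domainName: string, now: number): void {
    if (!this.canRequest(now)) {
      throw new Error(`ACM quota of ${this.yearlyQuota} requests in the last 365 days is used up`);
    }
    this.requests.push({ domainName, requestedAt: now });
  }

  /** A stack destroy deletes the certificate but frees no quota, so nothing is removed here. */
  onCertificateDeleted(_domainName: string): void {}
}

/**
 * Simulate a destroy/deploy loop that requests a fresh certificate every
 * `intervalDays` (constructed schedule); returns how many deploys succeed
 * before the quota blocks one, or `maxDeploys` if it never does.
 */
export function deploysBeforeQuotaHit(yearlyQuota: number, intervalDays: number, maxDeploys: number): number {
  const ledger = new AcmRequestLedger(yearlyQuota);
  for (let i = 0; i < maxDeploys; i++) {
    const now = i * intervalDays * DAY_MS;
    if (!ledger.canRequest(now)) return i;
    ledger.record(`pr-${i}.example.com`, now); // hypothetical per-PR domain
    ledger.onCertificateDeleted(`pr-${i}.example.com`); // destroy after the PR merges
  }
  return maxDeploys;
}
```

With a quota of 20 and one deploy per day the 21st deploy is refused, exactly the failure in the issue; the same quota with a 30-day cadence never blocks because old requests age out of the window.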

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:23
  • Comments:35 (7 by maintainers)

Top GitHub Comments

10 reactions
AlexandreDeRiemaecker commented, Mar 16, 2020

I have the same issue as described by @fogfish. Using DnsValidatedCertificate and happily destroying and rebuilding environments in our DEV account - which is new and hasn’t been used for anything else yet.

So yeah, after 20 times of deleting and creating new certificates, I bumped into the same error. My service quota is set to the default value - 2000.

The issue is on AWS’s side here - either an undocumented, invisible limit, or the service quota isn’t respected. I filed a support request. Unfortunately, the DEV account is on a basic support plan; it might never be addressed.

I’m not keen on reproducing this on a PROD account with a premium support plan just for the sake of filing a request with some support SLA.

It’s sad because the POC for our CI/CD strategy with CDK worked well so far - we effortlessly spin up a new dedicated environment when PRs are opened and destroy them again when the PR is merged.

7 reactions
AlexandreDeRiemaecker commented, Mar 18, 2020

Thanks, nice article @fogfish.

In the meantime, AWS support fixed my issue by setting the quota to 2000 (which actually should be the default). The assumption that the default quota of 2000 is not used was true.

Under the lines, I got the following response: “[…] However please be noted that new AWS accounts may start with a quota lower than the default value[…]”.

I gave the feedback that I’m not necessarily against newer accounts having further limitations, but then it should be visible in the service quota console, at least. Also, it would be even better if the restriction is lifted when the account joins an older AWS organization (it’s been a decade!).

Thanks for the nice article @fogfish. We’ll probably use a wildcard certificate once we come near the limit of 2000. Because our AWS accounts are per team and environment, I’d say that staying under 2000 cert requests per year is doable. We build up a temporary environment when PRs are opened, and destroy it when it’s merged. I guess it would take a lot to reach 2000 PRs in a year.
