aws-certificatemanager: Bring back/keep DnsValidatedCertificate #26714

Closed
2 tasks
guentherwieser opened this issue Aug 10, 2023 · 2 comments
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager duplicate This issue is a duplicate. feature-request A feature should be added or improved.

Comments

@guentherwieser

Describe the feature

DnsValidatedCertificate has been marked deprecated. The recommended solution is to use Certificate, and provide/use a CertificateValidation implementation. Unfortunately, when using certificates in another region, there is no smooth transition for DnsValidatedCertificates when e.g. the domain name is built using a value from a parameter store of another region.

Also, we cannot use the output of the core stack to feed the domain name value into the certificate stack (this is a recommended solution for many use cases), as we would create a circular reference - we simply need the certificate in the core stack (CloudFront, API Gateway, etc.).

Example: core deployment happens to eu-central-1, for CloudFront the certificate has to go to us-east-1. The domain name to use is built partly from a parameter store value in eu-central-1. When creating a dedicated stack for the certificate, during synth it will fail with

Error: Stack "XXXStack" cannot reference {YYYStack/SsmParameterValue:<some-ref>.Parameter[Ref]} in stack "YYYStack". Cross stack references are only supported for stacks deployed to the same account or between nested stacks and their parent stack

Maybe I'm missing something important here, but I don't see how one will be able to create a Certificate with a domain name where parts of the domain name come from Parameter Store values from another region. Thus, a migration path away from DnsValidatedCertificate does not exist.

Use Case

Create Certificate in one region with dependencies to values from another region.

Proposed Solution

Either keep DnsValidatedCertificate, provide a "region" property on Certificate that is independent from the Stack it is bound to, or provide other means to cross-reference parameter store values from another region.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.87.0

Environment details (OS name and version, etc.)

MacOS, Linux, Windows

@guentherwieser guentherwieser added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 10, 2023
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Aug 10, 2023
@peterwoodworth peterwoodworth added duplicate This issue is a duplicate. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 11, 2023
@peterwoodworth
Contributor

See #25343

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
