
I've recently started to get into AWS CloudFormation, specifically CDK.

I first added a domain manually from the Management Console to Route 53. Then, I copied the NS records that AWS picked to my domain provider. I've also made a certificate on the ACM using the DNS-recommended verification. It took AWS a while to issue it, as my domain provider mentioned that the DNS updates happen at fixed times every day (4 times a day), so the Route 53 zone NS records were not pointed out yet. The next day, the certificate was issued.

I then decided to recreate everything, but this time using CDK only. It worked fine the first time I deployed it, but then I realized I hadn't removed the older entities of my domain, and as a result, I had two different certificates and Route 53 zones of my domain. I deleted the manually created entities and my stack so I could redeploy it.

The problem is, this time, the CDK deployment was stuck on the CertificateManager part:

[█████████████████████████████████████████████·············] (14/18)

5:14:03 PM | CREATE_IN_PROGRESS   | AWS::CloudFormation::Stack           | TestApiStack
5:15:30 PM | CREATE_IN_PROGRESS   | AWS::CertificateManager::Certificate | TestApiCertificate

Code:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class TestApiStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const domainName = 'test.com';

    // Define Route53 hosted zone (a new zone gets a freshly assigned NS set)
    const zone = new cdk.aws_route53.HostedZone(this, 'TestApiHostedZone', {
      zoneName: domainName,
    });

    // Define certificate manager: DNS validation writes a CNAME into the zone above,
    // so validation only completes if the registrar delegates the domain to that zone
    const certificate = new cdk.aws_certificatemanager.Certificate(this, 'TestApiCertificate', {
      domainName: domainName,
      validation: cdk.aws_certificatemanager.CertificateValidation.fromDns(zone),
    });
  }
}

I assume that AWS waits for the certificate to be verified, while this will never happen due to the new random NS records of the freshly generated Route 53 zone.

What is the best way to approach this problem, assuming this is the case? Is it to edit the NS records to those my domain provider already points to? Or create the Route 53 zone manually from the Console, point to the new NS servers from my domain provider, and then use the existing domain (cdk.aws_route53.HostedZone.fromLookup)?

  • If you were to register the domain with AWS (and maybe if you transferred there) you would have a Route 53 zone automatically created. So saying the zone is not part of CDK is not too bad. The hosted zone ID can be passed as a stack parameter. If you want the zone in the stack it's just a question of order of operations. You can use a Condition to disable the certificate (and everything that depends on it) on the first pass of the stack, then update the DNS provider's records, then turn back on the certificate. Hosted zones have enough settings that I'd choose the latter option. – erik258 Jan 27 '23 at 16:49
  • @erik258 Good points, I will try the second one. Thanks for the helpful advice. – Aviv Dolev Jan 27 '23 at 17:12
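The check a practitioner would want before waiting on ACM is the one the question's conjecture rests on: does the registrar actually delegate the domain to the Route 53 zone the stack created? The script below is an added example, not code from the question or from AWS. It assumes the AWS CLI and dig are installed and credentialed; the hosted zone ID in the usage line is a placeholder. The set-comparison helpers run offline; check_delegation and check_validation_record are the live checks you would run between the first deploy (zone only) and the second (certificate) in the two-pass approach erik258 describes.

```shell
#!/bin/sh
# Added example (not code from the question or from AWS): verify, before
# expecting ACM DNS validation to finish, that the registrar actually delegates
# the domain to the Route 53 hosted zone the stack uses. The live checks need
# the AWS CLI and dig; the set-comparison helpers are plain POSIX shell.

# Normalize a whitespace-separated list of DNS names: one per line, lowercase,
# no trailing dot, sorted, duplicates removed.
normalize_ns() {
  printf '%s\n' "$@" | tr ' \t' '\n\n' | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# ns_sets_match EXPECTED ACTUAL: exit 0 only when both lists name the same
# servers after normalization. An empty EXPECTED never matches.
ns_sets_match() {
  expected=$(normalize_ns "$1")
  actual=$(normalize_ns "$2")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# missing_ns EXPECTED ACTUAL: print the servers in EXPECTED that ACTUAL lacks.
missing_ns() {
  actual=$(normalize_ns "$2")
  normalize_ns "$1" | while IFS= read -r ns; do
    printf '%s\n' "$actual" | grep -qxF "$ns" || printf '%s\n' "$ns"
  done
}

# check_delegation DOMAIN HOSTED_ZONE_ID: compare the NS set Route 53 assigned
# to the zone with what public DNS returns for the domain. A mismatch is the
# "certificate stuck in CREATE_IN_PROGRESS" situation from the question.
check_delegation() {
  domain=$1
  zone_id=$2
  zone_ns=$(aws route53 get-hosted-zone --id "$zone_id" \
    --query 'DelegationSet.NameServers' --output text)
  public_ns=$(dig +short NS "$domain" @1.1.1.1)
  if ns_sets_match "$zone_ns" "$public_ns"; then
    echo "OK: $domain is delegated to hosted zone $zone_id"
    return 0
  fi
  echo "MISMATCH: public DNS does not delegate $domain to zone $zone_id" >&2
  echo "Zone name servers not visible publicly:" >&2
  missing_ns "$zone_ns" "$public_ns" >&2
  return 1
}

# check_validation_record CERT_ARN: show the CNAME ACM is waiting for and
# whether public DNS already resolves it to the expected value.
check_validation_record() {
  aws acm describe-certificate --certificate-arn "$1" \
    --query 'Certificate.DomainValidationOptions[].ResourceRecord.[Name,Value]' \
    --output text |
  while read -r name value; do
    resolved=$(dig +short CNAME "$name" @1.1.1.1)
    if [ "$(normalize_ns "$resolved")" = "$(normalize_ns "$value")" ]; then
      echo "OK: $name -> $value"
    else
      echo "PENDING: $name does not resolve to $value (got: ${resolved:-nothing})"
    fi
  done
}

# Usage (needs AWS credentials; the zone ID is a placeholder):
#   sh check_delegation.sh test.com ZPLACEHOLDER0000
if [ $# -ge 2 ]; then
  check_delegation "$1" "$2"
fi
```

A public resolver caches the parent zone's NS records, so after changing the delegation at the registrar the check can lag by the NS TTL, on top of the registrar's own fixed update windows mentioned in the question. When check_delegation reports OK and check_validation_record reports OK for every record, ACM has everything it needs and the stuck CREATE_IN_PROGRESS should clear; if it reports MISMATCH, no amount of waiting on the stack will help and the delegation (or the zone the stack uses) has to change first.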
