certificatemanager: Route 53 records not cleaned up after removing DNS Validated Certificate #3333

@rubenfonseca

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior?

Following this code:

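import * as route53 from '@aws-cdk/aws-route53';
import * as certificateManager from '@aws-cdk/aws-certificatemanager';

// Inside a Stack constructor: a hosted zone plus a DNS-validated certificate in it.
const zone = new route53.HostedZone(this, 'zone', { zoneName: 'bar.com' });

new certificateManager.DnsValidatedCertificate(this, 'cert', {
  hostedZone: zone,
  domainName: 'foo.bar.com',
});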

An ACM certificate is created and validated via DNS. However, when you destroy the stack, it fails with the following error (Service: AmazonRoute53; Status Code: 400; Error Code : HostedZoneNotEmpty ...

  • What is the expected behavior (or behavior of feature suggested)?

The stack was destroyed cleanly.

  • What is the motivation / use case for changing the behavior or adding this feature?

A stack created by CDK should naturally be destroyable. Checking the lambda resource that handles the validation, I can see that when the resource is destroyed, no attempt is made to clean up the route53 record. This explains why it fails.

  • Please tell us about your environment:

    • CDK CLI Version: 1.0.0
    • Module Version: 1.0.0
    • OS: [all]
    • Language: [TypeScript]
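
A sketch of the cleanup the report says is missing, as an added example that is not part of the original issue or the CDK code base: it picks the ACM validation CNAME for a domain out of a zone listing and builds the Route 53 `DELETE` change batch for it. `isAcmValidationRecord`, `buildCleanupChangeBatch` and the sample records are hypothetical, and the code assumes validation targets end in `acm-validations.aws.`.

```typescript
// Added example; the interface mirrors the Route 53 ResourceRecordSet shape.
interface ResourceRecordSet {
  Name: string;
  Type: string;
  TTL?: number;
  ResourceRecords?: { Value: string }[];
}
interface Change { Action: 'DELETE'; ResourceRecordSet: ResourceRecordSet; }

// Normalize to a lower-case, fully qualified name with a trailing dot.
function fqdn(name: string): string {
  const n = name.toLowerCase();
  return n.charAt(n.length - 1) === '.' ? n : n + '.';
}

// True for the CNAME that ACM DNS validation adds for domainName: one
// underscore-prefixed label directly under the domain, pointing at ACM.
function isAcmValidationRecord(rrs: ResourceRecordSet, domainName: string): boolean {
  if (rrs.Type !== 'CNAME') return false;
  const name = fqdn(rrs.Name);
  const firstDot = name.indexOf('.');
  const targets = rrs.ResourceRecords || [];
  return name.charAt(0) === '_'
    && name.slice(firstDot + 1) === fqdn(domainName)
    && targets.length > 0
    && targets.every(t => /\.acm-validations\.aws\.$/.test(fqdn(t.Value)));
}

// Route 53 only accepts a DELETE whose record set matches the existing one
// exactly (name, type, TTL, values), so each record is passed through unchanged.
function buildCleanupChangeBatch(records: ResourceRecordSet[], domainName: string): { Changes: Change[] } {
  const Changes = records
    .filter(r => isAcmValidationRecord(r, domainName))
    .map((r): Change => ({ Action: 'DELETE', ResourceRecordSet: r }));
  return { Changes };
}

// Constructed zone listing; every name and value here is made up.
const sampleZone: ResourceRecordSet[] = [
  { Name: 'bar.com.', Type: 'NS', TTL: 172800, ResourceRecords: [{ Value: 'ns-1.example.net.' }] },
  { Name: '_0123abcd.foo.bar.com.', Type: 'CNAME', TTL: 60, ResourceRecords: [{ Value: '_4567efgh.xyz.acm-validations.aws.' }] },
  { Name: '_89abcdef.other.bar.com.', Type: 'CNAME', TTL: 60, ResourceRecords: [{ Value: '_aa11bb22.xyz.acm-validations.aws.' }] },
  { Name: '_dmarc.bar.com.', Type: 'CNAME', TTL: 300, ResourceRecords: [{ Value: 'dmarc.example.net.' }] },
];

console.log(JSON.stringify(buildCleanupChangeBatch(sampleZone, 'foo.bar.com'), null, 2));
```

The returned object has the shape of the `ChangeBatch` parameter of Route 53's `ChangeResourceRecordSets` call; records for other domains and unrelated underscore CNAMEs are left alone.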

Labels: @aws-cdk/aws-certificatemanager (Related to Amazon Certificate Manager), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p2
