fix(DnsValidatedCertificate): add support for subjectAlternativeNames#6516
fix(DnsValidatedCertificate): add support for subjectAlternativeNames#6516touzoku wants to merge 16 commits intoaws:masterfrom touzoku:master
Conversation
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
skinny85
left a comment
There was a problem hiding this comment.
Thanks for the contribution @touzoku !
But I have to say, I don't follow the change here that well. Can you write a short paragraph explaining what needed changing to support SubjectAlternativeNames? From what I can tell, code dealing with them was there already, so I'm not sure what was it that needed changing.
| code: lambda.Code.fromAsset(path.resolve(__dirname, '..', 'lambda-packages', 'dns_validated_certificate_handler', 'lib')), | ||
| handler: 'index.certificateRequestHandler', | ||
| runtime: lambda.Runtime.NODEJS_10_X, | ||
| runtime: lambda.Runtime.NODEJS_12_X, |
There was a problem hiding this comment.
Updated nodejs version to the most recent runtime, since this is the only 10.x function in my stacks now. But yes, irrelevant to the PR, side fix.
There was a problem hiding this comment.
Can you bring it back to NODEJS_10_X then? I will also accept a property that allows you to set it to NODEJS_12_X (but the default should be NODEJS_10_X) 🙂.
| event.ResourceProperties.SubjectAlternativeNames, | ||
| event.ResourceProperties.HostedZoneId, | ||
| event.ResourceProperties.Region, | ||
| event.ResourceProperties.Region |
There was a problem hiding this comment.
Please do not remove this trailing comma.
There was a problem hiding this comment.
@skinny85 I did not! The eslint config in the package did!
| }] | ||
| } | ||
| }; | ||
| }) |
There was a problem hiding this comment.
Can you explain why this change in logic is needed in this PR?
There was a problem hiding this comment.
As @saltman424 mentioned below and as it is pointed out in #4659, current logic only creates a single Route53 validation record and misses creating all other records for subjectAlternativeNames.
...ws-certificatemanager/lambda-packages/dns_validated_certificate_handler/test/handler.test.js
Outdated
Show resolved
Hide resolved
...ws-certificatemanager/lambda-packages/dns_validated_certificate_handler/test/handler.test.js
Outdated
Show resolved
Hide resolved
| describeCertificateFake.resolves({ | ||
| Certificate: { | ||
| CertificateArn: testCertificateArn, | ||
| DomainValidationOptions: [{ |
There was a problem hiding this comment.
Indent this like the following:
DomainValidationOptions: [
{
ValidationStatus: 'SUCCESS',
ResourceRecord: {
Name: testRRName,
Type: 'CNAME',
Value: testRRValue,
},
},
{
ValidationStatus: 'SUCCESS',
ResourceRecord: {
Name: testAltRRName,
Type: 'CNAME',
Value: testAltRRValue,
},
},
],There was a problem hiding this comment.
@skinny85 I have added a rule config to the .eslintrc.json of the lambda-package as follows:
"comma-dangle": ["error", {
"arrays": "always-multiline",
"objects": "always-multiline",
"imports": "never",
"exports": "never",
"functions": "never"
}],
"array-bracket-newline": ["error", {
"multiline": true
}]And ran eslint --fix on both lib/index.js and test/handler.test.js. Let me know if this is what you want. This created a lot of mess, because test/handler.test.js did not follow the convention that you have requested that much....
Let me know if this is what you've wanted. Otherwise, tell me what the eslint config should be.
There was a problem hiding this comment.
I'd rather the .eslintrc.json file not be modified, and to minimize incidental changes to the lambda code not related to the logic changes.
@skinny85 Since I ran into the same issue and had actually also made my own fix, I can give you a quick answer. If you look at lines 110 and 127 - 137 of what is being changed by: Long story short, the implementation before this pull request only added a single validation record for the domainName, not any of the subjectAlternativeNames. Thus, any DnsValidatedCertificates that specified subjectAlternativeNames would fail to deploy because the certificate would never be completely validated. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Once all the requested changes have been addressed, and the PR is ready for another review, remember to dismiss the review. |
Yes, this PR looks quite good, and I really didn't have comments beyond the Feel free to take it over. Unfortunately, I don't think you can update this PR directly, but we can close it after yours is opened. |
|
I figured out why he changed the ~/dev/git/aws/aws-cdk/packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib $ eslint index.js
/Users/rbowen/dev/git/aws/aws-cdk/packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js
39:25 error Unexpected trailing comma comma-dangle
50:46 error Unexpected trailing comma comma-dangle
51:8 error Unexpected trailing comma comma-dangle
95:28 error Unexpected trailing comma comma-dangle
106:53 error Unexpected trailing comma comma-dangle
133:55 error Unexpected trailing comma comma-dangle
134:12 error Unexpected trailing comma comma-dangle
136:9 error Unexpected trailing comma comma-dangle
138:31 error Unexpected trailing comma comma-dangle
146:22 error Unexpected trailing comma comma-dangle
148:34 error Unexpected trailing comma comma-dangle
156:22 error Unexpected trailing comma comma-dangle
158:51 error Unexpected trailing comma comma-dangle
179:28 error Unexpected trailing comma comma-dangle
202:26 error Unexpected trailing comma comma-dangle
✖ 15 problems (15 errors, 0 warnings)
15 errors and 0 warnings potentially fixable with the `--fix` option.It seems to me the changes @touzoku made in Shouldn't the Anyways... new PR incoming! 👍 diff --git b/packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/.eslintrc.json a/packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/.eslintrc.json
index 12a6e88f4..483a623f6 100644
--- b/packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/.eslintrc.json
+++ a/packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/.eslintrc.json
@@ -1,10 +1,20 @@
{
"extends": "standard",
"rules": {
- "semi": ["error", "always"]
+ "semi": ["error", "always"],
+ "comma-dangle": ["error", {
+ "arrays": "always-multiline",
+ "objects": "always-multiline",
+ "imports": "never",
+ "exports": "never",
+ "functions": "never"
+ }],
+ "array-bracket-newline": ["error", {
+ "multiline": true
+ }]
},
"env": {
"jest": true,
"node": true
}
-}
+}
\ No newline at end of file |
Then ignore my comments, and keep the style that passes ESLint :) |
|
I think this PR is obsolete now, somebody else fixed the issue in a different PR. |
Hi @touzoku! The issue isn't fixed yet (at least, for me). I still get an error when I attempt to create a DNS Validated Certificate with too many subject alternative names. Looking at the latest version of the |
|
Looks like CloudFormation natively supports DNS Validation for ACM Certificates now. aws-cloudformation/cloudformation-coverage-roadmap#31 (comment) I think perhaps a better PR at this point would be to add the native CFN support to the L2 Construct :) Gets rid of one more pesky CustomResource and Lambda Function. |
…icate Automatically adding Amazon Route 53 CNAME records for DNS validation is now natively supported by CloudFormation. Add a `validation` prop to `Certificate` to handle both email and DNS validation. Deprecate `DnsValidatedCertificate`. The default remains email validation (non-breaking). Closes aws#5831 Closes aws#5835 Closes aws#6081 Closes aws#6516 Closes aws#7150 Closes aws#7941 Closes aws#7995 Closes aws#7996
…cate Automatically adding Amazon Route 53 CNAME records for DNS validation is now natively supported by CloudFormation. Add a `validation` prop to `Certificate` to handle both email and DNS validation. Deprecate `DnsValidatedCertificate`. The default remains email validation (non-breaking). Closes aws#5831 Closes aws#5835 Closes aws#6081 Closes aws#6516 Closes aws#7150 Closes aws#7941 Closes aws#7995 Closes aws#7996
|
The "native" (a.k.a. CloudFormation) DNS validated certificate totally worked with SAN's and everything, first try, boom! Here's how for anyone looking for a workaround instead of the above import { Certificate } from '@aws-cdk/aws-certificatemanager';
import { HostedZone } from '@aws-cdk/aws-route53';
import { CfnResource, Lazy } from '@aws-cdk/core';
// ... snip
this.hostedZone = HostedZone.fromLookup(this, 'hostedZone', {
domainName: this.envDomainName,
});
this.cfnCertificate = new CfnResource(this, 'cfnCertificate', {
type: 'AWS::CertificateManager::Certificate',
properties: {
DomainName: this.envDomainName,
SubjectAlternativeNames: [`*.${this.envDomainName}`],
ValidationMethod: 'DNS',
DomainValidationOptions: [
{
DomainName: this.envDomainName,
HostedZoneId: this.hostedZone.hostedZoneId,
},
],
},
});
this.tlsCertificate = Certificate.fromCertificateArn(
this,
'certificateArn',
Lazy.stringValue({ produce: () => this.cfnCertificate.ref }),
); |
…cate (#8552) Automatically adding Amazon Route 53 CNAME records for DNS validation is now natively supported by CloudFormation. Add a `validation` prop to `Certificate` to handle both email and DNS validation. `DnsValidatedCertificate` is now only useful for cross-region certificate creation. The default remains email validation (non-breaking). Closes #5831 Closes #5835 Closes #6081 Closes #6516 Closes #7150 Closes #7941 Closes #7995 Closes #7996 Closes #8282 Closes #8659 Closes #8783 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
.eslintrc.jsrules in the first place?)lambda.Runtime.NODEJS_12_Xin packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.tsFixes #4659
cc @skinny85
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license