Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cloudfront: Route53 cname record not removed on stack deletion #7

Open
CompuGlobalHyperMegaNet-VP opened this issue Aug 19, 2019 · 12 comments
Open

Cloudfront: Route53 cname record not removed on stack deletion #7

CompuGlobalHyperMegaNet-VP opened this issue Aug 19, 2019 · 12 comments
Labels
enhancement New feature or request

Comments

@CompuGlobalHyperMegaNet-VP
Copy link

Hi,

using the sample code from cloudformation.yaml (version 1.7.1), generating a domain validated cert in ACM with an Route53 zone works fine. However, when the CF stack is removed, the ACM certificate is removed as expected, but the CNAME record used for initial domain validation remains in the Route53 hosted zone. Is this an intentional behavior or it that use case not covered as of yet? Or should that work, and I somehow missed something?
I could provide an CF stack and/or logfiles, if required.

Thanks in advance, and thanks providing this very useful module sample.

BR.
@dflook
Copy link
Owner

dflook commented Aug 19, 2019

Hi, thanks for creating an issue.

This is expected behaviour. I've observed ACM use the same validation record for identical but distinct Certificates. This makes it difficult to delete the records along with the certificate, as I can't be sure they aren't being used by another Certificate.

I'll leave this issue open while I check this is still the case.

@dflook
Copy link
Owner

dflook commented Aug 19, 2019
edited
Loading

I've just created a duplicate of an existing certificate using this custom resource, and ACM used the same validation record.

If the resource deleted the record when the certificate was deleted, the remaining certificate would fail to renew. I don't believe this behaviour can be safely implemented 😬

Is this required for your use case?

@dflook dflook closed this as completed Aug 19, 2019
@CompuGlobalHyperMegaNet-VP
Copy link
Author

CompuGlobalHyperMegaNet-VP commented Aug 20, 2019
edited
Loading

First, thank you for investigating that issue.

Is this required for your use case?

From a maintenance point of view, it would be desirable to avoid piling up deprecated CNAME records if there are no matching certificates left. It would be interesting to understand under which circumstances the same validation record is used for multiple certificates in ACM. As you created an duplicate of an existing certificate, it seems somehow understandable that they use the same validation record. However, I was not able to reproduce that with certs for different hosts/subdomains. Do you have additional insights here? If only multiple certs for the same domain are affected, one could image a check for the existence of other certs with the same subject, and if there are none delete the validation record as well?

Edit: Checked the AWS documentation.

https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html

  • Structure of generated validation record: The values are long random strings generated by ACM, so it's not a hash or something one can derive programmatically.

  • This seems to describe the behavior you observed:
    You can request additional ACM Certificates for your FQDN for as long as the DNS record remains in place. That is, you can create multiple certificates that have the same domain name. You do not need to get a new CNAME record.

  • Another case would be this particular example, where the validation record is the same for two "different" domains: ...the random string created by ACM for the wildcard name *.example.com is the same as that created for the base domain name example.com.

Assuming these two are the only exceptions from the rule, maybe it's possible to consider an improvement covering them, and otherwise delete the validation record.

Anyway, thanks for your time and the effort you put it here.

@dflook
Copy link
Owner

dflook commented Aug 20, 2019

I'm going to think about this a bit more :)

@dflook dflook reopened this Aug 20, 2019
@dflook dflook added the enhancement New feature or request label Aug 20, 2019
@gfodor
Copy link

gfodor commented Apr 7, 2020
edited
Loading

Thanks for this info - probably worthy of an option (off by default), for CF stacks for which it's known they are the exclusive thing managing the domain/SSL.

@gfodor
Copy link

gfodor commented Apr 7, 2020

the issue we've been hitting with this is that if you re-create a stack on the same domain and ACM chooses the same validator record, the step fails. so an alternative would be to ignore duplicate records.

@dflook
Copy link
Owner

dflook commented Apr 7, 2020
edited
Loading

Hi @gfodor, re-creating the same certificate should not fail and is a defect. Can you create another issue to describe what you've seen?

@gfodor
Copy link

gfodor commented Apr 7, 2020 via email

@jeff1evesque
Copy link

It's kind of hilarious - I opened a ticket with AWS about this feature. And they sent me a link to this GitHub repository:

I was also able to get an open GitHUb issue where the users have discussed about different use cases where the automatic deletion of the DNS validation records will be an issue. Please check and let me know if you have any questions.

#7

For now, I am going to resolve this case as the time frame is not guaranteed and usually will not be shared with the AWS Premium Support teams.

What in the world is this repository and issue going to do for me - magically fix the internal AWS infrastructure? Is this even an AWS codebase?

@dflook
Copy link
Owner

dflook commented Oct 2, 2020

@jeff1evesque I can confirm this is not an AWS codebase 😂.

This cloudformation resource pre-dates the ability for the AWS::CertificateManager::Certificate to do DNS validation.
It is still useful for cross-region certificates and cross-account validation, but won't help with removing unused validation records.

@linford-bacon
Copy link

I really can't see how this could possibly be described as 'working as intended'.

I have a CDK stack that provisions a Route53 hosted zone as a subdomain which is used solely routing to the stacks resources. When I create certificates, I use DNS validation against my newly created hosted zone.

This all works fine on creation, but rollback and destroy are BROKEN!

The stack can never roll-back correctly because the route53 hosted zone can never be deleted. Instead, the stack ends up in a broken state that requires manual intervention.

I think that what I am describing is a pretty standard way to use hosted zones through route53. As things stand it feels like the only options are:

  1. Manually setup and teardown hosted zones (i.e. they are just not supported by CDK/CloudFormation)
  2. Accept that all automated rollbacks/destroys won't work (i.e. essentially that CDK does not support CI/CD)

@linford-bacon
Copy link

Just as an update the functionality requested in this issue is actually available using acm.DnsValidatedCertificate via the cleanup_route53_records = True option. But not on the standard Certificate construct.

However, I understand that DnsValidatedCertificate is being deprecated in favour of Certificate, despite the latter not supporting the cleanup_route53_records or region options, making it essentially useless...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@gfodor @dflook @jeff1evesque @CompuGlobalHyperMegaNet-VP @linford-bacon