Issue with ACM Certs and Route53 in cdktf

Hey,

I have been trying to create an ACM Cert and use the domain validation options to create the Route53 configuration, but I’m getting this error:

Error: Invalid index

  on cdk.tf.json line 91, in resource.aws_route53_record.fresh-paint-dns-record:
  91:         "type": "${aws_acm_certificate.fresh-paint-cert.domain_validation_options.0.resource_record_type}",

This value does not have any indices.

I’m using the typescript cdk and have created this function:

export function createCertAndRecord(
  scope: Construct,
  provider: AwsProvider,
  domainName: string,
  zoneId: string
) {
  const cert = new AcmCertificate(scope, "cert", {
    provider,
    domainName,
    validationMethod: "DNS",
    lifecycle: {
      createBeforeDestroy: true,
    },
  });

  const { fqdn } = new Route53Record(scope, "dns-record", {
    allowOverwrite: true,
    name: cert.domainValidationOptions("0").resourceRecordName,
    type: cert.domainValidationOptions("0").resourceRecordType,
    records: [cert.domainValidationOptions("0").resourceRecordValue],
    zoneId,
    ttl: 300,
  });

  new AcmCertificateValidation(scope, "cert-validation", {
    provider,
    certificateArn: cert.arn,
    validationRecordFqdns: [fqdn],
  });

  return cert;
}

Other than the lifecycle, it seems to be very similar to this example.

Here are the versions of cdktf and the aws provider that I’m using (I get the same error with the generated version):

@cdktf/provider-aws: 1.0.28
cdktf 0.2.0

Any help with this would be greatly appreciated.

Support for this is a bit sub-par at this time, but take a look at this issue for some workarounds.

Can anyone elaborate on what the workaround is? I looked at the issue referenced by @jsteinich and I’m scratching my head.

I’m trying to include SANs in my validation process:

        const orgCertificate = new AcmCertificate(this, 'org-certificate', {
            domainName: orgZone.name,
            validationMethod: 'DNS',

            subjectAlternativeNames: args.SANs,

            lifecycle: {
                createBeforeDestroy: true
            }
        })
        
        let namesIndex = (orgCertificate.subjectAlternativeNames.length + 1)
        let validationRecords: string[] = []

        for (let i = 0; i < namesIndex; i++) {
            let currentIndex = i.toString()
            validationRecords.push(
                new Route53Record(this, `org-validation-options-${currentIndex}`, {
                    name: orgCertificate.domainValidationOptions(currentIndex).resourceRecordName,
                    type: orgCertificate.domainValidationOptions(currentIndex).resourceRecordType,
                    zoneId: orgZone.zoneId,
                    ttl: 60,
                    records: [ orgCertificate.domainValidationOptions(currentIndex).resourceRecordValue ],
                    allowOverwrite: true
                }).fqdn
            )
        }

        new AcmCertificateValidation(this, 'org-certificate-validation', {
            certificateArn: orgCertificate.arn,
            validationRecordFqdns: validationRecords
        })

You can’t actually iterate over the certificate’s properties since they aren’t actually known until the infrastructure is being deployed.
This comment is doing what I believe you are trying to accomplish.
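
The point made in the last reply, as an added example that is not code from the thread or from the linked issue: instead of indexing `domain_validation_options` in TypeScript, the iteration is written as a Terraform `for_each` expression that is resolved at apply time, following the pattern in the AWS provider documentation. It assumes the attribute is a set (as in AWS provider 3.x), builds the Terraform JSON directly so it runs without cdktf installed, and uses constructed resource ids and a constructed zone id.

```typescript
// Added example, not code from the thread. Resource ids are constructed.
type Json = Record<string, unknown>;

// for_each expression: Terraform walks the set at apply time, so TypeScript
// never has to index or count domain_validation_options.
function validationForEach(certId: string): string {
  const set = `aws_acm_certificate.${certId}.domain_validation_options`;
  return "${{ for dvo in " + set + " : dvo.domain_name => { " +
    "name = dvo.resource_record_name, " +
    "record = dvo.resource_record_value, " +
    "type = dvo.resource_record_type } }}";
}

// Terraform JSON for one record per validation option (domain name and every
// SAN) plus the validation resource, which collects every record's fqdn.
function validationResources(certId: string, recordId: string, zoneId: string): Json {
  return {
    aws_route53_record: {
      [recordId]: {
        for_each: validationForEach(certId),
        allow_overwrite: true,
        name: "${each.value.name}",
        type: "${each.value.type}",
        records: ["${each.value.record}"],
        ttl: 60,
        zone_id: zoneId,
      },
    },
    aws_acm_certificate_validation: {
      [`${certId}-validation`]: {
        certificate_arn: "${aws_acm_certificate." + certId + ".arn}",
        validation_record_fqdns:
          "${[for r in aws_route53_record." + recordId + " : r.fqdn]}",
      },
    },
  };
}

// Check for synthesized output (cdk.tf.json text): list the references that
// index the set and would fail with "Invalid index".
function findIndexedRefs(synthesized: string): string[] {
  const re = /aws_acm_certificate\.[\w-]+\.domain_validation_options\.\d+\.\w+/g;
  return synthesized.match(re) ?? [];
}
```

In a cdktf stack, one way to apply these values is the `addOverride` escape hatch on the `Route53Record` and `AcmCertificateValidation` constructs (for example `record.addOverride("for_each", validationForEach("cert"))`); that this matches the linked workaround is an assumption, since the comment is not reproduced here.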