CDK does not have a built-in construct to manage cross-region or cross-account DNS-validated certificates. There is an attempt to work around the issue with the cross-region references option for stacks, but it has a lot of issues and still does not solve the cross-account use case.
This construct solves these problems by managing the certificate as a custom resource that makes direct API calls to ACM and Route53. In the future it will be possible to support not only Route53 but other DNS services too.
Usage for cross-region validation
```ts
import * as route53 from 'aws-cdk-lib/aws-route53'
// DnsValidatedCertificate is imported from this construct library

// hosted zone managed by the CDK application
const hostedZone: route53.IHostedZone = ...

// no separate validation role is needed
const certificate = new DnsValidatedCertificate(this, 'CrossRegionCertificate', {
  hostedZone: hostedZone,
  domainName: 'example.com', // must be compatible with the hosted zone
  certificateRegion: 'us-east-1', // used by, for example, CloudFront
})
```
Usage for cross-account validation
```ts
import * as iam from 'aws-cdk-lib/aws-iam'
import * as route53 from 'aws-cdk-lib/aws-route53'
// DnsValidatedCertificate is imported from this construct library

// external hosted zone
const hostedZone: route53.IHostedZone = route53.HostedZone.fromHostedZoneAttributes(this, 'HostedZone', {
  hostedZoneId: 'Z532DGDEDFS123456789',
  zoneName: 'example.com',
})

// validation role on the same account as the hosted zone
const roleArn = 'arn:aws:iam::123456789:role/ChangeDnsRecordsRole'
const externalId = 'domain-assume'
const validationRole: iam.IRole = iam.Role.fromRoleArn(this, 'ValidationRole', roleArn)

const certificate = new DnsValidatedCertificate(this, 'CrossAccountCertificate', {
  hostedZone: hostedZone,
  domainName: 'example.com',
  validationRole: validationRole,
  validationExternalId: externalId,
})
```
Usage for cross-account alternative names validation
```ts
import * as iam from 'aws-cdk-lib/aws-iam'
import * as route53 from 'aws-cdk-lib/aws-route53'
// DnsValidatedCertificate is imported from this construct library

// example.com is validated on the same account against the managed hosted zone,
// and secondary.com is validated against an external hosted zone on another account
const hostedZoneForMain: route53.IHostedZone = ...
const hostedZoneForAlternative: route53.IHostedZone = route53.HostedZone.fromHostedZoneAttributes(this, 'SecondaryHostedZone', {
  hostedZoneId: 'Z532DGDEDFS123456789',
  zoneName: 'secondary.com',
})

const certificate = new DnsValidatedCertificate(this, 'CrossAccountCertificate', {
  domainName: 'example.com',
  alternativeDomainNames: ['secondary.com'],
  validationHostedZones: [
    { hostedZone: hostedZoneForMain },
    {
      hostedZone: hostedZoneForAlternative,
      validationRole: iam.Role.fromRoleArn(this, 'SecondaryValidationRole', 'arn:aws:iam::123456789:role/ChangeDnsRecordsRole'),
      validationExternalId: 'domain-assume',
    },
  ],
})
```
About
CDK construct that allows cross region and cross account certificate validation