AWS CDK Python - Certificate Manager DNS Validation with Route53

Question

I have been trying to set up DNS Certificate Validation using CDK in Python.

My code looks like this:

class ApiService(core.Construct):
  def __init__(self, scope: core.Construct, id: str, env: str) -> None:
# set up hosted zone for existing Domain in Route53
    hosted_zone = aws_route53.HostedZone(self, "devHostedZone", zone_name="example.com")
# Create validation from DNS with hosted zone
    cert_validation = CertificateValidation.from_dns(hosted_zone)
    subj_alt_names = ['example.com', '*.example.com']
# DNS Validated certificate in zone, for domain and alternate names in specified region (for edge enabled APIs)
    cert_dns_val = DnsValidatedCertificate(
      self,
      'DnsValidation',
      hosted_zone=hosted_zone,
      domain_name='example.com',
      subject_alternative_names=subj_alt_names,
      region='us-east-1', 
      validation=cert_validation)
# Set up the gateway with domain name settings
    api = apigateway.RestApi(
      self, 
      "My-api", 
      rest_api_name="My API", 
      description="A Lambda that contains the REST API for My API.", 
      domain_name=apigateway.DomainNameOptions(certificate=cert_dns_val, domain_name=env+".example.com")
      )
# Finally create A Record to route incoming requests internally to the API Gateway that was just created
    target = aws_route53.RecordTarget.from_alias(alias.ApiGateway(api))
    record = ARecord(self, 'ARecord', target=target, zone=hosted_zone, record_name=env+".example.com")

The problem that I can not seem to get my head around is

1. how I can tell AWS through CDK to set up the required DNS CNAME records in order to validate the Certificate and
2. How I can set it to TLS 1.2 by default (not TLS 1.0)

The issue I see using this:

1. there are 3 certificates generated in the ACM (AWS Certificate Manager) in the console. -> this is wrong, it should only produce a single one
2. CDK does not seem to add the CNAME record automatically, so I tried adding it manually whilst CloudFormation is in progress. However, that did not work either.

Its important to add that all 6 generated CNAME Records are identical, so it will always only require a single CNAME record in the hosted zone config in Route53 (which I set, but did not seem to make a difference)

Answer 1

I managed to figure out a way so that there is only one certificate generated.

Instead of:

# Create validation from DNS with hosted zone
cert_validation = CertificateValidation.from_dns(hosted_zone)
subj_alt_names = ['example.com', '*.example.com']
# DNS Validated certificate in zone, for domain and alternate names in specified region (for edge enabled APIs)
cert_dns_val = DnsValidatedCertificate(
  self,
  'DnsValidation',
  hosted_zone=hosted_zone,
  domain_name='example.com',
  subject_alternative_names=subj_alt_names,
  region='us-east-1', 
  validation=cert_validation)

I wrote

cert_dns_val = DnsValidatedCertificate(
  self,
  'DnsValidation',
  hosted_zone=hosted_zone,
  domain_name='*.example.com',
  region='us-east-1')

I do not know or understand why this works, but will take it anyways.

The second issue is the timeout. I have found some explanation for why this is happening in the following links

• https://github.com/aws/aws-cdk/issues/2914
• https://github.com/aws/aws-cdk/pull/8552
• https://github.com/aws/aws-cdk/issues/3912

It seems like AWS CDK is using Lambda's to run the CloudFormation. Unfortunately Lambdas have a maximum time to live of 9 minutes and 30 seconds. The DNS Record however can take a bit longer than that, and sometimes a fair bit longer (up to 30 minutes). I am not sure how to solve this issue, but I might need to create separate Stacks (with some waiting in-between) as this would instruct separate Lambda workers