Validating a AWS ACM Certificate using aws.acm.CertificateValidation in Pulumi using python

Question

In Pulumi I create a ACM Certificate with a domain-name and a number of SAN. This is set to get verified using DNS.

The Route53 records get created using the following function. This works as expected in that the records get created and the certificate status changes to valid in AWS.

    # Create and add CNAME for DNS validate for ACM Cert
    def add_acm_validation_records(self, cert: aws.acm.Certificate) -> list:
        valid_fqdns = cert.domain_validation_options.apply(
            lambda o: self.iterate_records(o)
        )
        return valid_fqdns
    
    def iterate_records(self, validation_options):
        fqdns = []
        for record_to_add in validation_options:
            record = aws.route53.Record(
                f"r53-acm-verify-{record_to_add.domain_name}",
                allow_overwrite=True,
                name=record_to_add.resource_record_name,
                ttl=60,
                type=record_to_add.resource_record_type,
                records=[record_to_add.resource_record_value],
                zone_id=self.__customer_zone.zone_id,
            )
            fqdns.append(record.fqdn)
        return fqdns

I am not able to verify the list of fqdns in the list. At the moment I cant figure out how to pint them out.

The list of fqdns get passed to the following function:

    def validate(self, fqdns: list) -> aws.acm.Certificate:
        cert_validation = aws.acm.CertificateValidation(
            f"{self.__customer_code}-cert-validation",
            certificate_arn=self.__customer_cert.arn,
            validation_record_fqdns=[pulumi.Output.all(fqdns).apply(lambda l: f"{l}")],
            opts=pulumi.ResourceOptions(provider=self.__aws_provider_west_2),
        )

This gives me the error following error:

  aws:acm:CertificateValidation (abcd-cert-validation):
    error: 1 error occurred:
        * 3 errors occurred:
        * missing *.api.abcd.sanda.XXXXXXXX.co.uk DNS validation record: _AAAAAAAA.api.abcd.sanda.XXXXXXXX.co.uk
        * missing *.web.abcd.sanda.XXXXXXXX.co.uk DNS validation record: _BBBBBBBB.web.abcd.sanda.XXXXXXXX.co.uk
        * missing *.abcd.sanda.XXXXXXXX.co.uk DNS validation record: _CCCCCCCC.abcd.sanda.XXXXXXXX.co.uk

I have verified that the 3 records mentioned above are in AWS Route53 so I am not sure why Pulumi thinks they are missing ...

At this point the Certificate in AWS has change its status from Pending to Issued so i believe the configuration code is okay but not the verification part.

If anyone can spot my mistake or a way to troubleshoot this please let me know.

Answer 1

This was the solution i come up with. Posting as it may save someone else allot of time trying to figure this out. It feels like a very heavy handed or convoluted way of doing things compare to say terraform but i am fairly new to Pulumi so my guess would be there is a far better way of doing it and I am over engineering the solution.

    # Note: This was a list of x elements and has been converted to a list of 1 element
    def iterate_fqdns(self, fqdns):
        cert_validation = aws.acm.CertificateValidation(
            f"{self.__customer_code}-cert-validation",
            certificate_arn=self.__customer_cert.arn,
            validation_record_fqdns=fqdns[0],
            opts=pulumi.ResourceOptions(provider=self.__aws_provider_west_2),
        )

    # Set the validation parameters for the cert
    def validate(self, fqdns: list) -> aws.acm.Certificate:
        pulumi.Output.all(fqdns).apply(lambda o: self.iterate_fqdns(o))