Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws-certificatemanager: DnsValidatedCertificate instances throw on applyRemovalPolicy #20649

Closed
IggyMi opened this issue Jun 7, 2022 · 6 comments · Fixed by #22040 or #22122
Closed
Assignees
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager bug This issue is a bug. documentation This is a problem with documentation. effort/small Small work item – less than a day of effort p2

Comments

@IggyMi
Copy link

IggyMi commented Jun 7, 2022

Describe the bug

Calling applyRemovalPolicy on DnsValidatedCertificate instances throws CfnResource error and fails to synthesize the stack.

Expected Behavior

Chosen retention policy should be applied to DnsValidatedCertificate created resources.

Current Behavior

Currently calling applyRemovalPolicy on DnsValidatedCertificate instance will throw

Error: Cannot apply RemovalPolicy: no child or not a CfnResource. Apply the removal policy on the CfnResource directly.
    at DnsValidatedCertificate.applyRemovalPolicy (/Users/ignotasmikalauskas/Projects/resq-infra/certificates/node_modules/aws-cdk-lib/core/lib/resource.ts:227:13)

Reproduction Steps

The error is thrown while attempting to run the following construct

import { Construct } from 'constructs';
import { DnsValidatedCertificate } from 'aws-cdk-lib/aws-certificatemanager';
import { RemovalPolicy } from 'aws-cdk-lib';
import { IHostedZone } from 'aws-cdk-lib/aws-route53';

export interface CertificateProps {
  hostedZone: IHostedZone;
  domainName: string;
  region: string;
}

export class Certificate extends Construct {
  constructor(scope: Construct, id: string, props: CertificateProps) {
    super(scope, id);

    const { domainName, region, hostedZone } = props;

    const certificate = new DnsValidatedCertificate(this, 'Certificate', {
      domainName: `*.${domainName}`,
      hostedZone,
      region
    });
    certificate.applyRemovalPolicy(RemovalPolicy.RETAIN);

   // ... business logic ...
  }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.24.1 (build 585f9ca)

Framework Version

No response

Node.js Version

v16.14.0

OS

macOS Monterey 12.2.1

Language

Typescript

Language Version

3.9.7

Other information

No response

@IggyMi IggyMi added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 7, 2022
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Jun 7, 2022
@peterwoodworth peterwoodworth added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jun 7, 2022
@peterwoodworth
Copy link
Contributor

This happens because the DnsValidatedCertificate doesn't leverage the CfnCertificate resource, but rather utilizes a custom resource. As a result, custom resources can't have removal policy set the same way as when using the CloudFormation resource directly.

We should call this out in the docs, and potentially support setting removal policy through the custom resource if possible

@peterwoodworth peterwoodworth added feature-request A feature should be added or improved. documentation This is a problem with documentation. and removed bug This issue is a bug. labels Jun 7, 2022
@ruebroad
Copy link

@peterwoodworth how is this not a bug? If the method is available and should work but doesn't - isn't that a bug?

@peterwoodworth
Copy link
Contributor

I think there are two problems here @ruebroad, one bug and one feature request

  1. The bug: DnsValidatedCertificate allows you to call applyRemovalPolicy(). This is a consequence of the construct extending CertificateBase which extends Resource
    I think we still ultimately want this construct to extend resource, so you will still be able to call this method. I think that we could override this method on DnsValidatedCertificate to give a more clear error message about how there is no underlying CfnResource for this construct.
  2. The FR: You cannot set the removal policy of DnsValidatedCertificate at all. This is a consequence of not being able to set the removal policy of custom resources the same way as most other Cfn resources, so it's not something that should work (though you're right, the method is available so we do claim to support it). We handle the deletion of the Certificate inside the custom resource here
    case 'Delete':
    physicalResourceId = event.PhysicalResourceId;
    // If the resource didn't create correctly, the physical resource ID won't be the
    // certificate ARN, so don't try to delete it in that case.
    if (physicalResourceId.startsWith('arn:')) {
    await deleteCertificate(
    physicalResourceId,
    event.ResourceProperties.Region,
    event.ResourceProperties.HostedZoneId,
    event.ResourceProperties.Route53Endpoint,
    event.ResourceProperties.CleanupRecords === "true",
    );
    }

    We could do something like create a removalPolicy prop for DnsValidatedCertificate which ends up getting parsed in the custom resource here.

@peterwoodworth peterwoodworth added bug This issue is a bug. and removed feature-request A feature should be added or improved. labels Jul 26, 2022
@vechorko
Copy link

just want to follow up this topic and know when it will be added in the next release

@peterwoodworth
Copy link
Contributor

This isn't something the team will be able to get to soon. The quickest way to see this in a new release is for the community to contribute it 🙂

@corymhall corymhall self-assigned this Sep 14, 2022
@mergify mergify bot closed this as completed in #22040 Sep 15, 2022
mergify bot pushed a commit that referenced this issue Sep 15, 2022
…Certificate (#22040)

This PR adds a method override for `applyRemovalPolicy` which allows the user to specify a removal policy for the `DnsValidatedCertificate` construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the `RemovalPolicy` is set to `retain`.

This is also needed to allow for an easier migration from `DnsValidatedCertificate` -> `Certificate`

fixes #20649


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

mergify bot pushed a commit that referenced this issue Oct 2, 2022
…Certificate (#22122)

This PR adds a method override for applyRemovalPolicy which allows the user to specify a removal policy for the DnsValidatedCertificate construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the RemovalPolicy is set to retain.

This is also needed to allow for an easier migration from DnsValidatedCertificate -> Certificate

reroll of #22040
This has the same changes as #22040 with the addition of some logic to handle only processing updates for certain parameters. If `RemovalPolicy` is changed for example, the update will not be processed.

I also added an integration test with some manual instructions. In order to test ACM certificates I also updated the integ-runner to handle some additional special env variables.

fixes #20649, fixes #14519


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
arewa pushed a commit to arewa/aws-cdk that referenced this issue Oct 8, 2022
…Certificate (aws#22122)

This PR adds a method override for applyRemovalPolicy which allows the user to specify a removal policy for the DnsValidatedCertificate construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the RemovalPolicy is set to retain.

This is also needed to allow for an easier migration from DnsValidatedCertificate -> Certificate

reroll of aws#22040
This has the same changes as aws#22040 with the addition of some logic to handle only processing updates for certain parameters. If `RemovalPolicy` is changed for example, the update will not be processed.

I also added an integration test with some manual instructions. In order to test ACM certificates I also updated the integ-runner to handle some additional special env variables.

fixes aws#20649, fixes aws#14519


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
homakk pushed a commit to homakk/aws-cdk that referenced this issue Dec 1, 2022
…Certificate (aws#22040)

This PR adds a method override for `applyRemovalPolicy` which allows the user to specify a removal policy for the `DnsValidatedCertificate` construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the `RemovalPolicy` is set to `retain`.

This is also needed to allow for an easier migration from `DnsValidatedCertificate` -> `Certificate`

fixes aws#20649


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
homakk pushed a commit to homakk/aws-cdk that referenced this issue Dec 1, 2022
…Certificate (aws#22122)

This PR adds a method override for applyRemovalPolicy which allows the user to specify a removal policy for the DnsValidatedCertificate construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the RemovalPolicy is set to retain.

This is also needed to allow for an easier migration from DnsValidatedCertificate -> Certificate

reroll of aws#22040
This has the same changes as aws#22040 with the addition of some logic to handle only processing updates for certain parameters. If `RemovalPolicy` is changed for example, the update will not be processed.

I also added an integration test with some manual instructions. In order to test ACM certificates I also updated the integ-runner to handle some additional special env variables.

fixes aws#20649, fixes aws#14519


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager bug This issue is a bug. documentation This is a problem with documentation. effort/small Small work item – less than a day of effort p2
Projects
None yet
6 participants