CDK: Certificate Handling with Custom Resources

I wrote this post originally for the 56K.Cloud Blog. You can find the original blog here.

In a recent project, we helped our customer to migrate the websites of all their customers to AWS. It was clear from the beginning to use the concept of Infrastructure as Code. Yet, it wasn’t so clear, which tool to use. After some evaluation, we decided to use CDK with Typescript. This played into their existing stack. As they already use Typescript for the websites and other toolings.

The AWS Cloud Development Kit (AWS CDK) is the Infrastructure of Code (IaC) solution from AWS. With this solution, we were able to address almost all the use cases and problems we faced. Yet, there was one problem, that took us some time to overcome. And it was about bridging the gap between AWS and third-party services.

The Problem: Certificate Validation

Our customer develops and hosts the websites for many companies. Thus, they have to ensure that the websites have the correct certificates for all their customers. We decided to use the AWS Certificate Manager (ACM) to handle the certificates. Yet, the problem with that was, that ACM only allows the following two methods for validation:

For automation, the DNS validation method is the best. On top, it also plays together with Amazon Route53. Yet, in our case, we weren’t able to use Route53 for the customer domains. But we had instead to send the DNS entries to the customer so that someone can add them to their DNS system. Luckily, the entries you need to add to the DNS, won’t change if you recreate the certificate.

Scenarios like these, are always the reason why things can take longer, especially when you focus on automation. And it also shows the power of each IaC tool, as edge cases like this, show the strength and weaknesses.

The AWS Certificate Manager Construct Library provides you with the possibility to create certificates using CDK. Yet, cdk deploy fails when the certificate can’t be validated. And you don’t want to set the cdk timeout to 72 hours. The certificate validation times out after 72 hours, after which you need to request a new certificate.

So we had to come up with another solution. Luckily, there are AWS CDK Custom Resources that allowed us to solve this problem.

The Solution: AWS CDK Custom Resources

AWS CDK Custom Resources provides the interfaces, to create, update and delete custom resources. In our case, we used the AwsCustomResource class, which talks to the AWS API. This allows the creation of certificates without failure. You can see the code for this below.

As you can see the above code only has the onCreate and the onDelete method defined, and not the onUpdate method. The reason for this is, that you cannot update existing certificates.

The second problem we faced was how to reference the created resource. I could only find examples online where the key get’s passed into the custom resource. But I couldn’t find an example where the resource needs to be referenced by the ARN. And it took me quite a while to figure out how you can reference the resource in the onDelete call. In the end, I figured out that you can use new PhysicalResourceIdReference(). This returns the ARN and allows the deletion of the correct certificate.

This is a recurring theme, of working in IT. The solution looks so simple. Yet, the journey it took to get there, was not simple at all.

A huge shout-out to the AWS Community Builders group, which helped me to find this solution. The tips from Martin Müller led me in the right direction. Otherwise, I would have spent multiple hours trying to find this solution. If you want to learn more from Martin head over to his blog: https://martinmueller.dev.

More information

For more information about the topic, you can head over to the following links: