CDK: Certificate Handling with Custom Resources
In a recent project, we helped our customer migrate the websites of all their customers to AWS. It was clear from the beginning that we would use Infrastructure as Code; it wasn't so clear which tool to use. After some evaluation, we decided to use CDK with TypeScript. This fit their existing stack, as they already use TypeScript for the websites and other tooling.
The AWS Cloud Development Kit (AWS CDK) is the Infrastructure as Code (IaC) solution from AWS. With it, we were able to address almost all the use cases and problems we faced. Yet, there was one problem that took us some time to overcome, and it was about bridging the gap between AWS and third-party services.
The Problem: Certificate Validation
Our customer develops and hosts the websites for many companies. Thus, they have to ensure that the websites have the correct certificates for all their customers. We decided to use the AWS Certificate Manager (ACM) to handle the certificates. The problem with that was that ACM only allows the following two methods for validation:
For automation, the DNS validation method is the best, and it also plays well together with Amazon Route 53. In our case, however, we weren't able to use Route 53 for the customer domains. Instead, we had to send the DNS entries to the customer so that someone could add them to their DNS system. Luckily, the entries you need to add to the DNS won't change if you recreate the certificate.
Scenarios like these are always the reason why things take longer, especially when you focus on automation. They also show the power of each IaC tool, as edge cases like this reveal its strengths and weaknesses.
The AWS Certificate Manager Construct provides you with the possibility to create certificates using CDK. Yet, it fails when the certificate can't be validated, and you don't want to set the CDK timeout to 72 hours. The certificate validation times out after 72 hours, after which you need to request a new certificate.
So we had to come up with another solution. Luckily, there are AWS CDK Custom Resources, which allowed us to solve this problem.
The Solution: AWS CDK Custom Resources
AWS CDK Custom Resources provide the interfaces to create, update and delete custom resources. In our case, we used the AwsCustomResource class, which talks to the AWS API. This allows the creation of certificates without failure. You can see the code for
As you can see, the above code only has the onCreate and the onDelete methods defined, and not the onUpdate method. The reason for this is that you cannot update existing certificates.
The second problem we faced was how to reference the created resource. I could only find examples online where the key gets passed into the custom resource. But I couldn't find an example where the resource needs to be referenced by the ARN. And it took me quite a while to figure out how you can reference the resource in the onDelete call. In the end, I figured out that you can use new PhysicalResourceIdReference(). This returns the ARN and allows the deletion of the correct certificate.
This is a recurring theme of working in IT: the solution looks so simple, yet the journey to get there was not simple at all.
A huge shout-out to the AWS Community Builders group, which helped me to find this solution. The tips from Martin Müller led me in the right direction. Otherwise, I would have spent multiple hours trying to find this solution. If you want to learn more from Martin head over to his blog: https://martinmueller.dev.
For more information about the topic, you can head over to the following links: