
Amazon Certificate Manager (ACM) Module


Overview

A small module/service (Python) that can:

  1. Request or reuse an ACM certificate for:
  • a primary domain (e.g. archivium.ca)
  • optional SANs (e.g. www.archivium.ca, dev.archivium.ca, *.dev.archivium.ca)
  2. Automatically create/UPSERT the Route53 validation records in the correct hosted zone(s)
  3. Wait until issued (or return quickly if you prefer async later)
  4. Return the certificate ARN (and optionally status/metadata)

Design Considerations

Region Matters

  • CloudFront: we will want these certificates to be provisioned in us-east-1 (this is a CloudFront requirement)
  • Other services require that certs are generated in the same region as the service

Requirement: Certificate provisioning should default to the local region, but the region can be overridden for services like CloudFront.

Hosted Zone Matching

We need to be careful about which hosted zone we are provisioning records in, especially when dealing with a four-part domain name. For example, www.dev.dxaws.com might belong to the dev.dxaws.com zone or to the dxaws.com zone.

Requirement: We should implement: “pick the most specific public hosted zone whose name is a suffix of the record name”

DNS Validation Records

DNS validation records can take a bit of time to be set up and confirmed.

Right after request_certificate, describe_certificate() often returns DomainValidationOptions but sometimes the ResourceRecord isn’t immediately present. So we need a small poll loop until we can extract the CNAME(s).

Requirement: We should implement a small polling loop to wait for DNS validation records to be created.
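The zone-matching rule from Hosted Zone Matching and the "ResourceRecord may not be there yet" behaviour from this section, as an added example (not the module's own code). Route53 and ACM are not called: ZONES and CERT are constructed samples shaped like the boto3 ListHostedZones and DescribeCertificate responses, so the logic runs offline.

```python
def normalize(name: str) -> str:
    """Route53 zone names carry a trailing dot; compare case-insensitively without it."""
    return name.rstrip(".").lower()

def pick_hosted_zone(record_name: str, zones: list[dict]):
    """Most specific public hosted zone whose name is a suffix of record_name.
    zones: items shaped like ListHostedZones()['HostedZones']. Matching is on a
    label boundary, so a zone 'xaws.com' never matches 'www.dxaws.com'."""
    record = normalize(record_name)
    best = None
    for zone in zones:
        if zone.get("Config", {}).get("PrivateZone", False):
            continue  # ACM must be able to resolve the validation CNAME publicly
        zone_name = normalize(zone["Name"])
        if record != zone_name and not record.endswith("." + zone_name):
            continue
        if best is None or zone_name.count(".") > normalize(best["Name"]).count("."):
            best = zone
    return best

def validation_change_batches(cert: dict, zones: list[dict]) -> dict:
    """Group the validation CNAMEs ACM has published so far into per-zone UPSERT changes.
    cert: DescribeCertificate()['Certificate']. Options with no ResourceRecord yet are
    skipped; the poll loop re-calls this until every DomainValidationOption has one."""
    batches: dict[str, list[dict]] = {}
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if not rr:
            continue
        zone = pick_hosted_zone(rr["Name"], zones)
        if zone is None:
            raise LookupError(f"no public hosted zone covers {rr['Name']}")
        change = {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": 300,
            "ResourceRecords": [{"Value": rr["Value"]}]}}
        batches.setdefault(zone["Id"], []).append(change)
    return batches

# Constructed samples shaped like the boto3 responses (zone ids and tokens are made up).
ZONES = [
    {"Id": "/hostedzone/ZAPEX", "Name": "dxaws.com.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZDEV", "Name": "dev.dxaws.com.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZPRIV", "Name": "www.dev.dxaws.com.", "Config": {"PrivateZone": True}},
]
CERT = {"DomainValidationOptions": [
    {"DomainName": "dxaws.com", "ResourceRecord": {"Name": "_abc.dxaws.com.",
        "Type": "CNAME", "Value": "_abc.acm-validations.aws."}},
    {"DomainName": "www.dev.dxaws.com", "ResourceRecord": {"Name": "_def.www.dev.dxaws.com.",
        "Type": "CNAME", "Value": "_def.acm-validations.aws."}},
    {"DomainName": "dev.dxaws.com"},  # ResourceRecord not present yet: re-poll
]}
```

Each batch maps directly onto one ChangeResourceRecordSets call against that zone, which is also where a cross-account role would be assumed.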

Idempotency

Pretty straightforward logic here. If the certificate exists and is ISSUED (or PENDING_VALIDATION), reuse it. Otherwise, create a new one.

Also: RequestCertificate supports an IdempotencyToken (32 chars max). Use it.

Multi-account

There is a good chance that the DNS hosted zone will be in a different account from the one where the certificate is being requested. In this case we will need a role in the DNS account with:

  • route53:ChangeResourceRecordSets
  • and maybe ListHostedZonesByName / ListResourceRecordSets

Certificate Issuance

This can take a few minutes so we will have to provide a way to monitor the status.