CloudFormation AWS::CertificateManager::Certificate automated certificate validation

According to the AWS docs here and here, I should be able to automate certificate creation and validation using CloudFormation. Apparently when you specify a HostedZoneId in the DomainValidationOptions, it is supposed to create the required DNS record to complete the validation (at least that is what it seems from the very vague documentation). My CF template for the cert looks like this:

Resources:
  MyAPICert:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: xxxx.dev.mydomain.io
      DomainValidationOptions:
        - DomainName: mydomain.io
          HostedZoneId: /hostedzone/Z03XXXXXXXXXXXX
      ValidationMethod: DNS

'mydomain.io' (changed of course) was registered using AWS as registrar as the documents say must be the case for automated validation to work.

This template above is included in a serverless.yml as a resource. However, when I deploy, the stack creation is just stuck waiting for the DNS record - i.e. it does not add the required CNAME entry as I understand it is supposed to do and as such the stack is stuck.

Has anyone gotten this feature to work?

And, yes, I know about the 3rd party custom resources that try to do the same thing, I don't want to use them if CF is supposed to do this natively now.

asked by N8P, Jul 16 '20 14:07



2 Answers

I hit the same issue. You need to specify the full domain name including the host in the DomainValidationOptions DomainName parameter, and just specify the hosted zone id:

Resources:
  MyAPICert:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: xxxx.dev.mydomain.io
      DomainValidationOptions:
        - DomainName: xxxx.dev.mydomain.io
          HostedZoneId: Z03XXXXXXXXXXXX
      ValidationMethod: DNS

In my testing, the Route53 validation record was added about a minute after running the stack, and the domain successfully validated itself after about 15 minutes.

answered by X-Guardian, Sep 18 '22 20:09


If this is stuck in progress for a long time, it could be that you are using a Private Hosted Zone when you need to use the Public one. Probably you don't use a private CA. That process should take 2-3 minutes, not more than that.

answered by Tamir Rosenberg, Sep 16 '22 20:09
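The two answers above describe three ways this resource silently stalls: the DomainValidationOptions DomainName not matching the certificate's DomainName, a HostedZoneId carrying the `/hostedzone/` path prefix that Route 53 APIs return, and a private hosted zone that ACM cannot read. The following is an added example written for this thread (it is not code from the question, the answers or AWS) that checks a template for all three before deployment, so the stack never gets stuck waiting for a CNAME. It assumes the template has already been loaded from YAML into a plain dict (any YAML library will do that; the two templates below are constructed copies of the ones in the thread), that the hosted zone ID regex is a reasonable shape check rather than an AWS-published one, and that the optional `public_zone_ids` set is supplied by the operator from their own Route 53 account.

```python
"""Offline pre-deploy check for the ACM DomainValidationOptions pitfalls in this thread.

Added example; not code from the question, the answers or AWS. The template is the
dict CloudFormation would build from the YAML, so this runs without credentials.
"""
import re

# Assumed shape check: Route 53 hosted zone IDs are uppercase alphanumerics that
# start with Z (e.g. Z2FDTNDATAQYW2). The thread's placeholder Z03XXXXXXXXXXXX fits.
HOSTED_ZONE_ID_RE = re.compile(r"^Z[0-9A-Z]{3,31}$")
CERT_TYPE = "AWS::CertificateManager::Certificate"


def bare_hosted_zone_id(zone_id):
    """Route 53 APIs return '/hostedzone/Z...'; DomainValidationOptions wants just 'Z...'."""
    return zone_id.rsplit("/", 1)[-1]


def check_certificate(resource, public_zone_ids=None):
    """Return a list of human-readable findings for one certificate resource.

    public_zone_ids (optional, operator-supplied): hosted zone IDs known to be
    public. When given, an option pointing at any other zone is flagged, which
    catches the private-zone mistake from the second answer.
    """
    findings = []
    props = resource.get("Properties", {})
    if props.get("ValidationMethod") != "DNS":
        return findings  # automatic record creation only applies to DNS validation
    cert_name = props["DomainName"]
    on_cert = {cert_name, *props.get("SubjectAlternativeNames", [])}
    option_names = set()
    for opt in props.get("DomainValidationOptions", []):
        name = opt.get("DomainName", "")
        option_names.add(name)
        if name not in on_cert:
            findings.append(
                f"option '{name}' matches neither DomainName nor any SubjectAlternativeName; "
                "CloudFormation will not create a validation record for it")
        zone = opt.get("HostedZoneId")
        if zone is None:
            findings.append(f"option '{name}' has no HostedZoneId, so no Route 53 record can be created")
            continue
        if zone.startswith("/hostedzone/"):
            findings.append(
                f"option '{name}': HostedZoneId '{zone}' carries the API path prefix; "
                f"use the bare ID '{bare_hosted_zone_id(zone)}'")
        elif not HOSTED_ZONE_ID_RE.match(zone):
            findings.append(f"option '{name}': '{zone}' does not look like a hosted zone ID")
        if public_zone_ids is not None and bare_hosted_zone_id(zone) not in public_zone_ids:
            findings.append(
                f"option '{name}': zone '{zone}' is not a known public hosted zone; "
                "ACM cannot see records in a private zone")
    if cert_name not in option_names:
        findings.append(
            f"DomainName '{cert_name}' has no matching DomainValidationOptions entry; "
            "the stack will wait for a CNAME that nobody creates")
    return findings


def check_template(template, public_zone_ids=None):
    """Map each certificate logical ID in a template dict to its findings."""
    return {
        logical_id: check_certificate(res, public_zone_ids)
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == CERT_TYPE
    }


def _cert_template(option_name, zone_id):
    """Constructed sample: the thread's template as a dict, parameterised on the two fields."""
    return {"Resources": {"MyAPICert": {
        "Type": CERT_TYPE,
        "Properties": {
            "DomainName": "xxxx.dev.mydomain.io",
            "DomainValidationOptions": [{"DomainName": option_name, "HostedZoneId": zone_id}],
            "ValidationMethod": "DNS",
        }}}}


BROKEN_TEMPLATE = _cert_template("mydomain.io", "/hostedzone/Z03XXXXXXXXXXXX")  # the question
FIXED_TEMPLATE = _cert_template("xxxx.dev.mydomain.io", "Z03XXXXXXXXXXXX")    # the accepted fix

if __name__ == "__main__":
    for label, tpl in (("question", BROKEN_TEMPLATE), ("answer", FIXED_TEMPLATE)):
        for logical_id, findings in check_template(tpl).items():
            print(f"[{label}] {logical_id}: {'OK' if not findings else ''}")
            for f in findings:
                print("  -", f)
```

Run it on the two constructed templates and the question's version yields three findings (unmatched option name, prefixed zone ID, and the certificate's own DomainName lacking an entry) while the answer's version yields none; pass `public_zone_ids` from `aws route53 list-hosted-zones` output filtered on `Config.PrivateZone == false` to add the private-zone check.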