aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::CertificateManager::Certificate (Resource timeout) #130

Open farski opened 4 years ago

farski commented 4 years ago

2. Scope of request

Currently, ACM certificate resources seem to have a ~12 hour timeout. This causes stack operations to fail if the certificate is not validated within that 12 hour window.

3. Expected behavior

When creating ACM certificates through the Console or other methods, the certificates will remain in the Pending validation state indefinitely. This is the ideal behavior, especially with DNS validation, since there are cases where it can take several days for the validation DNS records to be communicated to the correct people and deployed. This is particularly true when the certificates are being created on behalf of a third party.

Based on the CloudFormation documentation:

> By default, there is no timeout for stack creation. However, individual resources may have their own timeouts based on the nature of the service they implement.

This would seem like a situation where the resource would not have a timeout, given the nature of the certificate validation process.

6. Category (required) - Will help with tagging and be easier to find by other users to +1

  1. Security (IAM, KMS...)

7. Any additional context (optional)

Here is an example of the event log for a stack that created an ACM certificate that went unvalidated for a number of hours:

[Screenshot: Screen-Shot-2019-08-17-at-8 16 28-AM]

PatMyron commented 4 years ago

See https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/229#issuecomment-566647257 for the discussion around why there will be some timeout for the foreseeable future

sknzl commented 3 years ago

This is an unexpected behaviour, since the ACM documentation indicates a 72h timeout.

adriangabardo commented 2 months ago

> This is an unexpected behaviour, since the ACM documentation indicates a 72h timeout.

> Currently, ACM certificate resources seem to have a ~12 hour timeout.

That 72h is not the issue, and as @sknzl mentioned, ACM documentation mentions 72h, not 12h. The issue here is CloudFormation auth tokens expire after 12h. It's CloudFormation timing out because of auth that is the issue, not ACM timing out. Any long-running operation should run into the same issue, e.g., #229 already mentioned above.

Side note: I haven't run into this issue or verified the above timeout values, just giving some more info on this issue in general for note-keeping's sake 😄