aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws-certificatemanager): Ref intrinsic function should be used to implement attrId in the generated CfnCertificate construct instead of GetAtt #30650

Closed moelasmar closed 2 months ago

moelasmar commented 3 months ago

Describe the bug

In the generated CfnCertificate L1 construct, the GetAtt intrinsic function is used to implement the attrId property, although as per the CFN docs, there is no support for GetAtt for this resource; see here

this.attrId = cdk.Token.asString(this.getAtt("Id", cdk.ResolutionTypeHint.STRING));

Expected Behavior

I can use attrId without getting an error.

Current Behavior

When I use cfnCertificate.attrId in my CDK implementation and then try to deploy, I get the following exception:

Deployment XXXXX failed because Couldn't call cloudformation for target XXXXXX because of a validation error. The error was Template error: resource DNSCertificate does not support attribute type Id in Fn::GetAtt (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; 

Reproduction Steps

const vpc = new Vpc(this, 'VPC', {
    cidr: '10.0.0.0/16',
    enableDnsHostnames: true,
    enableDnsSupport: true,
    maxAzs: props.maxAZs,
    defaultInstanceTenancy: DefaultInstanceTenancy.DEFAULT,
    subnetConfiguration: [
        {
            name: 'public-subnet-1',
            subnetType: SubnetType.PUBLIC,
            cidrMask: 20
        }
    ]
});

const securityGroup = new SecurityGroup(this, 'SecurityGroup', {
    vpc: vpc
});

this.loadBalancer = new ApplicationLoadBalancer(this, 'LB', {
    vpc: vpc,
    securityGroup: securityGroup,
    internetFacing: true
});

const cfnCertificate = new CfnCertificate(this, 'DNSCertificate', {
    domainName: domainName,
    validationMethod: 'DNS',
    domainValidationOptions: [
        {
            domainName: domainName,
            hostedZoneId: hostedZone.hostedZoneId
        }
    ]
});
// attrId resolves to Fn::GetAtt ["DNSCertificate", "Id"], which fails at deploy time
const certificate = ListenerCertificate.fromArn(cfnCertificate.attrId);

const listener = this.loadBalancer.addListener('HttpsListener', {
    protocol: ApplicationProtocol.HTTPS,
    port: 443,
    certificates: [certificate],
    sslPolicy: SslPolicy.RECOMMENDED
});

Possible Solution

attrId property should be implemented using the Ref function.

Workaround:

The workaround is to use cfnCertificate.Ref instead of cfnCertificate.attrId

Additional Information/Context

No response

CDK CLI Version

2.147.0

Framework Version

No response

Node.js Version

22

OS

all

Language

TypeScript, Python, .NET, Java, Go

Language Version

No response

Other information

No response
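
A pre-deploy check for the failure reported above, as an added example that is not part of the original issue or of aws-cdk: it walks a synthesized CloudFormation template, reports every `Fn::GetAtt` that requests `Id` from an `AWS::CertificateManager::Certificate` resource, and returns a copy that uses `Ref` instead. The function names and the sample template (including the `HttpsListener` logical ID) are constructed for illustration.

```typescript
// Added example (not aws-cdk code): find Fn::GetAtt [<certificate>, "Id"] before deploying.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
type JsonObject = { [key: string]: Json };

const CERT_TYPE = 'AWS::CertificateManager::Certificate';

const isObject = (v: Json | undefined): v is JsonObject =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Fn::GetAtt accepts ["LogicalId", "Attr"] or the short string "LogicalId.Attr".
function parseGetAtt(arg: Json | undefined): [string, string] | undefined {
  if (Array.isArray(arg)) {
    const id = arg[0], attr = arg[1];
    return arg.length === 2 && typeof id === 'string' && typeof attr === 'string' ? [id, attr] : undefined;
  }
  if (typeof arg !== 'string' || arg.indexOf('.') < 0) return undefined;
  return [arg.slice(0, arg.indexOf('.')), arg.slice(arg.indexOf('.') + 1)];
}

// Walks the template, records the path of each Fn::GetAtt that asks a
// certificate for "Id", and returns a copy with those replaced by Ref.
function replaceCertIdGetAtt(template: JsonObject): { hits: string[]; fixed: JsonObject } {
  const res = template['Resources'];
  const resources: JsonObject = isObject(res) ? res : {};
  const hits: string[] = [];
  const visit = (node: Json, path: string): Json => {
    if (Array.isArray(node)) return node.map((child, i) => visit(child, path + '[' + i + ']'));
    if (!isObject(node)) return node;
    const obj: JsonObject = node;
    const ref = parseGetAtt(obj['Fn::GetAtt']);
    const target = ref ? resources[ref[0]] : undefined;
    if (ref && ref[1] === 'Id' && isObject(target) && target['Type'] === CERT_TYPE) {
      hits.push(path);
      return { Ref: ref[0] }; // Ref on a certificate returns its ARN
    }
    const copy: JsonObject = {};
    Object.keys(obj).forEach((key) => { copy[key] = visit(obj[key], path + '.' + key); });
    return copy;
  };
  const fixed = visit(template, '$');
  return { hits, fixed: isObject(fixed) ? fixed : {} };
}

// Constructed sample, modelled on the stack in this issue (trimmed, not real synth output).
const sampleTemplate: JsonObject = { Resources: {
  DNSCertificate: { Type: CERT_TYPE, Properties: { DomainName: 'example.com', ValidationMethod: 'DNS' } },
  HttpsListener: { Type: 'AWS::ElasticLoadBalancingV2::Listener', Properties: {
    Port: 443, Certificates: [{ CertificateArn: { 'Fn::GetAtt': ['DNSCertificate', 'Id'] } }] } },
} };
```

Running `replaceCertIdGetAtt` over the JSON in `cdk.out` and failing the build when `hits` is non-empty surfaces the problem before CloudFormation rejects the template.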

khushail commented 3 months ago

Hey @moelasmar, thanks for reporting this.

I found that this issue is quite similar to the one you have reported, and @pahud has also filed an internal ticket with the CloudFormation team - https://github.com/aws/aws-cdk/issues/30512#issuecomment-2166432024. However, if you think this issue is not addressed or is different from the one in the mentioned internal ticket, please feel free to reach out.

github-actions[bot] commented 3 months ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

aws-cdk-automation commented 2 months ago

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.