Closed rrrix closed 2 years ago
@rrrix The same mistake happened to me some time ago.
Does the zone for your apex domain example.com have an NS record for your subdomain foo.example.com (see docs)?
In my case, I forgot to add the NS record to the apex domain. After I added the NS record, all went well. I don't know if that was causing the problem, but it kinda makes sense.
Error handling could be improved though ;)
Forget what I said. I just experienced the same error again while moving my stacks to another region. The first deploy failed, the second succeeded.
me@Me-MBP cdk % yarn cdk deploy DnsStackProd
yarn run v1.22.4
$ cdk deploy DnsStackProd
🚀 Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForReading
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:
IAM Statement Changes
┌───┬─────────────────────────────────┬────────┬─────────────────────────────────┬──────────────────────────────────┬───────────┐
│ │ Resource │ Effect │ Action │ Principal │ Condition │
├───┼─────────────────────────────────┼────────┼─────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${Certificate/CertificateReques │ Allow │ sts:AssumeRole │ Service:lambda.amazonaws.com │ │
│ │ torFunction/ServiceRole.Arn} │ │ │ │ │
├───┼─────────────────────────────────┼────────┼─────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ * │ Allow │ acm:DeleteCertificate │ AWS:${Certificate/CertificateReq │ │
│ │ │ │ acm:DescribeCertificate │ uestorFunction/ServiceRole} │ │
│ │ │ │ acm:RequestCertificate │ │ │
│ + │ * │ Allow │ route53:GetChange │ AWS:${Certificate/CertificateReq │ │
│ │ │ │ │ uestorFunction/ServiceRole} │ │
├───┼─────────────────────────────────┼────────┼─────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ arn:${AWS::Partition}:route53:: │ Allow │ route53:changeResourceRecordSet │ AWS:${Certificate/CertificateReq │ │
│ │ :hostedzone/ZXXX │ │ s │ uestorFunction/ServiceRole} │ │
│ │ H │ │ │ │ │
└───┴─────────────────────────────────┴────────┴─────────────────────────────────┴──────────────────────────────────┴───────────┘
IAM Policy Changes
┌───┬─────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│ │ Resource │ Managed Policy ARN │
├───┼─────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ + │ ${Certificate/CertificateRequestorFunction/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambd │
│ │ │ aBasicExecutionRole │
└───┴─────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
Do you wish to deploy these changes (y/n)? y
DnsStackProd: deploying...
🚀 Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForWriting
[0%] start: Publishing 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
[100%] success: Published 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
DnsStackProd: creating CloudFormation changeset...
0/6 | 00:27:51 | CREATE_IN_PROGRESS | AWS::IAM::Role | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA)
0/6 | 00:27:51 | CREATE_IN_PROGRESS | AWS::IAM::Role | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) Resource creation Initiated
0/6 | 00:27:56 | CREATE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata
0/6 | 00:27:57 | CREATE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata Resource creation Initiated
1/6 | 00:27:57 | CREATE_COMPLETE | AWS::CDK::Metadata | CDKMetadata
2/6 | 00:28:05 | CREATE_COMPLETE | AWS::IAM::Role | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA)
2/6 | 00:28:07 | CREATE_IN_PROGRESS | AWS::IAM::Policy | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC)
2/6 | 00:28:08 | CREATE_IN_PROGRESS | AWS::IAM::Policy | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) Resource creation Initiated
3/6 | 00:28:22 | CREATE_COMPLETE | AWS::IAM::Policy | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC)
3/6 | 00:28:24 | CREATE_IN_PROGRESS | AWS::Lambda::Function | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413)
3/6 | 00:28:24 | CREATE_IN_PROGRESS | AWS::Lambda::Function | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) Resource creation Initiated
4/6 | 00:28:25 | CREATE_COMPLETE | AWS::Lambda::Function | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413)
4/6 | 00:28:26 | CREATE_IN_PROGRESS | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7)
4/6 | 00:28:34 | CREATE_IN_PROGRESS | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) Resource creation Initiated
5/6 | 00:28:35 | CREATE_FAILED | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) Failed to create resource. Cannot read property 'Name' of undefined
new CustomResource (/Users/me/Documents/Detelling/cdk/node_modules/@aws-cdk/core/lib/custom-resource.ts:115:21)
\_ new DnsValidatedCertificate (/Users/me/Documents/Detelling/cdk/node_modules/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts:96:25)
\_ new DnsStack (/Users/me/Documents/Detelling/cdk/lib/stacks/dns.ts:28:25)
\_ Object.<anonymous> (/Users/me/Documents/Detelling/cdk/bin/cdk.ts:20:22)
\_ Module._compile (internal/modules/cjs/loader.js:1158:30)
\_ Module.m._compile (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/index.ts:858:23)
\_ Module._extensions..js (internal/modules/cjs/loader.js:1178:10)
\_ Object.require.extensions.<computed> [as .ts] (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/index.ts:861:12)
\_ Module.load (internal/modules/cjs/loader.js:1002:32)
\_ Function.Module._load (internal/modules/cjs/loader.js:901:14)
\_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
\_ main (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/bin.ts:227:14)
\_ Object.<anonymous> (/Users/me/Documents/Detelling/cdk/node_modules/ts-node/src/bin.ts:513:3)
\_ Module._compile (internal/modules/cjs/loader.js:1158:30)
\_ Object.Module._extensions..js (internal/modules/cjs/loader.js:1178:10)
\_ Module.load (internal/modules/cjs/loader.js:1002:32)
\_ Function.Module._load (internal/modules/cjs/loader.js:901:14)
\_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
\_ /Users/me/.nvm/versions/node/v12.16.1/lib/node_modules/npm/node_modules/libnpx/index.js:268:14
5/6 | 00:28:35 | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack | DnsStackProd The following resource(s) failed to create: [CertificateCertificateRequestorResource2890C6B7]. . Rollback requested by user.
5/6 | 00:29:04 | DELETE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata
5/6 | 00:29:04 | DELETE_IN_PROGRESS | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7)
6/6 | 00:29:04 | DELETE_COMPLETE | AWS::CDK::Metadata | CDKMetadata
7/6 | 00:29:06 | DELETE_COMPLETE | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7)
7/6 | 00:29:06 | DELETE_IN_PROGRESS | AWS::Lambda::Function | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413)
8/6 | 00:29:07 | DELETE_COMPLETE | AWS::Lambda::Function | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413)
8/6 | 00:29:07 | DELETE_IN_PROGRESS | AWS::IAM::Policy | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC)
9/6 | 00:29:08 | DELETE_COMPLETE | AWS::IAM::Policy | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC)
9/6 | 00:29:08 | DELETE_IN_PROGRESS | AWS::IAM::Role | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA)
10/6 | 00:29:09 | DELETE_COMPLETE | AWS::IAM::Role | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA)
❌ DnsStackProd failed: Error: The stack named DnsStackProd failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
at /Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/api/util/cloudformation.ts:254:13
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at waitFor (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/api/util/cloudformation.ts:166:20)
at Object.deployStack (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/api/deploy-stack.ts:252:26)
at CdkToolkit.deploy (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:181:24)
at main (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/bin/cdk.ts:250:16)
at initCommandLine (/Users/me/Documents/Detelling/cdk/node_modules/aws-cdk/bin/cdk.ts:183:9)
The stack named DnsStackProd failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
me@Me-MBP cdk % yarn cdk deploy DnsStackProd
yarn run v1.22.4
$ cdk deploy DnsStackProd
🚀 Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForReading
DnsStackProd: deploying...
🚀 Using profile 123456789012_AWSAdministratorAccess for account 123456789012 in mode ForWriting
[0%] start: Publishing 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
[100%] success: Published 19e461d2ff1a5b90438fed6ceee4c197d7efee8712a6f76d85b501ab20bfb1a2:current
DnsStackProd: creating CloudFormation changeset...
0/6 | 00:34:03 | CREATE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata
0/6 | 00:34:03 | CREATE_IN_PROGRESS | AWS::IAM::Role | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA)
0/6 | 00:34:03 | CREATE_IN_PROGRESS | AWS::IAM::Role | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA) Resource creation Initiated
0/6 | 00:34:04 | CREATE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata Resource creation Initiated
1/6 | 00:34:04 | CREATE_COMPLETE | AWS::CDK::Metadata | CDKMetadata
2/6 | 00:34:18 | CREATE_COMPLETE | AWS::IAM::Role | Certificate/CertificateRequestorFunction/ServiceRole (CertificateCertificateRequestorFunctionServiceRoleC04C13DA)
2/6 | 00:34:19 | CREATE_IN_PROGRESS | AWS::IAM::Policy | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC)
2/6 | 00:34:20 | CREATE_IN_PROGRESS | AWS::IAM::Policy | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC) Resource creation Initiated
3/6 | 00:34:34 | CREATE_COMPLETE | AWS::IAM::Policy | Certificate/CertificateRequestorFunction/ServiceRole/DefaultPolicy (CertificateCertificateRequestorFunctionServiceRoleDefaultPolicy3C8845BC)
3/6 | 00:34:35 | CREATE_IN_PROGRESS | AWS::Lambda::Function | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413)
3/6 | 00:34:36 | CREATE_IN_PROGRESS | AWS::Lambda::Function | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413) Resource creation Initiated
4/6 | 00:34:36 | CREATE_COMPLETE | AWS::Lambda::Function | Certificate/CertificateRequestorFunction (CertificateCertificateRequestorFunction5E845413)
4/6 | 00:34:38 | CREATE_IN_PROGRESS | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7)
4/6 Currently in progress: CertificateCertificateRequestorResource2890C6B7
4/6 | 00:39:25 | CREATE_IN_PROGRESS | AWS::CloudFormation::CustomResource | Certificate/CertificateRequestorResource/Default (CertificateCertificateRequestorResource2890C6B7) Resource creation Initiated
✅ DnsStackProd
Since my app is importing the hosted zone, NS records were definitely present.
I removed (commented out) the subjectAlternativeNames, redeployed, and everything deployed without errors on the first try. This obviously isn't a 'fix', since I need those SANs, but just an interesting observation. I'll try and keep debugging.
import * as route53 from '@aws-cdk/aws-route53';
import * as acm from '@aws-cdk/aws-certificatemanager';

// Import the existing hosted zone for the subdomain (looked up, not created here)
const hostedZone = route53.HostedZone.fromLookup(scope, 'HostedZone', {
  domainName: 'foo.example.com',
});
// DNS-validated certificate; the SANs are commented out as the workaround described above
const sslCertificate = new acm.DnsValidatedCertificate(this, 'sslCert', {
  domainName: 'foo.example.com',
  // subjectAlternativeNames: [`*.foo.example.com`, `*.ecs.foo.example.com`],
  hostedZone,
});
I'm getting this too but intermittently. Have just run the same stack two times: the first time it failed, then I reran it and it worked. Happened a couple of times yesterday too. Was doing the same thing in Python with CDK 1.31 before and never had this problem with multiple deployments; now I've had it 3/6 times. Now on 1.44 JS I'm getting this issue.
My current stack (with right values passed in) is essentially:
const route53 = require('@aws-cdk/aws-route53');
const certificatemanager = require('@aws-cdk/aws-certificatemanager');

// Import the existing hosted zone by name and id (no lookup at synth time)
const hostedZone = route53.HostedZone.fromHostedZoneAttributes(
  this,
  'MainHostLookup',
  {
    zoneName: hostedDomainUrl,
    hostedZoneId: hostedZoneId,
  },
);
// DNS-validated certificate requested in us-east-1 with a wildcard SAN
new certificatemanager.DnsValidatedCertificate(
  this,
  'EnvironmentCertificate',
  {
    hostedZone: hostedZone,
    domainName: hostedDomainUrl,
    region: 'us-east-1',
    subjectAlternativeNames: [`*.${hostedDomainUrl}`],
    validationMethod: certificatemanager.ValidationMethod.DNS,
  },
);
The Python one previously that always worked (I've rewritten in JS for various reasons):
from aws_cdk import aws_certificatemanager as certificatemanager
from aws_cdk import aws_route53 as route53

# Import the existing hosted zone by name and id (no lookup at synth time)
hosted_zone = route53.HostedZone.from_hosted_zone_attributes(
    self,
    "MainHostLookup",
    zone_name=hosted_domain_url,
    hosted_zone_id=hosted_zone_id,
)
# DNS-validated certificate requested in us-east-1 with a wildcard SAN
self.certificate = certificatemanager.DnsValidatedCertificate(
    self,
    "EnvironmentCertificate",
    hosted_zone=hosted_zone,
    domain_name=hosted_domain_url,
    region="us-east-1",
    subject_alternative_names=[f"*.{hosted_domain_url}"],
    validation_method=certificatemanager.ValidationMethod.DNS,
)
Could be Python vs JS or more likely v 1.31 to 1.44 I'm guessing or it could even be CloudFormation/AWS changes since April when I was last running this.
Note it created the certificates successfully in AWS whether this stack passes or not but the CloudFormation fails when it throws this error. For now my workaround will be to delete the certificate and try again till it works. Also I noticed that it took 7 minutes for the certificate to successfully create on CDK/CloudFormation failure but only a couple of minutes after when it worked successfully.
Hope that makes sense, ping me if any questions by all means.
I did a bit more research on this, and it turns out there are actually two open PRs that aim to fix this:
fix(acm-certificatemanager): DnsValidatedCertificate doesn't wait long enough: #6516
fix(DnsValidatedCertificate): add support for subjectAlternativeNames: #7150
Unfortunately both are getting a bit stale, as both PRs have pending, unfinished changes requested by the CDK Team. I think #6516 looks like the better PR, as it solves the root cause of the problem, rather than creating an arbitrary wait mechanism as #7150 does.
Same as @strottos. The first time it failed and the second run it passed.
CDK version: 1.45.0 (build 0cfab15)
import * as route53 from '@aws-cdk/aws-route53';
import * as certificatemanager from '@aws-cdk/aws-certificatemanager';

// Get hosted zone (domainName and props come from the surrounding stack)
const hostedZone = route53.HostedZone.fromLookup(this, `hosted-zone-${props.envName}`, { domainName });
// Certificate with a wildcard SAN, validated via the hosted zone above
const certificate = new certificatemanager.DnsValidatedCertificate(this, `certificate-${domainName}`, {
  domainName: domainName,
  hostedZone: hostedZone,
  region: props.region,
  subjectAlternativeNames: [`*.${domainName}`],
});
Just curious, for people affected, does it eventually work or does it consistently fail?
For me, it fails consistently if I have 2 or more subjectAlternativeNames. One or none always works.
Either way, supporting native CloudFormation DNS sounds like the best solution so hopefully it is available soon
Here's my custom construct I'm using to use the native CloudFormation AWS::CertificateManager::Certificate with DNS Validation:
// CfnDnsValidatedCertificate.ts
import { Certificate, CertificateProps, ICertificate, ValidationMethod } from '@aws-cdk/aws-certificatemanager';
import { IHostedZone, IPublicHostedZone } from '@aws-cdk/aws-route53';
import { CfnResource, Construct, Resource } from '@aws-cdk/core';

interface CfnDnsValidatedCertificateProps extends CertificateProps {
  hostedZone: IPublicHostedZone;
}

// Wraps the native AWS::CertificateManager::Certificate resource so that
// CloudFormation itself (not a custom-resource Lambda) performs the DNS validation.
export class CfnDnsValidatedCertificate extends Resource implements ICertificate {
  public readonly domainName: string;
  // CertificateProps.subjectAlternativeNames is optional, so this may be undefined
  public readonly subjectAlternativeNames: string[] | undefined;
  public readonly hostedZone: IHostedZone;
  public readonly resource: CfnResource;
  public readonly certificate: ICertificate;
  public readonly certificateArn: string;
  public readonly validationMethod: ValidationMethod = ValidationMethod.DNS;

  constructor(scope: Construct, id: string, props: CfnDnsValidatedCertificateProps) {
    super(scope, id);
    this.domainName = props.domainName;
    this.subjectAlternativeNames = props.subjectAlternativeNames;
    this.hostedZone = props.hostedZone;
    this.resource = new CfnResource(this, 'cfnCertificate', {
      type: 'AWS::CertificateManager::Certificate',
      properties: {
        DomainName: this.domainName,
        SubjectAlternativeNames: this.subjectAlternativeNames,
        ValidationMethod: ValidationMethod.DNS,
        // Tells CloudFormation which hosted zone receives the validation CNAME
        DomainValidationOptions: [
          {
            DomainName: this.domainName,
            HostedZoneId: this.hostedZone.hostedZoneId,
          },
        ],
      },
    });
    // The Ref of the native resource is the certificate ARN
    this.certificateArn = this.resource.ref;
    this.certificate = Certificate.fromCertificateArn(this, 'Resource', this.certificateArn);
  }
}
Use it kinda like this:
import { PublicHostedZone } from '@aws-cdk/aws-route53';

// Look up the zone the certificate names live in
const hostedZone = PublicHostedZone.fromLookup(this, 'hostedZone', {
  domainName: props.envDomainName,
});
// Native CloudFormation certificate validated through that zone
this.certificate = new CfnDnsValidatedCertificate(this, 'certificate', {
  domainName: domainName,
  hostedZone: hostedZone,
});
It's faster, works 100% of the time (with any number of SAN's), cheaper (no Lambda) and has the same great taste of automated DNS Validated ACM Certificates!
This issue should be reopened. I got the same error using DnsValidatedCertificate with v1.61.0 today. I was able to get it working by switching to using Certificate with CertificateValidation.fromDns.
Same problem with 1.61.1. Please reopen
Similar problem with 1.63.0. Thanks @mikestopcontinues for the workaround solution.
From the docs (https://docs.aws.amazon.com/cdk/api/latest/docs/aws-certificatemanager-readme.html) I noticed DnsValidatedCertificate is used only for cross-account validation and all other examples are done with Certificate and CertificateValidation.fromDns().
I'm getting erratic behavior when using DNSValidatedCertificate. I tried to deploy once and got:
DNS Validated Certificate Error: Failed to create resource. Cannot read property 'Name' of undefined
I retried it, and it worked. I'm creating two ACM certificates and two Cloudfront distributions. One with 3 FQDNs and the other one with just 1.
Either way, supporting native Cloud Formation DNS sounds like the best solution so hopefully it is available soon
This has been supported for a while now.
However, DNSValidatedCertificate is still required to define certificates, for example for a CloudFront distribution, since Certificate, which uses the native CloudFormation support, does not provide a way to specify a region.
Furthermore, DNSValidatedCertificate does not support using different super/base domains (multizone validation), which is required to support a single distribution under different domain names (A.com, B.com), for example.
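The custom construct earlier in the thread hard-codes a single DomainValidationOptions entry for the apex, and the comment above notes that DnsValidatedCertificate cannot validate names spread over several zones. As an added example (not the construct from the thread or CDK library code), this builds the native AWS::CertificateManager::Certificate properties with one DomainValidationOptions entry per name, each mapped to the most specific hosted zone that covers it; zone names and ids are constructed placeholders.

```javascript
// Added example (not the page's construct or the CDK library): builds the
// properties of a native AWS::CertificateManager::Certificate when the names
// span several hosted zones, one DomainValidationOptions entry per name. Zone
// names and ids below are constructed placeholders.

// Picks the most specific zone whose name equals the host or is a parent of it
// on a label boundary; a wildcard is matched on the labels after "*.".
function zoneForName(name, zones) {
  const host = (name.startsWith('*.') ? name.slice(2) : name).toLowerCase();
  let best = null;
  for (const zone of zones) {
    const zoneName = zone.zoneName.toLowerCase().replace(/\.$/, '');
    const covers = host === zoneName || host.endsWith('.' + zoneName);
    if (covers && (!best || zoneName.length > best.zoneName.length)) {
      best = { zoneName, hostedZoneId: zone.hostedZoneId };
    }
  }
  return best;
}

// Refuses names that none of the given zones covers, so the template never
// requests a certificate for a name these zones cannot validate.
function buildCertificateProperties(domainName, subjectAlternativeNames, zones) {
  const names = [...new Set([domainName, ...(subjectAlternativeNames || [])])];
  const validationOptions = names.map((name) => {
    const zone = zoneForName(name, zones);
    if (!zone) throw new Error(`no hosted zone covers ${name}`);
    return { DomainName: name, HostedZoneId: zone.hostedZoneId };
  });
  const properties = {
    DomainName: domainName,
    ValidationMethod: 'DNS',
    DomainValidationOptions: validationOptions,
  };
  if (names.length > 1) properties.SubjectAlternativeNames = names.slice(1);
  return properties;
}

// Constructed sample zones (placeholder ids, not real hosted zone ids)
const SAMPLE_ZONES = [
  { zoneName: 'example.com', hostedZoneId: 'Z_EXAMPLE_APEX' },
  { zoneName: 'foo.example.com.', hostedZoneId: 'Z_EXAMPLE_FOO' },
  { zoneName: 'example.org', hostedZoneId: 'Z_EXAMPLE_ORG' },
];

console.log(JSON.stringify(
  buildCertificateProperties('foo.example.com', ['*.foo.example.com', 'www.example.org'], SAMPLE_ZONES),
  null, 2));
```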
I'm having this same issue with "aws-cdk": "1.105.0",
Just ran into this as well.
1.119.0 (build 2921d64)
Reopening because customers have still been experiencing this issue
Pinging @jogold and @njlynch for awareness
@njlynch you might want to take a look at this one - it somehow got assigned to me by mistake (?).
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
When deploying a new DNS Validated Certificate, I keep getting an error:
Reproduction Steps
Error Log
Error log from cdk deploy:
Error log from Custom Resource Lambda Function:
Environment
Other
I can only find two places where there's a reference to a .Name property in the DNS Validated Certificate Lambda function:
https://github.com/aws/aws-cdk/blob/cb71f340343011a2a2de9758879a56e898b8e12c/packages/%40aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js#L116
https://github.com/aws/aws-cdk/blob/cb71f340343011a2a2de9758879a56e898b8e12c/packages/%40aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js#L137
I believe it's the first (dns_validated_certificate_handler/lib/index.js#L116), since the last message to appear before the error is thrown is "Waiting for ACM to provide DNS records for validation...". Here's the code in question:
A note regarding the Certificate naming and Route53 hosted zone:
The hosted zone is a subdomain (e.g. foo.example.com - changed for anonymity), and I'm adding a few extra wildcards:
foo.example.com ('DomainName')
*.foo.example.com (SAN)
*.ecs.foo.example.com (SAN)
Here's the generated CloudFormation Resource:
Here's the Certificate Object being queried over in the referenced code:
This is :bug: Bug Report
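The report above traces the failure to a `.Name` read in the handler's "Waiting for ACM to provide DNS records for validation..." step, and the PR discussion earlier in the thread frames the root cause as not waiting long enough for ACM. As an added example (not code from the aws-cdk handler), this is the defensive form of that step: it dereferences ResourceRecord.Name only once every DomainValidationOptions entry carries a ResourceRecord, and polls again otherwise. The DescribeCertificate responses are constructed samples and `describe` is an injected stand-in for the ACM call.

```javascript
// Added example, not code from the aws-cdk handler: the defensive form of the
// "waiting for ACM to provide DNS records" step. A not-yet-populated
// DescribeCertificate response produces another poll instead of
// "Cannot read property 'Name' of undefined".

// Returns the CNAME records to create when ACM has published one for every
// requested name, or null while any entry is still incomplete.
function collectValidationRecords(certificate, expectedNames) {
  const options = (certificate && certificate.DomainValidationOptions) || [];
  const records = [];
  for (const name of expectedNames) {
    const opt = options.find((o) => o.DomainName === name);
    const rr = opt && opt.ResourceRecord;
    if (!rr || !rr.Name || !rr.Type || !rr.Value) return null;
    records.push({ Name: rr.Name, Type: rr.Type, Value: rr.Value });
  }
  // Wildcard SANs share the apex validation record; Route 53 rejects a change
  // batch that repeats the same record, so keep one entry per record name.
  const seen = new Set();
  return records.filter((r) => (seen.has(r.Name) ? false : (seen.add(r.Name), true)));
}

// Polls describe() (an injected async function returning an ACM Certificate
// object) until the records are complete or maxAttempts is exhausted.
async function waitForValidationRecords(describe, expectedNames, opts = {}) {
  const { maxAttempts = 10, delayMs = 0 } = opts;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const records = collectValidationRecords(await describe(), expectedNames);
    if (records) return { records, attempts: attempt };
    await new Promise((resolve) => setTimeout(resolve, delayMs));
  }
  throw new Error(`ACM did not publish validation records after ${maxAttempts} attempts`);
}

// Constructed sample: the first two responses model the race reported in the
// issue (SAN entries present but without ResourceRecord yet); the third is complete.
function fakeDescribeSequence() {
  const names = ['foo.example.com', '*.foo.example.com', '*.ecs.foo.example.com'];
  const rr = (host) => ({ Name: `_abc123.${host}.`, Type: 'CNAME', Value: '_def456.acm-validations.aws.' });
  const responses = [
    { DomainValidationOptions: [{ DomainName: names[0], ValidationMethod: 'DNS' }] },
    { DomainValidationOptions: [
      { DomainName: names[0], ResourceRecord: rr('foo.example.com') },
      { DomainName: names[1] },
      { DomainName: names[2] },
    ] },
    { DomainValidationOptions: [
      { DomainName: names[0], ResourceRecord: rr('foo.example.com') },
      { DomainName: names[1], ResourceRecord: rr('foo.example.com') },
      { DomainName: names[2], ResourceRecord: rr('ecs.foo.example.com') },
    ] },
  ];
  let call = 0;
  const describe = async () => responses[Math.min(call++, responses.length - 1)];
  return { names, responses, describe };
}

const demo = fakeDescribeSequence();
waitForValidationRecords(demo.describe, demo.names).then((result) =>
  console.log(`ready after ${result.attempts} polls:`, result.records.map((r) => r.Name)),
);
```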