Open cloudkj opened 5 years ago
How should I resolve it?
Hi @yanlinaung30 - the manual workaround for this issue is to manually delete the CNAME record first before deleting the CloudFormation stack.
You can do this by using the AWS Route 53 console to open the hosted zone that was created as part of your stack, selecting the CNAME record set, then "Delete Record Set". After that, you should be able to fully delete the CloudFormation stack as it will then be able to delete the hosted zone.
Let me know if that works.
@cloudkj Thanks for your reply! I deleted the CNAME manually as soon as the certificate was issued successfully.
But I encountered another issue. I uploaded the JSON template file to the S3 bucket in my region and created the CloudFormation stack in my region:
CloudFrontRootDistribution
The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 67acde6a-8687-11e9-b0a2-4f83c31ceffd)
CloudFrontWWWDistribution
The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 67944d42-8687-11e9-aadb-fd94b97f8503)
Hi @yanlinaung30 - it looks like ACM has a restriction that requires certificates to be created in the us-east-1 region in order to be used with CloudFront: https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.
Unfortunately, for now you'll have to create the stack in us-east-1. Note that there should be no degradation in performance for visitors since the CloudFront distribution will be global. However, I can see that there can be a performance/cost issue in dealing with uploading or syncing assets if us-east-1 is not your home region.
I'll open a separate issue to track this problem. At the very least, the docs should be updated to reflect this limitation. It's possible that CloudFormation Stack Sets can offer a path forward by requesting only the ACM certificate in us-east-1 but other resources in the chosen region, but some work is needed to see if that's possible.
@cloudkj Oh, this must be the reason! Thanks a lot for your reply and explanation. I will create the CloudFormation in North Virginia for now. Thank you!
Attempting to delete a newly created SCAR stack in CloudFormation currently fails due to the CNAME DNS record that is created manually as part of the validation step. A custom resource could be added to the template to remove this record from the hosted zone so that the record is deleted after validation is successful.
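Added example, not part of the original thread or the project's code: the manual workaround described above, written as the Route 53 change batch that would be passed to boto3's `change_resource_record_sets`, plus a check for record sets that still block deletion of the hosted zone. The zone name and record values are constructed, and the function names are hypothetical.

```python
# Added example: all sample data is constructed, not taken from a real hosted zone.

def build_cname_delete_batch(record_sets):
    """Return a Route 53 ChangeBatch that deletes every CNAME record set.

    Route 53 accepts a DELETE only when Name, Type, TTL and values match the
    existing record set exactly, so each listed record set is passed through
    unchanged instead of being rebuilt by hand.
    """
    changes = [
        {"Action": "DELETE", "ResourceRecordSet": rs}
        for rs in record_sets
        if rs["Type"] == "CNAME"
    ]
    return {"Comment": "Remove validation CNAME before stack delete",
            "Changes": changes}


def blocking_records(record_sets, zone_name):
    """Return record sets that still prevent deletion of the hosted zone.

    A hosted zone can be deleted only when nothing remains in it except the
    default NS and SOA record sets at the zone apex.
    """
    return [
        rs for rs in record_sets
        if not (rs["Name"] == zone_name and rs["Type"] in ("NS", "SOA"))
    ]


# Constructed sample, shaped like a list_resource_record_sets response.
ZONE = "example.com."
SAMPLE = [
    {"Name": ZONE, "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.example.net."}]},
    {"Name": ZONE, "Type": "SOA", "TTL": 900,
     "ResourceRecords": [{"Value": "ns-1.example.net. hostmaster.example.com. 1 7200 900 1209600 86400"}]},
    {"Name": "_abc123.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "_def456.acm-validations.aws."}]},
]

if __name__ == "__main__":
    print(build_cname_delete_batch(SAMPLE))
    print(blocking_records(SAMPLE, ZONE))
```

With real data, the returned batch is the `ChangeBatch` argument and the hosted zone ID is supplied separately as `HostedZoneId`.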