1. In aws.acm.Certificate, why were there no CNAME records for DNS validation?

    TypeScript

    It seems like you're looking into why CNAME records for DNS validation were not automatically created when you set DNS as the validation method for the aws.acm.Certificate resource in Pulumi.

    Here's the thing: When you create an ACM Certificate with DNS validation in AWS, the service does not automatically create the necessary CNAME records in your DNS configuration. Instead, it provides DNS record information that you can use to create the records manually. You are responsible for adding these records to the DNS configuration for your domain name.

    Given that, to automate this process using Pulumi, you need to use not only the aws.acm.Certificate resource but also aws.route53.Record and aws.acm.CertificateValidation resources.

    The aws.acm.Certificate will create an ACM certificate with the validation records. The aws.route53.Record will be used to create the necessary DNS records in the Route53 Hosted Zone from the validation records provided by the ACM certificate. And finally, the aws.acm.CertificateValidation is responsible for adding a certificate validation to the ACM certificate using the DNS validation records.

    Here's an example of setting these up in TypeScript:

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";

    // Request the certificate; ACM returns the validation CNAME in domainValidationOptions.
    const exampleCertificate = new aws.acm.Certificate("exampleCertificate", {
        domainName: "example.com", // <-- replace with your domain name
        validationMethod: "DNS",
    });

    const zoneId = "ABCDEFGHIJK12345678"; // <-- replace with your hosted zone ID

    // Publish the validation CNAME in the Route53 hosted zone.
    const exampleRecord = new aws.route53.Record("exampleRecord", {
        name: exampleCertificate.domainValidationOptions[0].resourceRecordName,
        records: [exampleCertificate.domainValidationOptions[0].resourceRecordValue],
        ttl: 60,
        type: exampleCertificate.domainValidationOptions[0].resourceRecordType,
        zoneId: zoneId,
    });

    // Wait until ACM has seen the record and issued the certificate.
    const exampleCertificateValidation = new aws.acm.CertificateValidation("exampleCertificateValidation", {
        certificateArn: exampleCertificate.arn,
        validationRecordFqdns: [exampleRecord.fqdn],
    });

    export const certificateArn = exampleCertificateValidation.certificateArn;

    This example creates an ACM certificate and sets up a CNAME record for DNS validation automatically. Keep in mind that you still have to prove control over a domain by responding to the email that Amazon sends.




  2. But the ACM domain may have multiple subjectAlternativeNames in different Route53 zones, or the Route53 zone is not in the same account as ACM, or even the DNS nameserver is not Route53. Could I use Pulumi only for the ACM creation, not the record validation?

    TypeScript

    Certainly, if you need to create a certificate with multiple subjectAlternativeNames and not handle DNS validation with Route53 via Pulumi, you can easily do this. However, remember you will have to manually validate the certificate or use some other tooling/mechanism to manage the DNS validation process.

    Here is a simple modification to the previous ACM creation.

    In this example, we're going to create an ACM Certificate with multiple subjectAlternativeNames, and set the validationMethod to DNS. Note that it will not create any DNS Records.

    This is a simple script that creates such a configuration:

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";

    // Request the certificate only; no DNS records are created by this program.
    const exampleCertificate = new aws.acm.Certificate("exampleCertificate", {
        domainName: "example.com", // <-- replace with your primary domain
        validationMethod: "DNS",
        // add the list of alternate domain names you want to associate with the certificate
        subjectAlternativeNames: ["www.example.com", "api.example.com", "blog.example.com"], // <-- replace with your SANs
    });

    export const certificateArn = exampleCertificate.arn;

    When you run this program, it will create a certificate in ACM with the main domain "example.com", and three additional SANs (Subject Alternative Names), but leaves DNS validation to be handled externally or manually.

    Please make sure to replace the domain names with your own values.

    Remember that the ACM Certificate will still be in a pending state, because manual DNS validation is needed to validate the certificate. AWS will provide DNS record information that you can use to create the records manually or by other means.

    For more information about aws.acm.Certificate, check out the documentation.



  3. But after running the code, there were no CNAME name and CNAME value generated for validation. Why?

    TypeScript

    I understand that you're trying to generate a CNAME record for DNS validation of the ACM (Amazon Certificate Manager) certificate. However, the code you've provided is only creating the certificate, but it doesn't handle the DNS validation via Route53 programmatically.

    After creating the certificate in AWS ACM with DNS validation, you should create and validate DNS records (such as CNAME records) corresponding to your domain.

    Here is a Pulumi program that creates the ACM Certificate and also prepares the DNS validation records using the Route53 service:

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";

    // Request the certificate with its SANs.
    const exampleCertificate = new aws.acm.Certificate("exampleCertificate", {
        domainName: "example.com", // <-- replace with your primary domain
        validationMethod: "DNS",
        // add the list of alternate domain names you want to associate with the certificate
        subjectAlternativeNames: ["www.example.com", "api.example.com", "blog.example.com"], // <-- replace with your SANs
    });

    // Create the validation CNAME that ACM handed back in domainValidationOptions.
    const exampleCertificateValidation = new aws.route53.Record("exampleCertificateValidation", {
        allowOverwrite: true,
        name: exampleCertificate.domainValidationOptions[0].resourceRecordName,
        records: [exampleCertificate.domainValidationOptions[0].resourceRecordValue],
        ttl: 60,
        type: exampleCertificate.domainValidationOptions[0].resourceRecordType,
        zoneId: "Z2DNOTARANDOMZONEID", // <-- replace with your zone ID
    });

    // Wait for ACM to confirm the record and issue the certificate.
    const exampleCertificateValidationCompletion = new aws.acm.CertificateValidation("exampleCertificateValidationCompletion", {
        certificateArn: exampleCertificate.arn,
        validationRecordFqdns: [exampleCertificateValidation.fqdn],
    });

    export const certificateArn = exampleCertificateValidationCompletion.certificateArn;

    This code will create a Route53 CNAME record that AWS ACM will look for as part of the Certificate validation process. Note that you need to provide zoneId for the hosted zone related to your domain. Replace "Z2DNOTARANDOMZONEID" with your actual Route53 zone ID where you manage the DNS settings for your domain.

    For more details see these sections of the Pulumi Registry documentation: aws.acm.CertificateValidation and aws.route53.Record.



  4. Nope, the pulumi update is stopping at the aws:acm:Certificate creating step, and no CNAME name/value shows.

    TypeScript

    It appears that your Pulumi update might be getting stuck at the AWS ACM Certificate creation step because it's waiting for the DNS validation (which is not seen because the CNAME record has not been successfully created or verified yet).

    To achieve your goal, we need to look at how this process is being managed. First, we create the ACM Certificate. Then we prepare an AWS Route53 DNS record for validation. And finally, we tell AWS ACM to use this DNS record for the validation process.

    This should resolve the problem you're experiencing since every step will now be handled programmatically in the correct order.

    Here's the updated program to reflect this:

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";

    // Create an AWS resource (ACM Certificate)
    const exampleCertificate = new aws.acm.Certificate("exampleCertificate", {
        domainName: "example.com", // <-- replace with your domain
        validationMethod: "DNS",
    });

    // Create a DNS record for validation
    const exampleCertificateValidation = new aws.route53.Record("exampleCertValidationRecord", {
        zoneId: "Z2DNOTARANDOMZONEID", // <-- replace with your Zone ID
        name: exampleCertificate.domainValidationOptions[0].resourceRecordName,
        type: exampleCertificate.domainValidationOptions[0].resourceRecordType,
        records: [exampleCertificate.domainValidationOptions[0].resourceRecordValue],
        ttl: 300,
    });

    // Tell ACM to use the DNS record for validation
    const exampleCertificateValidationComplete = new aws.acm.CertificateValidation("exampleCertValidation", {
        certificateArn: exampleCertificate.arn,
        validationRecordFqdns: [exampleCertificateValidation.fqdn],
    });

    // Export the Certificate ARN
    export const exampleCertificateArn = exampleCertificateValidationComplete.certificateArn;

    This program will set up the ACM Certificate, prepare the DNS validation records using Route53, and then perform the validation process, ensuring Pulumi doesn't hang at the certificate creation stage. Be sure to replace "example.com" with your domain and "Z2DNOTARANDOMZONEID" with your Route53 Zone ID.

    For details about the components used, please refer to the Pulumi Registry documentation:

    1. Certificate
    2. Route53 Record
    3. CertificateValidation

    Also, be sure to run pulumi up in your terminal to update your stack with the new changes.
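All of the answers above wire up only domainValidationOptions[0], which is enough for a single-domain certificate. For the situation raised in question 2 (several SANs spread over different hosted zones, a zone owned by another account, or a zone that is not on Route53 at all) every entry in domainValidationOptions needs its own record, and two of those entries can be identical: ACM hands back the same CNAME for a domain and its wildcard (example.com and *.example.com), and creating it twice in Route53 fails unless allowOverwrite is set. The following is an added example, not code from the answers above: plain TypeScript with no Pulumi dependency, so it runs offline. It takes input in the shape of domainValidationOptions, picks the hosted zone for each validation record by longest matching zone name, collapses duplicate records, and separates out the domains whose zones are not in the supplied inventory so their CNAMEs can be handed to whoever runs that DNS. The domains, zone IDs and validation tokens are constructed placeholders; the comment at the end sketches the Pulumi wiring through cert.domainValidationOptions.apply(...) and is not executed here.

```typescript
// Added example, not part of the Pulumi AI answers above. Plain TypeScript with
// no Pulumi dependency so it runs offline; all names, zone IDs and tokens below
// are constructed placeholders.

// Same shape as the elements of aws.acm.Certificate.domainValidationOptions.
interface DomainValidationOption {
    domainName: string;
    resourceRecordName: string;   // e.g. "_token.example.com."
    resourceRecordType: string;   // "CNAME"
    resourceRecordValue: string;  // e.g. "_token.acm-validations.aws."
}

// One Route53 record to create (values merged if ACM returns several for one name).
interface ValidationRecord {
    zoneId: string;
    name: string;
    type: string;
    values: string[];
}

interface ValidationPlan {
    records: ValidationRecord[];          // records we can create in zones we manage
    unmanaged: DomainValidationOption[];  // hand these CNAMEs to whoever runs that DNS
}

// Hosted zones we manage: zone name -> hosted zone ID (assumed inventory).
type ZoneMap = { [zoneName: string]: string };

function normalizeName(name: string): string {
    const lower = name.toLowerCase();
    return lower.charAt(lower.length - 1) === "." ? lower.slice(0, -1) : lower;
}

function isWithinZone(name: string, zone: string): boolean {
    const suffix = "." + zone;
    return name === zone || name.slice(-suffix.length) === suffix;
}

// Pick the most specific zone for a record: "_t.api.eu.example.com." lands in
// "eu.example.com" when that zone exists, otherwise in "example.com".
function zoneIdForRecord(recordName: string, zones: ZoneMap): string | undefined {
    const target = normalizeName(recordName);
    let bestKey: string | undefined;
    let bestLen = -1;
    for (const zoneName in zones) {
        if (!Object.prototype.hasOwnProperty.call(zones, zoneName)) continue;
        const zone = normalizeName(zoneName);
        if (isWithinZone(target, zone) && zone.length > bestLen) {
            bestKey = zoneName;
            bestLen = zone.length;
        }
    }
    return bestKey === undefined ? undefined : zones[bestKey];
}

function planValidationRecords(options: DomainValidationOption[], zones: ZoneMap): ValidationPlan {
    const records: ValidationRecord[] = [];
    const index: { [key: string]: ValidationRecord } = {};
    const unmanaged: DomainValidationOption[] = [];
    for (const opt of options) {
        const zoneId = zoneIdForRecord(opt.resourceRecordName, zones);
        if (zoneId === undefined) {
            unmanaged.push(opt);
            continue;
        }
        // ACM returns the identical CNAME for "example.com" and "*.example.com";
        // key on zone + name + type so that record is created only once.
        const key = zoneId + "|" + normalizeName(opt.resourceRecordName) + "|" + opt.resourceRecordType.toUpperCase();
        const existing = index[key];
        if (existing === undefined) {
            const rec: ValidationRecord = { zoneId: zoneId, name: opt.resourceRecordName, type: opt.resourceRecordType, values: [opt.resourceRecordValue] };
            index[key] = rec;
            records.push(rec);
        } else if (existing.values.indexOf(opt.resourceRecordValue) === -1) {
            existing.values.push(opt.resourceRecordValue);
        }
    }
    return { records: records, unmanaged: unmanaged };
}

// Constructed sample: what domainValidationOptions could look like for a certificate
// covering example.com, *.example.com, api.example.com, app.internal.example.net and shop.partner.io.
const SAMPLE_OPTIONS: DomainValidationOption[] = [
    { domainName: "example.com", resourceRecordName: "_a1b2c3.example.com.", resourceRecordType: "CNAME", resourceRecordValue: "_d4e5f6.acm-validations.aws." },
    { domainName: "*.example.com", resourceRecordName: "_a1b2c3.example.com.", resourceRecordType: "CNAME", resourceRecordValue: "_d4e5f6.acm-validations.aws." },
    { domainName: "api.example.com", resourceRecordName: "_g7h8i9.api.example.com.", resourceRecordType: "CNAME", resourceRecordValue: "_j0k1l2.acm-validations.aws." },
    { domainName: "app.internal.example.net", resourceRecordName: "_m3n4o5.app.internal.example.net.", resourceRecordType: "CNAME", resourceRecordValue: "_p6q7r8.acm-validations.aws." },
    { domainName: "shop.partner.io", resourceRecordName: "_s9t0u1.shop.partner.io.", resourceRecordType: "CNAME", resourceRecordValue: "_v2w3x4.acm-validations.aws." },
];

// Zones we manage (placeholder IDs); partner.io is run by someone else, so it is absent.
const SAMPLE_ZONES: ZoneMap = {
    "example.com": "Z0000000000EXAMPLECOM",
    "internal.example.net": "Z0000000000INTERNAL",
};

// Pulumi wiring sketch (not executed here). Assumes `cert` is an aws.acm.Certificate and
// `otherAccount` an aws.Provider for the account that owns internal.example.net:
//   const plan = cert.domainValidationOptions.apply(opts => planValidationRecords(opts, SAMPLE_ZONES));
//   const fqdns = plan.apply(p => p.records.map((r, i) =>
//       new aws.route53.Record(`validation-${i}`,
//           { zoneId: r.zoneId, name: r.name, type: r.type, records: r.values, ttl: 60 },
//           { provider: r.zoneId === SAMPLE_ZONES["internal.example.net"] ? otherAccount : undefined }).fqdn));
//   new aws.acm.CertificateValidation("validation", { certificateArn: cert.arn, validationRecordFqdns: fqdns });
//   export const unmanaged = plan.apply(p => p.unmanaged);  // CNAMEs to hand to the external DNS operator
```

In the sketched wiring, aws.acm.CertificateValidation is the resource that waits for ACM to report the certificate as issued, so when some names are in the unmanaged list the update blocks until the external operator has published those CNAMEs; exporting that list from the stack is what lets them do so. Records for a zone in another account go through a second aws.Provider passed in the resource options, as the comment shows, and the certificate itself stays in the account where it will be consumed.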