(aws-certificatemanager): Ref intrinsic function should be used to implement attrId in the generated CfnCertificate construct instead of GetAtt
Describe the bug
In the generated CfnCertificate L1 construct, the GetAtt intrinsic function is used to implement the attrId property, although as per the CFN docs, there is no support for GetAtt for this resource (see here):
this.attrId = cdk.Token.asString(this.getAtt("Id", cdk.ResolutionTypeHint.STRING));
Expected Behavior
I can use attrId without getting an error.
Current Behavior
When I use cfnCertificate.attrId in my CDK implementation and then try to deploy, I get the following exception:
Deployment XXXXX failed because Couldn't call cloudformation for target XXXXXX because of a validation error. The error was Template error: resource DNSCertificate does not support attribute type Id in Fn::GetAtt (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError;
Reproduction Steps
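import { DefaultInstanceTenancy, SecurityGroup, SubnetType, Vpc } from 'aws-cdk-lib/aws-ec2';
import { ApplicationLoadBalancer, ApplicationProtocol, ListenerCertificate, SslPolicy } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
import { CfnCertificate } from 'aws-cdk-lib/aws-certificatemanager';

// Runs inside a construct's constructor; props, domainName and hostedZone are defined elsewhere.
const vpc = new Vpc(this, 'VPC', {
  cidr: '10.0.0.0/16',
  enableDnsHostnames: true,
  enableDnsSupport: true,
  maxAzs: props.maxAZs,
  defaultInstanceTenancy: DefaultInstanceTenancy.DEFAULT,
  subnetConfiguration: [
    {
      name: 'public-subnet-1',
      subnetType: SubnetType.PUBLIC,
      cidrMask: 20
    }
  ]
});
const securityGroup = new SecurityGroup(this, 'SecurityGroup', {
  vpc: vpc
});
this.loadBalancer = new ApplicationLoadBalancer(this, 'LB', {
  vpc: vpc,
  securityGroup: securityGroup,
  internetFacing: true
});
const cfnCertificate = new CfnCertificate(this, 'DNSCertificate', {
  domainName: domainName,
  validationMethod: 'DNS',
  domainValidationOptions: [
    {
      domainName: domainName,
      hostedZoneId: hostedZone.hostedZoneId
    }
  ]
});
// attrId synthesizes to Fn::GetAtt on DNSCertificate "Id", which fails validation at deploy time.
const certificate = ListenerCertificate.fromArn(cfnCertificate.attrId);
const listener = this.loadBalancer.addListener('HttpsListener', {
  protocol: ApplicationProtocol.HTTPS,
  port: 443,
  certificates: [certificate],
  sslPolicy: SslPolicy.RECOMMENDED
});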
Possible Solution
attrId property should be implemented using the Ref function.
Workaround:
The workaround is to use cfnCertificate.Ref instead of cfnCertificate.attrId
Additional Information/Context
No response
CDK CLI Version
2.147.0
Framework Version
No response
Node.js Version
22
OS
all
Language
TypeScript, Python, .NET, Java, Go
Language Version
No response
Other information
No response
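A pre-deploy check for the failure reported above, as an added example that is not part of the issue or of CDK: it walks a synthesized template (such as the JSON that cdk synth writes) and reports every Fn::GetAtt on an attribute the target resource type does not support. The lookup table, the function names and the sample template are assumptions made for illustration; the table lists only the AWS::CertificateManager::Certificate / Id pair from this issue.

```typescript
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
type JsonObject = { [key: string]: Json };
interface Finding { path: string; logicalId: string; attribute: string; resourceType: string; }

// Assumption: only the type/attribute pair reported in this issue is listed here.
const UNSUPPORTED_GETATT: { [resourceType: string]: string[] } = {
  "AWS::CertificateManager::Certificate": ["Id"],
};

function isObject(v: Json | undefined): v is JsonObject {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// cdk synth emits Fn::GetAtt as ["LogicalId", "Attribute"].
function parseGetAtt(value: Json | undefined): [string, string] | null {
  if (!Array.isArray(value) || value.length !== 2) return null;
  const a = value[0], b = value[1];
  return typeof a === "string" && typeof b === "string" ? [a, b] : null;
}

function findUnsupportedGetAtt(template: JsonObject): Finding[] {
  const resources = template["Resources"];
  const findings: Finding[] = [];
  const typeOf = (logicalId: string): string | undefined => {
    const res = isObject(resources) ? resources[logicalId] : undefined;
    const t = isObject(res) ? res["Type"] : undefined;
    return typeof t === "string" ? t : undefined;
  };
  const walk = (node: Json | undefined, path: string): void => {
    if (Array.isArray(node)) { node.forEach((child, i) => walk(child, `${path}[${i}]`)); return; }
    if (!isObject(node)) return;
    for (const key of Object.keys(node)) {
      const ref = key === "Fn::GetAtt" ? parseGetAtt(node[key]) : null;
      const resourceType = ref ? typeOf(ref[0]) : undefined;
      if (ref && resourceType && (UNSUPPORTED_GETATT[resourceType] || []).indexOf(ref[1]) !== -1) {
        findings.push({ path: `${path}.${key}`, logicalId: ref[0], attribute: ref[1], resourceType });
      }
      walk(node[key], `${path}.${key}`);
    }
  };
  walk(template, "$");
  return findings;
}

// Constructed sample: a listener whose CertificateArn points at the DNSCertificate resource.
const sampleTemplate = (certificateArn: Json): JsonObject => ({ Resources: {
  DNSCertificate: { Type: "AWS::CertificateManager::Certificate" },
  HttpsListener: { Type: "AWS::ElasticLoadBalancingV2::Listener",
    Properties: { Certificates: [{ CertificateArn: certificateArn }] } } } });
```

Calling findUnsupportedGetAtt(sampleTemplate({ "Fn::GetAtt": ["DNSCertificate", "Id"] })) returns one finding for the listener's CertificateArn, while the { Ref: "DNSCertificate" } form returns none.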
Hey @moelasmar, thanks for reporting this.
I found this issue is quite similar to the one you have reported, and @pahud has also filed an internal ticket with the CloudFormation team - https://github.com/aws/aws-cdk/issues/30512#issuecomment-2166432024. However, if you think this issue is not addressed or is different from the one in the mentioned internal ticket, please feel free to reach out.
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.