How to fully automate the provisioning of ACM certificates in CloudFormation

AWS Certificate Manager (ACM) is a great service that eases the creation and renewal of certificates. After you request a certificate, it offers two ways to prove that you control the domain: either by clicking a link in an email sent to the registered contacts of the domain, or by publishing a validation record in DNS.

As we aim to automate the entire process, the email validation method is not an option: it requires a human to click a link. Validating through DNS is the way to go.

Since June 2020, the CloudFormation resource AWS::CertificateManager::Certificate lets you specify the Route 53 hosted zone in which to insert the validation records, so no custom resource is needed anymore.

How do I automate the provisioning of ACM certificates?

You can automate the provisioning of ACM certificates with DNS validation using a single resource. Below you see the required AWS::CertificateManager::Certificate resource:

  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      # one entry per domain name on the certificate; HostedZoneId tells
      # CloudFormation where to write the validation CNAME record
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

This will create the required DNS validation CNAME records for the domain in the specified Route 53 hosted zone. Two things to check before you deploy: the hosted zone must live in the same AWS account as the stack, and the principal that runs the stack (your credentials or the CloudFormation service role) must be allowed to change record sets in that zone. The stack stays in CREATE_IN_PROGRESS until ACM has seen the record and issued the certificate, so if the zone is not actually authoritative for the domain (for example, because the NS delegation is missing) the stack will hang and eventually roll back.
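The single resource above is enough, but in practice you usually want the apex domain and its wildcard on one certificate and the ARN exported for use elsewhere. The complete template below is an added example, not code from the original post: the parameter names, the example.com default, the wildcard SAN and the output are all assumptions made for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: DNS-validated ACM certificate for an apex domain and its
  wildcard, with the validation records written to a Route 53 hosted zone.
  Parameter names and the example.com default are assumptions for this
  example, not taken from the original post.

Parameters:
  DomainName:
    Type: String
    Default: example.com
    Description: Apex domain the certificate is issued for (assumed default)
  HostedZoneId:
    # Using the Route 53 hosted zone parameter type gives you a picker in
    # the console and rejects IDs that do not exist in this account.
    Type: AWS::Route53::HostedZone::Id
    Description: Hosted zone authoritative for DomainName, in the same account as this stack

Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      # The wildcard SAN covers every first-level subdomain. ACM issues the
      # same validation CNAME for the apex and its wildcard, so only one
      # record ends up in the zone.
      SubjectAlternativeNames:
        - !Sub '*.${DomainName}'
      ValidationMethod: DNS
      # One DomainValidationOptions entry per name on the certificate.
      # CloudFormation writes the CNAME validation record into the zone and
      # blocks until ACM has validated the name and issued the certificate.
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
        - DomainName: !Sub '*.${DomainName}'
          HostedZoneId: !Ref HostedZoneId
      Tags:
        - Key: Name
          Value: !Ref DomainName

Outputs:
  CertificateArn:
    # Ref on an ACM certificate returns its ARN, which is what ALB listeners,
    # CloudFront distributions and API Gateway custom domains expect.
    Description: ARN of the issued certificate
    Value: !Ref Certificate
    Export:
      Name: !Sub '${AWS::StackName}-CertificateArn'
```

Deploy it with `aws cloudformation deploy --template-file certificate.yaml --stack-name example-certificate --parameter-overrides HostedZoneId=<your zone id>` (a stack name and file name assumed here). Remember that a certificate used by CloudFront must be created in us-east-1, so deploy that stack in that region regardless of where the rest of your workload runs; certificates for regional ALBs or API Gateway endpoints go in the region of that endpoint.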

Conclusion

With the newly provided support, you can automate the provisioning of ACM certificates through DNS validation with plain CloudFormation. The trusty old custom provider cfn-certificate-provider, which has been providing this functionality since October 2018, can now retire.


Made it this far? You will probably also like deploying secrets and deploying private key pairs with CloudFormation.

Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.