certificatemanager: deletion of stack with Cognito custom domain fails on CertificateRequestorResource #28063
Labels
@aws-cdk/aws-certificatemanager: Related to Amazon Certificate Manager
bug: This issue is a bug.
effort/medium: Medium work item – several days of effort
p3
Describe the bug
Deleting the stack with a custom domain for a Cognito user pool fails on trying to delete CertificateRequestorResource.
Expected Behavior
Deletion succeeds.
Current Behavior
Deletion fails with message:
Reproduction Steps
Deploy the stack which has a Cognito user pool with a custom domain.
Setting up such a stack requires defining a certificate for the custom domain. I do it using DnsValidatedCertificate, my code (in Clojure with custom helper functions):
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.100.0 (build e1b5c77)
Framework Version
2.100.0
Node.js Version
18.17.1
OS
macOS
Language
Java
Language Version
Java (17)
Other information
Cause
The cause seems to be that the certificate is still used by the "phantom" CloudFront distribution which belongs to the unknown account 455458493081 and I can't find it anywhere in the GUI.
It can be seen in the ACM GUI or via
aws acm describe-certificate --certificate-arn ... --region us-east-1
and then looking at the InUseBy key. After a few minutes this dependency is automatically cleaned up and the repeated attempt to delete the stack will succeed after that.
I suspect this is the distribution containing the Cognito's hosted UI website.
I found a single mention of a similar Cognito problem in https://stackoverflow.com/questions/75134728/phantom-cloudfront-distribution-blocks-me-from-creating-cognito-custom-domain. And the answer there states:
But there are several reports of a similar issue with certificates for API Gateway, e.g.:
Workaround attempt
I tried to retain the certificate on deletion via
(.applyRemovalPolicy cert RemovalPolicy/RETAIN_ON_UPDATE_OR_DELETE)
This allows the stack deletion to succeed. But when I deployed the same stack again immediately it failed with:
Strangely, deploying one more time succeeded. But in any case, it doesn't seem to be a reliable workaround and with time it will pollute ACM with unused certificates.
Solution ideas
InUseBy array.
aws-certificatemanager/dns-validated-certificate-handler deleteCertificate function:
aws-cdk/packages/@aws-cdk/custom-resource-handlers/lib/aws-certificatemanager/dns-validated-certificate-handler/index.js (line 160 in c66e197)
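The solution idea above, sketched as an added example (this is not the reporter's code and not the CDK handler from dns-validated-certificate-handler/index.js): before deleting the certificate, poll describe-certificate until InUseBy is empty, and also retry when the delete itself fails with ResourceInUseException, since the lagging CloudFront reference can disappear between the describe and the delete, or appear to be gone on describe and still block the delete. The attempt count is bounded on purpose: a Lambda-backed custom resource cannot wait forever, so a reference that never clears must surface as a failed delete rather than a hung stack. The `acm` argument is assumed to be a thin wrapper exposing `describeCertificate` and `deleteCertificate` that return promises with the ACM API response shapes; `fakeAcm`, the account id, the distribution ARN and `DEMO_ARN` are all constructed stand-ins so the block runs offline.

```javascript
// Added example, not the CDK handler's code: delete an ACM certificate only once
// nothing references it, polling InUseBy and retrying on ResourceInUseException.

const DEFAULTS = { maxAttempts: 12, delayMs: 10000 };

function sleep(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// `acm` is assumed to expose describeCertificate({ CertificateArn }) and
// deleteCertificate({ CertificateArn }) returning promises with the ACM API's
// response shapes (a thin wrapper around the AWS SDK client would provide this).
async function deleteCertificateWhenUnused(acm, certificateArn, options = {}) {
  const { maxAttempts, delayMs, sleepFn = sleep } = { ...DEFAULTS, ...options };
  const log = [];

  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
    let inUseBy;
    try {
      const { Certificate } = await acm.describeCertificate({ CertificateArn: certificateArn });
      inUseBy = (Certificate && Certificate.InUseBy) || [];
    } catch (err) {
      if (err && err.name === 'ResourceNotFoundException') {
        // Nothing left to delete (e.g. a retained certificate already removed by hand).
        log.push({ attempt, status: 'already-gone' });
        return { deleted: true, attempts: attempt, log };
      }
      throw err;
    }

    if (inUseBy.length > 0) {
      // Still referenced (the lagging CloudFront distribution): wait and re-check.
      log.push({ attempt, status: 'in-use', inUseBy });
      await sleepFn(delayMs);
      continue;
    }

    try {
      await acm.deleteCertificate({ CertificateArn: certificateArn });
      log.push({ attempt, status: 'deleted' });
      return { deleted: true, attempts: attempt, log };
    } catch (err) {
      if (err && err.name === 'ResourceInUseException') {
        // Race: InUseBy read empty, but the delete still saw a consumer. Retry.
        log.push({ attempt, status: 'race' });
        await sleepFn(delayMs);
        continue;
      }
      throw err;
    }
  }

  // Bounded: a custom-resource handler must fail rather than hang forever.
  return { deleted: false, attempts: maxAttempts, log };
}

// Constructed stand-in for the ACM client (no AWS calls). InUseBy stays populated
// for the first `inUseCalls` describes; with `raceOnce` the first delete fails with
// ResourceInUseException even though the preceding describe showed no consumers.
function fakeAcm({ inUseCalls = 2, raceOnce = false } = {}) {
  const phantomDistribution = 'arn:aws:cloudfront::123456789012:distribution/EXAMPLE1';
  let describes = 0;
  let deletes = 0;
  let raced = false;
  return {
    async describeCertificate() {
      describes += 1;
      return { Certificate: { InUseBy: describes <= inUseCalls ? [phantomDistribution] : [] } };
    },
    async deleteCertificate() {
      deletes += 1;
      if (raceOnce && !raced) {
        raced = true;
        const err = new Error('Certificate is in use');
        err.name = 'ResourceInUseException';
        throw err;
      }
      return {};
    },
    counts: () => ({ describes, deletes }),
  };
}

// Constructed certificate ARN for the demo run.
const DEMO_ARN = 'arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000';

// Stand-alone run on the constructed client (delayMs 0 so it finishes instantly).
deleteCertificateWhenUnused(fakeAcm({ inUseCalls: 2, raceOnce: true }), DEMO_ARN, { delayMs: 0 })
  .then((result) => console.log(JSON.stringify(result, null, 2)));
```

With the real client, `delayMs` should be chosen so that `maxAttempts * delayMs` stays inside the handler's Lambda timeout; the reporter's observation that the reference clears "after a few minutes" suggests a budget of a few minutes is enough for the Cognito case, and the returned `log` gives the custom resource something concrete to report if the budget runs out.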