aws-cloudfront: cdk incorrectly prevents attaching certificate when no aliases are given #29960
Comments
I believe as a work-around it is possible to proceed by using the escape hatches to manipulate the CloudFormation output:
@lexhl Good afternoon. Per link https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-move-create-target that you shared, it specifies to Thanks,
Hi, the relevant instructions as per the article are as pasted below. You can see that you are required to first set up the distribution with the certificate but without the alias. The second step is to run the associate-alias command, which moves the alias. This command is only allowed to be run if you have already created a target distribution that has the correct certificate attached but does not have the alias already associated with it. This is the point of the CloudFront associate-alias command. This all works fine if done via the boto3 APIs or the web console. Only CDK blocks it because CDK wrongly does not allow me to attach a certificate to a distribution that has no alias. If you attempt to create a distribution that has the same alias as an existing distribution then CloudFront will prevent that. Hence why the associate-alias command exists to allow for zero downtime migration of aliases from one distribution to another.
.... and ...
Hi @ashishdhingra I have had confirmation from AWS premium support that they have reproduced the issue and they also suggested a similar workaround that I suggested above of using the L1 constructs instead (which does work). However it would be nice if the L2 construct just allowed this use case as it is an important use case sometimes. Quote from AWS support:
Comments on closed issues and PRs are hard for our team to see.
…name between distributions (#31001)

### Issue # (if applicable)

Closes #29960.

### Reason for this change

When I want to move a domain name from a distribution to another distribution, I must create a distribution with a certificate associated but no domain names.

### Description of changes

Re-submit of previous #29329. Removed the validation that `domainNames` must not be blank when a certificate is associated.

### Description of how you validated changes

Updated a unit test to allow absent domainNames when a certificate is associated.

See AWS Documentation for details: Using custom URLs by adding alternate domain names (CNAMEs) > Moving an alternate domain name to a different distribution
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-move

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
Hi, I am trying to follow the instructions on how to move an alias from an existing alias from one CloudFront distribution to another. The instructions say that I need to set up the target distribution with a certificate that includes the alternative domain name that I want to move: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-move-create-target
However, when I try to set up the distribution with the certificate but without the alternative domain names (as directed in the instructions) I run into an error 'Must specify at least one domain name to use a certificate with a distribution' generated I think from this line of code within CDK:
aws-cdk/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
Line 323 in 6fdc458
It seems that CDK prevents me from adding a certificate unless I have a domain name; but that means I cannot follow the process for moving an alias from an old distribution to a new one. I can create a distribution with a certificate and no alias if I use the aws web console to do it; so I think CDK is wrong with this validation.
Expected Behavior
CDK should allow me to create a cloudfront distribution that has an ACM certificate attached but no aliases
Current Behavior
CDK raises an error message
'Must specify at least one domain name to use a certificate with a distribution'
when I try to create a cloudfront distribution that has an ACM certificate attached but no aliases
Reproduction Steps
Possible Solution
Remove the spurious validation check:
Additional Information/Context
No response
CDK CLI Version
2.137.0 (build bb90b4c)
Framework Version
No response
Node.js Version
v21.7.1
OS
Mac OS
Language
Python
Language Version
Python 3.11
Other information
No response
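
An added example, not part of the original thread or of the CDK code base: a pre-deploy check that a synthesized CloudFormation template stages the target distribution the way the alias-move procedure in this issue requires (certificate attached, no alias yet, certificate covering the name to be moved). The function names and the sample template are assumptions constructed for illustration, and only certificates defined in the same template can be inspected offline.

```python
# Added example: inspect a synthesized template (as a dict) before deploying.
# SAMPLE is constructed data, not output from the issue.

def cert_covers(name, cert_names):
    """True if name matches a certificate name; '*' covers one leftmost label only."""
    name = name.lower().rstrip(".")
    for cn in cert_names:
        cn = cn.lower().rstrip(".")
        if cn == name:
            return True
        if cn.startswith("*.") and "." in name and name.split(".", 1)[1] == cn[2:]:
            return True
    return False

def ready_for_alias_move(template, dist_id, alias):
    """Return a list of problems; an empty list means the target is staged correctly."""
    res = template["Resources"]
    cfg = res[dist_id]["Properties"]["DistributionConfig"]
    problems = []
    if cfg.get("Aliases"):
        problems.append("target already lists aliases: %s" % cfg["Aliases"])
    cert_ref = cfg.get("ViewerCertificate", {}).get("AcmCertificateArn")
    if cert_ref is None:
        problems.append("no ACM certificate attached")
        return problems
    # Resolve {"Ref": "<logical id>"}; anything else is treated as external.
    cert = res.get(cert_ref.get("Ref")) if isinstance(cert_ref, dict) else None
    if cert is None:
        problems.append("certificate is external; check its names with ACM")
        return problems
    props = cert["Properties"]
    names = [props["DomainName"]] + props.get("SubjectAlternativeNames", [])
    if not cert_covers(alias, names):
        problems.append("certificate %s does not cover %s" % (names, alias))
    return problems

SAMPLE = {"Resources": {
    "Cert": {"Type": "AWS::CertificateManager::Certificate",
             "Properties": {"DomainName": "example.com",
                            "SubjectAlternativeNames": ["*.example.com"]}},
    "Target": {"Type": "AWS::CloudFront::Distribution",
               "Properties": {"DistributionConfig": {
                   "Enabled": True,
                   "ViewerCertificate": {"AcmCertificateArn": {"Ref": "Cert"},
                                         "SslSupportMethod": "sni-only"}}}},
}}

if __name__ == "__main__":
    print(ready_for_alias_move(SAMPLE, "Target", "www.example.com"))
```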