AWS Certificate Manager is a great service that eases the creation and renewal of certificates. After you request a certificate, it offers two ways to prove that you own the domain: either by clicking a link in an email sent to the administrative contact of the domain, or by creating a record in DNS.
As we aim to automate the entire process, the email validation method is not an option: it requires a human to click on a link. Validating through DNS is the way to go.
Since June 2020, the CloudFormation resource AWS::CertificateManager::Certificate allows you to specify the Route 53 hosted zone in which to insert the validation records.
How do I automate the provisioning of ACM certificates?
You can automate the provisioning of ACM certificates with DNS validation using a single resource. Below you see the required AWS::CertificateManager::Certificate resource:
```yaml
Certificate:
  Type: AWS::CertificateManager::Certificate
  Properties:
    DomainName: !Ref DomainName
    ValidationMethod: DNS
    DomainValidationOptions:
      - DomainName: !Ref DomainName
        HostedZoneId: !Ref HostedZoneId
```
This creates the required DNS validation records for the domain in the specified Route 53 hosted zone.
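To show the resource in context, here is a complete, deployable template built around it. This is an added example, not the post's own template or the cfn-certificate-provider project's code; it assumes the parameter names DomainName and HostedZoneId and goes one step beyond the snippet above by adding a wildcard subject alternative name, which needs its own DomainValidationOptions entry, and by exporting the certificate ARN for use elsewhere.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: ACM certificate with automated DNS validation in Route 53 (added example)

Parameters:
  DomainName:
    Type: String
    Description: Name the certificate is issued for, e.g. example.com (assumed parameter)
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
    Description: Route 53 public hosted zone authoritative for DomainName (assumed parameter)

Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      # A wildcard SAN covers hosts below the apex; every name on the
      # certificate has to be validated, so it also needs an entry below.
      SubjectAlternativeNames:
        - !Sub '*.${DomainName}'
      ValidationMethod: DNS
      # One entry per name: CloudFormation writes the validation CNAME
      # records into this hosted zone and only reports CREATE_COMPLETE
      # once ACM has issued the certificate.
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
        - DomainName: !Sub '*.${DomainName}'
          HostedZoneId: !Ref HostedZoneId

Outputs:
  CertificateArn:
    Description: ARN to reference from an ALB listener or a CloudFront distribution
    Value: !Ref Certificate
```

Deploy it with `aws cloudformation deploy --template-file certificate.yaml --stack-name my-certificate --parameter-overrides DomainName=example.com HostedZoneId=Z0000000000000000` (values are placeholders). Two things to check before relying on it: the hosted zone must live in the same AWS account as the stack, and a certificate that will be attached to CloudFront must be created in us-east-1. Leave the validation CNAME records in the zone after issuance; ACM uses them again to renew the certificate automatically, and removing them turns renewal back into a manual step.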
Conclusion
With the newly provided support, you can automate the provisioning of ACM certificates through DNS validation. The trusty old custom provider cfn-certificate-provider, which has been providing this functionality since October 2018, can now retire.
Got this far? You probably also like deploying secrets and deploying private key pairs with CloudFormation.