How to Automate Provisioning of ACM Certificate using CloudFormation
In this quick post, you will learn to automate the provisioning of ACM Certificates using CloudFormation.
Since June 2020, AWS CloudFormation allows to request of a certificate including validation using DNS validation.
To be precise, Now you can use CloudFormation templates to perform all of the steps to validate your domain with DNS validation and issue your certificate.
First of all, Let’s understand ACM a little bit.
What is AWS Certificate Manager (ACM)?
ACM is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
These certificates can be used with AWS services and your internal connected resources such as ELB, CloudFront, API Gateway etc.
- When you request a certificate from ACM, You must be able to validate that you own the domain.
- It gives us two options to validate the domain.
- Email Validation: By clicking on a link in an email sent to the administrative contact of the domain
- DNS Validation: By adding a CNAME record in the route53 hosted zone
- In the automation process of the ACM certificate, DNS validation is used. Because obviously clicking a link in an email will be a manual process.
How to Automate Provisioning of ACM Certificate
Infrastructure as a code is cool. It gives us the flexibility to replicate our application environment with a click.
You will need an AWS::CertificateManager::Certificate resource to get a certificate. Check out more about this here.
In the below code snippet, we are automating the creation of an ACM Certificate using the CloudFormation template.
--- AWSTemplateFormatVersion: '2010-09-09' Parameters: DomainName: Description: "Domain for which you are requesting a cert" Type: String Default: example.com #Put your own domain name here HostedZoneId: Description: "hosted zone id in which CNAME record for the validation needs to be added" Type: String Default: XYZABCDERYH #Put the hosted zone id in which CNAME record for the validation needs to be added Resources: Certificate: Type: AWS::CertificateManager::Certificate Properties: DomainName: !Ref DomainName DomainValidationOptions: - DomainName: !Ref DomainName HostedZoneId: !Ref HostedZoneId ValidationMethod: 'DNS' Outputs: CertificateArn: Value: !Ref Certificate
If you create a CloudFormation stack using the above code snippet, your ready-to-use certificate is there for you and you can verify the same by going to ACM service.
Please note that usually, !Ref ResourceName gives the physical ID of the resource or the value of the parameter.
However, in the case of ACM cert, it gives us CertificateArn.
Note: If you use email validation, or if the domain is not hosted in Route 53, then the stack will remain in the
CREATE_IN_PROGRESS state until you validate the certificate request.
You can do so either by acting upon the instructions in the validation email, or by adding a CNAME record to your DNS configuration.
In this quick article, we learnt a bit about AWS Certificate Manager. We also learnt the automation of ACM certificate issuance using CloudFormation
I hope you liked my post.
You can motivate me and help me get better by –
- Adding a comment on this post on what you liked and what can be improved.
- Follow Cloudkatha on –
- Subscribe to our newsletter to get notified each time we post new content.
- Share this post with your friends and colleagues
Please please share your feedback and help us get better with time 🙂