How to Automate Provisioning of ACM Certificate using CloudFormation

How to Automate Provisioning of ACM Certificate using CloudFormation
Sharing is Caring:

In this quick post, you will learn to automate provisioning of ACM Certificate using CloudFormation.

Since June 2020, AWS CloudFormation allows to request a certificate including validation using DNS validation.

To be precise, Now you can use CloudFormation templates to perform all of the steps to validate your domain with DNS validation and issue your certificate.

First of all, Let’s understand ACM little bit.

What is AWS Certificate Manager (ACM)?

ACM is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS)  certificates.

These certificates can be used with AWS services and your internal connected resources such as ELB, CloudFront, API Gateway etc.

  • When you request for a certificate from ACM, You must be able to validate that you own the domain.
  • It gives us two options to validate the domain.
    • Email Validation : By clicking on a link in email sent to administrative contact of domain
    • DNS Validation : By adding a CNAME record in the route53 hosted zone
  • In the automation process of ACM certificate, DNS validation is used. Because obviously clicking a link in email will be manual process.

How to Automate Provisioning of ACM Certificate

Infrastructure as a code is cool. It gives us flexibility to replicate our application environment in a click.

You will need a AWS::CertificateManager::Certificate resource to get a certificate. Checkout more about this here.

In the below code snippet, we are automating creation of ACM Certificate using CloudFormation template.

---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DomainName:
    Description: "Domain for which you are requesting a cert"
    Type: String
    Default: example.com #Put your own domain name here
  HostedZoneId:
    Description: "hosted zone id in which CNAME record for the validation needs to be added"
    Type: String
    Default: XYZABCDERYH #Put the hosted zone id in which CNAME record for the validation needs to be added

Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
      ValidationMethod: 'DNS'
Outputs:
  CertificateArn:
    Value: !Ref Certificate
  

If you create a CloudFormation stack using above code snippet, your ready to use certificate is there for you and you can verify the same by going to ACM service.

Please note that usually !Ref ResourceName gives the physical ID of the resource or the value of the parameter.

However in case of ACM cert it gives us CertificateArn.

Note: If you use email validation, or if the domain is not hosted in Route 53, then the stack will remain in the CREATE_IN_PROGRESS state until you validate the certificate request.

You can do so either by acting upon the instructions in the validation email, or by adding a CNAME record to your DNS configuration. 

Conclusion:

In this quick article we learnt a bit about AWS Certificate manager. We also learnt the automation of ACM certificate issuance using CloudFormation

I hope you liked my post.

You can motivate me and help me get better by –

  • Adding a comment on this post on what you liked and what can be improved.
  • Follow Cloudkatha on –
  • Subscribe to our newsletter to get notified each time we post new content.
  • Share this post with your friends and colleagues

Please please share your feedback and help us get better with time 🙂

Also Read:

Sharing is Caring:

5 thoughts on “How to Automate Provisioning of ACM Certificate using CloudFormation

Leave a Reply

Your email address will not be published. Required fields are marked *