Auto-Renewable Certificates for AI Application Domains on ACM

Question

Pulumi · Accepted Answer

To set up auto-renewable certificates for your AI application domains using AWS Certificate Manager (ACM), you'll need to request a certificate and then validate that you own or control the domains listed in the certificate request. When you request a certificate, ACM tries to renew the certificate before it expires, as long as the certificate is in use and your domain validation records remain in place.

Below is a Pulumi program in Python that demonstrates how to create an auto-renewable certificate with AWS Certificate Manager (ACM). This program will:

1. Create an ACM certificate for your domain.
2. Set up DNS validation for the certificate. This example assumes you are using a Route53 hosted zone for DNS.
3. Automatically validate the certificate by creating the necessary DNS records in your Route53 hosted zone.

Please replace `"my-app.com"` and `"www.my-app.com"` with your domain and subdomain, and `HOSTED_ZONE_ID` with your actual Route53 hosted zone ID. The comments in the code will guide you through the process.

```python
import pulumi
import pulumi_aws as aws

# Replace these with your domain name and hosted zone ID
domain_name = "my-app.com"
subdomain_name = "www.my-app.com"
hosted_zone_id = "HOSTED_ZONE_ID"

# Request a certificate for your domain
cert = aws.acm.Certificate("myDomainCert",
                           domain_name=domain_name,
                           validation_method="DNS",
                           subject_alternative_names=[subdomain_name],
                           tags={
                               "Name": "myDomainCert"
                           })

# Get the Route53 Hosted Zone by the given zone ID
hosted_zone = pulumi.Output.all(hosted_zone_id).apply(lambda args: aws.route53.get_zone(id=args[0]))

# Create the necessary DNS records to validate our domain and thus prove to ACM that we own the domain
def create_dns_record(args):
    domain, validation_record = args
    return aws.route53.Record(f"{domain}_validation",
                              name=validation_record.domain_name,
                              type=validation_record.record_type,
                              zone_id=hosted_zone.id,
                              records=[validation_record.record_value],
                              ttl=60)

# Loop over each challenge DNS record provided by the ACM certificate and create corresponding DNS records in Route53
validation_records = pulumi.Output.all( cert.domain_validation_options.apply(lambda o: o[0])).apply(create_dns_record)

# Wait for the ACM certificate to be validated upon DNS record propagation
certificate_validation = aws.acm.CertificateValidation("certValidation",
                                                       certificate_arn=cert.arn,
                                                       validation_record_fqdns=validation_records.apply(lambda records: [record.fqdn]))

# Finally, export the ARN of the validated certificate, which you can then use to set up resources like HTTPS listeners or CloudFront distributions
pulumi.export("certificate_arn", certificate_validation.certificate_arn)
```

This program defines three fundamental resources:

- **ACM Certificate**: This initiates the certificate request for your domain with ACM and specifies DNS validation.
- **DNS Validation Records**: To automate domain validation, DNS records are created in Route53 based on the details provided by ACM. This proves you control the domain.
- **Certificate Validation**: This resource is