[aws-certificatemanager] Create certificate in us-east-1 and use it in a different region

[dbartholomae]

❓ General Issue

The Question

I'm currently setting up AWS Cognito with a custom domain via AWS CDK. Our stack lives in eu-central-1, but as I understand the certificate for the custom domain has to live in us-east-1. How can I share the certificate to the AWS Cognito setup?

Environment

• CDK CLI Version: 1.54.0
• Module Version: 1.54.0
• Node.js Version: v12.16.0
• OS: Windows 10
• Language (Version): TypeScript (3.9.7)

Other information

There's a discussion around this already which indicates there might not be a solution to this?

[njlynch]

Hi @dbartholomae,

You generally have two different options for using a certificate cross-region.

1. Create a dedicated stack for the certificate in us-east-1, and import the certificate in your Cognito stack (in eu-central-1).

2. Use the DnsValidatedCertificate construct in your Cognito stack, which is a custom resource that can request a certificate cross-region.

Let me know if that helps!

[dbartholomae]

Thanks for the answer! It is good to know that DnsValidatedCertificate is able to request cross-region. Unfortunately the domain in question is not managed by Route53.
For 1: How would I do this import in CDK, given that both stacks are defined in CDK? Do I need to change the CI setup to run multiple times for multiple stacks and somehow pass around the result from one call to the other?

[njlynch]

If you already have a Certificate created and defined, you can skip the second stack and just import it directly in your Cognito stack.

const certificate = acm.Certificate.fromCertificateArn(this, 'MyImportedCert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123...');

If you are creating the certificate in one stack (and validating via email or manually with another DNS provider), then you can pass a reference from one stack to another. Something like this:

class MyCertStack extends cdk.Stack {
  public readonly certificate: acm.Certificate;

  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    certificate = new acm.Certificate(...);
  }
}

interface MyCognitoStackProps extends cdk.StackProps {
  certificate: acm.Certificate;
}

class MyCognitoStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props: MyCognitoStackProps) {
    const certificate = props.certificate;
    // Define your Cognito pool here, using the above certificate
  }
}

const certStack = new MyCertificateStack(app, 'MyCerts');
new MyCognitoStack(app, 'MyCognito', { certificate: certStack.certificate });

[dbartholomae]

I'm trying the second solution, but so far I always get a cross-stack reference error because the certificate is in us-east-1, but the other stack in eu-central-1.

[njlynch]

Ah, that's correct. Sorry for the misinformation earlier.

Unfortunately, we currently only support cross-environment (region/account) references in instances where we can assign the physical names to the resources; in cases like certificates, where there is only the ARN, we don't currently have a solution.

See #8232 (comment) for one work-around suggestion of creating a custom resource to do the heavy lifting for you. It looks like there are various community-owned solutions to this; I found https://www.npmjs.com/package/@henrist/cdk-cross-region-params as one example. I haven't tested this and can't support it, but it looks like it could be used to pass the certificate ARN cross-stack. YMMV. :)

[dbartholomae]

Thanks! Using SSM is actually quite a smart solution. I'll look deeper into it.

[robertofd1995]

Did aws cdk added officially support for this? I am also struggling with the same problem.