
aws_certificatemanager: new Certificate fails in eu-central-1 #27743

Closed
globus243 opened this issue Oct 29, 2023 · 7 comments
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@globus243

Describe the bug

I am deploying a static website hosted in S3 with a CloudFront Distribution, here is the relevant part:

const distribution = new Distribution( this, 'Distribution', {
    defaultBehavior: {
        origin: new S3Origin( siteBucket, {
            originAccessIdentity: pageOai,
        } ),
        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
        allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
        compress: true,
        functionAssociations: [ {
            eventType: cloudfront.FunctionEventType.VIEWER_REQUEST,
            function: new cloudfront.Function( this, 'redirectToIndex', {
                code: cloudfront.FunctionCode.fromInline( `
                    function handler(event) {
                        var request = event.request;
                        if (request.uri !== "/" && (request.uri.endsWith("/") || request.uri.lastIndexOf(".") < request.uri.lastIndexOf("/"))) {
                            if (request.uri.endsWith("/")) {
                                request.uri = request.uri.concat("index.html");
                            } else {
                                request.uri = request.uri.concat("/index.html");
                            }
                        }
                        return request;
                    }
                ` ),
            } ),
        } ]
    },
    defaultRootObject: "index.html",
    errorResponses: [ {
        httpStatus: 404,
        responseHttpStatus: 404,
        responsePagePath: "/index.html",
        ttl: cdk.Duration.seconds( 0 ),
    } ],
    domainNames: [ siteDomain, "www." + siteDomain ],
    certificate: new aws_certificatemanager.Certificate( this, 'Certificate', {
        domainName: siteDomain,
        subjectAlternativeNames: [ "www." + siteDomain ],
        validation: aws_certificatemanager.CertificateValidation.fromDns( hostedZone ),
    } )
} )

the deployment into eu-central-1 fails with the following log messages in CloudFormation
[image: CloudFormation log messages]

When I replace the certificate part with the deprecated DnsValidatedCertificate:

            certificate: new aws_certificatemanager.DnsValidatedCertificate( this, 'Certificate', {
                domainName: siteDomain,
                hostedZone: hostedZone,
                subjectAlternativeNames: [ "www." + siteDomain ],
                region: 'us-east-1', // Cloudfront only checks this region for certificates.
            } )

it deploys without problems.

I have not tried to deploy this exact stack into other regions.

Expected Behavior

It should create the certificate using my Hosted Zone and create the distribution without problem.

Current Behavior

Deployment fails because of what looks like an issue when creating the cert; see log: "Content of DNS Record is: null".

Reproduction Steps

Create a stack with the above distribution and make sure it's deployed to eu-central-1

npm run build
cdk synth
cdk deploy

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.103.1 (build 3bb19ac)

Framework Version

2.103.1 (build 3bb19ac)

Node.js Version

18

OS

Windows

Language

TypeScript

Language Version

TypeScript (5.2.2)

Other information

No response

@globus243 globus243 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 29, 2023
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Oct 29, 2023
@pahud
Contributor

pahud commented Oct 31, 2023

When you run this in eu-central-1, I think the certificate still has to be in us-east-1.

If not, I guess you will need to first create that in a separate stack in us-east-1 and export the ARN for this stack to import.

certificate: new aws_certificatemanager.Certificate( this, 'Certificate', {
    domainName: siteDomain,
    subjectAlternativeNames: [ "www." + siteDomain ],
    validation: aws_certificatemanager.CertificateValidation.fromDns( hostedZone ),
} )

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 31, 2023
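
A pre-deploy check for the constraint discussed in this thread (CloudFront takes its ACM certificate from us-east-1), as an added example that is not part of the issue or of aws-cdk: it scans a synthesized CloudFormation template for distributions whose certificate would be created in the deploy region. The function names, logical IDs and sample template are constructed for illustration.

```typescript
// Added example (not aws-cdk code): flag CloudFront distributions whose ACM
// certificate will not live in us-east-1, by inspecting a synthesized template.
type Json = { [key: string]: unknown };
interface Finding { distribution: string; reason: string }
const CLOUDFRONT_CERT_REGION = "us-east-1";

function asObject(v: unknown): Json | undefined {
  return typeof v === "object" && v !== null && !Array.isArray(v) ? (v as Json) : undefined;
}

function checkViewerCertificates(template: Json, deployRegion: string): Finding[] {
  const resources = asObject(template["Resources"]) ?? {};
  const findings: Finding[] = [];
  for (const [id, raw] of Object.entries(resources)) {
    const res = asObject(raw);
    if (!res || res["Type"] !== "AWS::CloudFront::Distribution") continue;
    const config = asObject(asObject(res["Properties"])?.["DistributionConfig"]);
    const arn = asObject(config?.["ViewerCertificate"])?.["AcmCertificateArn"];
    if (typeof arn === "string") {
      // Literal ARN: arn:<partition>:acm:<region>:<account>:certificate/<id>
      const region = arn.split(":")[3] ?? "";
      if (region !== CLOUDFRONT_CERT_REGION) {
        findings.push({ distribution: id, reason: `certificate ARN is in "${region}"` });
      }
      continue;
    }
    // { Ref: logicalId } pointing at a certificate created by this same stack
    const ref = asObject(arn)?.["Ref"];
    if (typeof ref !== "string") continue; // no custom cert, or a cross-stack reference
    const target = asObject(resources[ref]);
    if (target?.["Type"] === "AWS::CertificateManager::Certificate" &&
        deployRegion !== CLOUDFRONT_CERT_REGION) {
      findings.push({ distribution: id, reason: `${ref} is created in ${deployRegion}` });
    }
  }
  return findings;
}

// Constructed sample: the shape the issue's stack synthesizes to (logical IDs are made up).
const sampleTemplate: Json = {
  Resources: {
    Certificate4E7ABB08: { Type: "AWS::CertificateManager::Certificate", Properties: {} },
    DistributionABC123: {
      Type: "AWS::CloudFront::Distribution",
      Properties: { DistributionConfig: {
        ViewerCertificate: { AcmCertificateArn: { Ref: "Certificate4E7ABB08" } } } },
    },
  },
};
console.log(checkViewerCertificates(sampleTemplate, "eu-central-1"));
```

Run it against the template JSON that `cdk synth` writes under `cdk.out/` before `cdk deploy`; an empty result means no distribution references a certificate outside us-east-1 in a form this check recognizes.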
@globus243
Author

> you will need to first create that in a separate stack in us-east-1 and export the ARN for this stack to import

That's what seems to be the solution for this.
Though that does not sound like a customer-obsessed solution for me: Replacing a working, (for customers) region-agnostic Construct with something that a) requires additional knowledge which is currently not well documented and b) makes deployment of a simple single-page, or static-page application a multi-stack and multi-region endeavour.

@globus243 globus243 reopened this Oct 31, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@globus243
Author

sorry, accidentally closed the issue. Problem still persists.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 31, 2023
@gshpychka
Contributor

See #25343

@globus243
Author

All right, thanks! Since this is clearly not a bug, but desired behavior, I will close this issue.
