minimum timeout for validating dnsvalidatedcertificates. #3912

Closed
2 tasks
elhedran opened this issue Sep 3, 2019 · 3 comments · Fixed by #3914
Assignees
Labels
@aws-cdk/core Related to core CDK functionality feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged.

Comments

@elhedran
Contributor

elhedran commented Sep 3, 2019

🚀 Feature Request

General Information

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

Description

I'm finding that my DNS validated certificates are passing validation, about 20 seconds after the CDK code gives up on its sixth attempt.

```js
let record;
const maxAttempts = 6;
for (let attempt = 0; attempt < maxAttempts - 1 && !record; attempt++) {
  const { Certificate } = await acm.describeCertificate({
    CertificateArn: reqCertResponse.CertificateArn
  }).promise();
  const options = Certificate.DomainValidationOptions || [];

  if (options.length > 0 && options[0].ResourceRecord) {
    record = options[0].ResourceRecord;
  } else {
    // Exponential backoff with jitter based on 200ms base
    await sleep(Math.random() * (Math.pow(2, attempt) * 200));
  }
}
```

Basically I see this in my console:

```
8/10 | 3:36:35 PM | CREATE_FAILED | AWS::CloudFormation::CustomResource | mapCertificate/CertificateRequestorResource/Default (mapCertificateCertificateRequestorResource0BCE5E02) Failed to create resource. Response from describeCertificate did not contain DomainValidationOptions after 6 attempts.
```

and a bit later see the cert validate in the aws console.

Proposed Solution

If I could just add a property to the DNS validator asking it to be a little more patient (maybe my AWS region is just slower?), that would solve the issue. If my math is correct, the max total wait is only 12.6 seconds. 30 seconds seems average for me in the console for my region.

Even being able to adjust attempts would help.

Environment

  • CDK CLI Version: 1.6.1
  • Module Version: 1.6.1
  • OS: Windows 10
  • Language: TypeScript
@elhedran elhedran added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 3, 2019
@hoegertn
Contributor

hoegertn commented Sep 3, 2019

I had this issue too, but it seems I forgot to create a PR. I would just increase the maxAttempts.

@elhedran
Contributor Author

elhedran commented Sep 3, 2019

same thing in terraform (for timeout comparison)

```
aws_acm_certificate.cert: Creating...
aws_acm_certificate.cert: Creation complete after 7s [id=arn:aws:acm:ap-southeast-2:107883196108:certificate/a28d773d-aee8-48ac-9c35-5a5e8c9e3850]
aws_route53_record.cert_validation: Creating...
aws_route53_record.cert_validation: Still creating... [10s elapsed]
aws_route53_record.cert_validation: Still creating... [20s elapsed]
aws_route53_record.cert_validation: Still creating... [30s elapsed]
aws_route53_record.cert_validation: Creation complete after 36s [id=Z1IQ4278V5FG38__4cea5d104fd9ebe46379b94991121dca.iantest.dev.authz.fugro.com._CNAME]
aws_acm_certificate_validation.cert: Creating...
aws_acm_certificate_validation.cert: Still creating... [10s elapsed]
aws_acm_certificate_validation.cert: Still creating... [20s elapsed]
aws_acm_certificate_validation.cert: Still creating... [30s elapsed]
aws_acm_certificate_validation.cert: Still creating... [40s elapsed]
aws_acm_certificate_validation.cert: Still creating... [50s elapsed]
aws_acm_certificate_validation.cert: Still creating... [1m0s elapsed]
aws_acm_certificate_validation.cert: Still creating... [1m10s elapsed]
aws_acm_certificate_validation.cert: Creation complete after 1m19s [id=2019-09-03 06:40:49 +0000 UTC]
```

@elhedran
Contributor Author

elhedran commented Sep 3, 2019

> I had this issue too, but it seems I forgot to create a PR. I would just increase the maxAttempts.

It really shouldn't be maxAttempts though. If I know it often takes over a minute, I need to ask it to always wait at least that long; otherwise, if the random() doesn't go in my favor, deployments will randomly fail when they really shouldn't.

@elhedran elhedran changed the title set timeout for validating dnsvalidatedcertificates. minimum timeout for validating dnsvalidatedcertificates. Sep 3, 2019
@SomayaB SomayaB added the @aws-cdk/core Related to core CDK functionality label Sep 3, 2019
@mergify mergify bot closed this as completed in #3914 Sep 6, 2019
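
The minimum-wait behaviour asked for in the last comment, as an added example (not code from the CDK or from #3914): the loop stops on elapsed time instead of attempt count, so unlucky jitter cannot shorten the total wait. `pollUntilDeadline`, `worstCaseWaitMs` and the option names are hypothetical, and the jitter is the "equal jitter" variant, swapped in for the full jitter of the quoted loop.

```javascript
// Added example; pollUntilDeadline and worstCaseWaitMs are hypothetical names.
const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Ceiling on total sleep for a loop whose n-th sleep is random() * 2^n * baseMs.
// 6 sleeps -> 12600 ms (the figure in the issue); the quoted loop condition
// `attempt < maxAttempts - 1` permits at most 5 sleeps -> 6200 ms.
function worstCaseWaitMs(sleeps, baseMs = 200) {
  return baseMs * (2 ** sleeps - 1);
}

// Poll `probe` until it returns something other than undefined, or until
// `deadlineMs` of wall-clock time has passed. The clock, sleep and random
// sources are injectable so the timing can be tested without real delays.
async function pollUntilDeadline(probe, options) {
  const {
    deadlineMs,
    baseMs = 200,
    capMs = 5000,
    now = Date.now,
    sleep = defaultSleep,
    random = Math.random,
  } = options;
  const start = now();
  for (let attempt = 0; ; attempt++) {
    const result = await probe(attempt);
    if (result !== undefined) {
      return { result, attempts: attempt + 1, waitedMs: now() - start };
    }
    const remaining = deadlineMs - (now() - start);
    if (remaining <= 0) {
      throw new Error(`no result after ${attempt + 1} attempts in ${deadlineMs} ms`);
    }
    // Equal jitter: half the capped backoff is fixed, half is random, so a
    // run of low random() values cannot turn the loop into a tight spin.
    const backoff = Math.min(capMs, baseMs * 2 ** attempt);
    const delay = (backoff / 2) * (1 + random());
    // Never sleep past the deadline; the final probe lands exactly on it.
    await sleep(Math.min(remaining, delay));
  }
}
```

In a Lambda-backed custom resource, `deadlineMs` has to fit inside the function's own timeout, or the invocation is cut off before the loop can report its failure.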