How to Fix ACM Certificate Creation Failures in CloudFormation?

Asked By CraftyPineapple42 On

I'm trying to automate the creation of an ACM certificate for my domain in CloudFormation as part of my static site stack. This is a nested stack in the us-east-1 region since the certificate will be used for CloudFront. Here's what I've set up: I'm using DNS validation for an ACM certificate that includes a wildcard SAN for my domain. I've checked that the hosted zone is public, only one hosted zone exists for my domain, and the NS records match what my domain registrar uses. I've also confirmed there's no existing CNAME record in Route 53. Despite all this, every deployment fails with the error stating that the ACM certificate was not successfully created, and it seems like CloudFormation is attempting to create a validation record that Route 53 rejects for some unknown reason. Any insights on how to resolve this?

1 Answer

Answered By TechGuru88 On

From a quick look, your template seems fine. One thing you should check is the IAM permissions for the role used by CloudFormation. It needs write access to your hosted zone among other permissions. Also, have you tested if your hosted zone is working correctly? Try adding a dummy record and see if you can resolve it from a public network. If you're still having issues, take a look at the logs in CloudTrail to identify where the failure might be happening.

CuriousCoder99 -

So just to clarify, does CloudFormation really need IAM permissions even if I can create a certificate through the dashboard? In that case, my hosted zone works fine when I set everything up manually, but the IaC method is giving me errors.
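For reference, this is an added example (not the asker's template or the answerer's code) of the resource shape that lets CloudFormation write the validation CNAME itself, plus the Route 53 permission statement the deploying role needs for that write; `example.com`, the `HostedZoneId` parameter and the policy name are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ACM certificate with Route 53 DNS validation (deploy in us-east-1 for CloudFront)

Parameters:
  DomainName:
    Type: String
    Default: example.com          # assumed domain, replace with yours
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id   # the single public zone for the domain

Resources:
  SiteCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      SubjectAlternativeNames:
        - !Sub "*.${DomainName}"
      ValidationMethod: DNS
      # One entry per name. Giving HostedZoneId here makes CloudFormation
      # create the validation CNAME itself; without it the stack waits for
      # a record you add by hand and times out.
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
        - DomainName: !Sub "*.${DomainName}"
          HostedZoneId: !Ref HostedZoneId

  # Permission the role that runs the stack must already hold (assumed
  # policy name). Scoped to the one zone so the deploy role cannot write
  # records anywhere else.
  CfnRoute53ValidationPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: route53:ChangeResourceRecordSets
            Resource: !Sub "arn:aws:route53:::hostedzone/${HostedZoneId}"
          - Effect: Allow
            Action: route53:GetChange
            Resource: "*"

Outputs:
  CertificateArn:
    Value: !Ref SiteCertificate
```

If the role lacks `route53:ChangeResourceRecordSets` on that zone ARN, the failed write shows up in CloudTrail as an `AccessDenied` on `ChangeResourceRecordSets`, which is the event to look for first.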
