https://serverless-stack.com/ logo
Join Slack
Powered by
Looks like SST/CDK is creating a bunch of CName re...
# sst
a
Looks like SST/CDK is creating a bunch of CName records on Route 53 for stage-subdomains, like, for each PR or developers’ stage. Is there a way to clean this from CDK/SST?
t
Those are created to verify the domain ownership for generating an SSL cert. I'm surprised it doesn't get deleted when the stack is deleted 😦
a
Yeah.
Are yours cleaned?
t
I'm not using custom domains anywhere but staging or prod but let me test this out
a
Ok cool, thank you for checking.
These cnames should be created and used only once right? once is verified, is never used again?
Once the custom domain is created I mean, no need to verify anything.
b
yeah, r53 verification records don’t really get cleaned up in my experience, my primary zone is just flooded with them. More recently I started created sub-domain zones, so at least it’s segregated and easier to audit by hand.
so like 
<http://mycompany.com|mycompany.com>
<http://us-east-1.mycompany.com|us-east-1.mycompany.com>
or 
<http://team-name.mycompany.com|team-name.mycompany.com>
a
Interesting.
b
(create a new zone with desired sub-domain, and then copy the NS record from sub-domain zone - and create a NS record in primary domain zone pointing to those name servers)
a
I have one zone for each “environment”, which is also a different account, so not much worry… but still I hate having all that crap.
b
yeah exactly, I don’t have a way to easily get rid of crap, but at least isolating makes me feel better lol
a
Yeah, is weird thought.
If this is intentional or just a bug.
b
I think that a) verification records can be re-used (so after deleting cert, and if it comes back, verification re-uses)
b) no idea if you can delete after it’s verified (I imagine yes, but haven’t tested)
a
Hum yeah, wish we can configure a policy somewhere.
b
given AWS CLI/SDK capabilities - I imagine you could programmatically clear out these records, they are pretty easily identified (which was my thought if I really wanted to clear them out)
a
Yeah, but I’m using high level constructs from SST, so not that easy, haha.
Well maybe I can do a cleanup function or something.
b
the newly offered Script construct would be good for this sort of thing
aws-sdk
inside, reads your zone, parses records, filters for verifications, and clears out what you want.
a
Interesting.
b
the Script construct might be the most underrated part of SST - it’s a very common issue/limitation of Cloudformation (as compared to Terraform). Cloudformation doesn’t easily let you interrogate deployed resources (let alone interact with them, like creating MySQL users/tables)
t
^ I'm realizing this too
can rig up all non-aws services with it
a
I didn’t realize this yet, but going to check it 😂 .
@Frank do you have any comment on this?
f
Hmm yeah… might be doable i think. If we can get the DNS validation record name, set that as 
Params
to the 
Script
construct, and clean it up 
onRemove
. 😁
a
Yeah maybe that’s the way.
f
a
I mean, I was expecting to be removed automatically.
😮
😮 😮 😮
2019 🤦‍♂️
Open in Slack
PreviousNext
Powered by