W/ CDK, how to maintain Route53 alias up-to-date when the AWS-managed CloudFront distribution for a Cognito custom domain changes?


A few weeks ago, I updated my CDK stack to access Cognito via a custom URL (details in https://repost.aws/questions/QUe6Vdvu1HRtWhPgGwOx69SQ).

Last week, after a deployment, the alias https://auth.develop.mogaland.io stopped responding, and it was only after a visit to the AWS console that I noticed the AWS-managed CloudFront distribution had changed! I manually updated the Route53 record for the alias to point to the new distribution.

Once the domain is added, I can only get the cloudFrontDomainName from the result of the userPool.addDomain() function. The cloudFrontDistributionId is not available... And w/o that distribution identifier, I can't expect to later create A and AAAA alias records to adjust the custom domain with the updated distribution...

import { Certificate } from 'aws-cdk-lib/aws-certificatemanager';
import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
import { ARecord, AaaaRecord, HostedZone, RecordTarget } from 'aws-cdk-lib/aws-route53';
import { CloudFrontTarget } from 'aws-cdk-lib/aws-route53-targets';

// Add the custom domain to the user pool
const certificate = Certificate.fromCertificateArn(this, 'domainCert', props.acmCertificateARN);
const userPoolDomain = this.userPool.addDomain('Custom Domain', {
    customDomain: {
        domainName: `auth.${props.stageName}.mogaland.io`,
        certificate,
    },
});

// Get the reference of AWS-managed CloudFront distribution
const awsManagedDistribution = Distribution.fromDistributionAttributes(this, 'AWS Managed Distribution', {
    domainName: userPoolDomain.cloudFrontDomainName,
    // distributionId: ???, // <= w/o the distributionId, I can't later update the alias records
});

// Get the Route53 hosted zone
const hostedZone = HostedZone.fromHostedZoneAttributes(this, 'Hosted Zone', {
    hostedZoneId: props.hostedZoneId, // some value like 'Z' plus 20 characters
    zoneName: `${props.stageName}.mogaland.io`,
});

// Update the A and AAAA records (update b/c of deletion before creation)
new ARecord(this, 'aliasRecord', {
    zone: hostedZone,
    recordName: 'auth',
    deleteExisting: true,
    target: RecordTarget.fromAlias(new CloudFrontTarget(awsManagedDistribution)),
});
new AaaaRecord(this, 'aaaAliasRecord', {
    zone: hostedZone,
    recordName: 'auth',
    deleteExisting: true,
    target: RecordTarget.fromAlias(new CloudFrontTarget(awsManagedDistribution)),
});

Maybe there's another way to get the reference of the AWS-managed CloudFront distribution?

1 Answer

There is a special class UserPoolDomainTarget[1] for creating Route53 alias records for Cognito User Pool domains. Try updating your targets for the Route53 alias records to use that class rather than CloudFrontTarget. As an example, an updated version of the last two resources could look like the following:

import { UserPoolDomainTarget } from 'aws-cdk-lib/aws-route53-targets';

// Update the A and AAAA records (update b/c of deletion before creation)
// UserPoolDomainTarget resolves the alias from the user pool domain itself,
// so no CloudFront distribution id is needed
new ARecord(this, 'aliasRecord', {
    zone: hostedZone,
    recordName: 'auth',
    deleteExisting: true,
    target: RecordTarget.fromAlias(new UserPoolDomainTarget(userPoolDomain)),
});
new AaaaRecord(this, 'aaaAliasRecord', {
    zone: hostedZone,
    recordName: 'auth',
    deleteExisting: true,
    target: RecordTarget.fromAlias(new UserPoolDomainTarget(userPoolDomain)),
});

[1] https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_route53_targets.UserPoolDomainTarget.html

AWS
answered a month ago
EXPERT
reviewed a month ago
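As an added post-deployment drift check (not code from this thread or from the CDK project), the script below compares the CloudFront endpoint that Cognito currently reports for the custom domain with the target of the Route53 alias record, so a stale alias is caught by the pipeline rather than by users. It assumes a configured AWS CLI; the hosted zone id and domain are placeholders, and `aws` itself is only invoked by `check_live`.

```shell
#!/usr/bin/env sh
# Normalise a DNS name for comparison: lowercase, drop the trailing dot that
# Route53 appends to alias targets, and treat the CLI's "None" as empty.
normalize_dns() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed -e 's/\.$//' -e 's/^none$//'
}

# Returns 0 when both names denote the same CloudFront endpoint,
# 1 when they differ (stale alias) or either value is empty (missing record).
alias_matches() {
  want=$(normalize_dns "$1")
  have=$(normalize_dns "$2")
  [ -n "$want" ] && [ -n "$have" ] && [ "$want" = "$have" ]
}

# Live comparison for one record type (A or AAAA) of the custom domain.
# Example: check_live auth.develop.mogaland.io Z_PLACEHOLDER_ZONE_ID AAAA
check_live() {
  domain="$1"; zone_id="$2"; rtype="${3:-A}"
  # The endpoint Cognito has assigned right now (dxxxx.cloudfront.net)
  cognito_cf=$(aws cognito-idp describe-user-pool-domain --domain "$domain" \
    --query 'DomainDescription.CloudFrontDistribution' --output text)
  # The endpoint the alias record in Route53 still points at
  alias_cf=$(aws route53 list-resource-record-sets --hosted-zone-id "$zone_id" \
    --query "ResourceRecordSets[?Name=='${domain}.' && Type=='${rtype}'].AliasTarget.DNSName" \
    --output text)
  if alias_matches "$cognito_cf" "$alias_cf"; then
    echo "OK: $rtype alias for $domain -> $alias_cf"
  else
    echo "DRIFT: Cognito reports '$cognito_cf' but the Route53 $rtype alias has '$alias_cf'" >&2
    return 1
  fi
}
```

Run `check_live` for both A and AAAA after each `cdk deploy`; a non-zero exit means the alias must be re-pointed.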
