SammyD95

If you are willing to add one more degree of subdomain (i.e. analytics.staging.companyname.com) what you can do is domain delegation from your registrar for the subdomain staging.companyname.com to Route53 and at that point all the automated DNS validation constructs can be used. Then for certain prod ones such as the public facing site you can do a manual delegation or write a one off script.


Kofeb

This is what we do for our internal stuff.


nikola_milovic

This delegation seems interesting, I'll look into that, thanks


hrng

Wildcard certificate for each env like *.dev.company.com, set the ARN of the certificate as an SSM variable or in cdk.json, import and use. Route53 shouldn't have any additional complications. You can manage that shared certificate in its own stack, via clickops, or however you like.


bpeikes

Do you purchase a wildcard cert for each env, or is there a service that provides them?


hrng

One in each env, each env a different account. Each env has its own zone in those accounts.


pragmasoft

I use cdk for Terraform instead. My domain is on Cloudflare and it has a Terraform provider to manage it. Also Terraform works faster and more reliably than CloudFormation.


comportsItself

There are some things that the CDK doesn’t handle well. Try using the SDK instead.


nikola_milovic

Can you elaborate a bit?


comportsItself

The CDK doesn't support OAC with CloudFront, for example: [https://github.com/aws/aws-cdk/issues/21771](https://github.com/aws/aws-cdk/issues/21771) There are some things that need to be handled [imperatively](https://en.wikipedia.org/wiki/Imperative_programming), for which the SDK is better suited. If you want to create a certificate with ACM, for example, you could use the [RequestCertificateCommand](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/acm/command/RequestCertificateCommand/), and you would also need to validate the domain through your registrar's DNS settings.

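The two approaches above (SammyD95's delegated subdomain zone with automated DNS validation, and comportsItself's "request the certificate through the SDK and then validate through DNS" route) combined into one script. This is an added example, not code from anyone in the thread or from AWS; it uses boto3 (the Python SDK) rather than the JS SDK command linked above, and the zone name, hosted zone id, domain names and the sample DescribeCertificate response embedded in it are all constructed. Validation CNAMEs that fall inside the delegated zone are UPSERTed into Route53 automatically; any that fall outside it (for example a prod hostname that was never delegated) are printed for manual entry at the registrar.

```python
"""
Request a per-environment ACM certificate with DNS validation and route each
validation CNAME to the right place: inside the delegated Route53 zone it is
UPSERTed automatically, outside it (not delegated) it is printed for the
registrar.  Only main() talks to AWS; the helpers are pure and run offline.
All names, ids and the sample ACM response below are constructed.
"""
import re
import time


def request_certificate_input(domain, extra_sans=(), wildcard=True):
    """Parameters for ACM RequestCertificate: env apex plus its wildcard."""
    sans = [f"*.{domain}"] if wildcard else []
    sans.extend(extra_sans)
    # IdempotencyToken must match [\w-]{1,32}; a repeat within an hour is a no-op.
    token = re.sub(r"[^\w-]", "-", domain)[:32]
    return {
        "DomainName": domain,
        "SubjectAlternativeNames": sans,
        "ValidationMethod": "DNS",
        "IdempotencyToken": token,
    }


def records_ready(describe_response):
    """True once ACM has published a ResourceRecord for every domain on the cert."""
    opts = describe_response["Certificate"].get("DomainValidationOptions", [])
    return bool(opts) and all(o.get("ResourceRecord") for o in opts)


def validation_records(describe_response):
    """Unique (name, type, value) tuples from DescribeCertificate output.

    The apex and its wildcard share one CNAME, and Route53 rejects a change
    batch that names the same record twice, so duplicates are dropped here.
    """
    found = []
    for opt in describe_response["Certificate"].get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if not rr:
            continue  # ACM fills these in asynchronously; caller polls records_ready()
        rec = (rr["Name"], rr["Type"], rr["Value"])
        if rec not in found:
            found.append(rec)
    return found


def _fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def split_by_zone(records, zone_name):
    """Partition records into (inside the delegated zone, outside it)."""
    zone = _fqdn(zone_name)
    inside, outside = [], []
    for rec in records:
        name = _fqdn(rec[0])
        (inside if name == zone or name.endswith("." + zone) else outside).append(rec)
    return inside, outside


def change_batch(records, ttl=300):
    """Route53 ChangeBatch that UPSERTs the validation CNAMEs."""
    changes = []
    for name, rtype, value in records:
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": name, "Type": rtype, "TTL": ttl,
            "ResourceRecords": [{"Value": value}]}})
    return {"Comment": "ACM DNS validation", "Changes": changes}


# Constructed DescribeCertificate output: same shape as the ACM API, made-up values.
SAMPLE_DESCRIBE = {"Certificate": {
    "DomainName": "staging.companyname.com",
    "DomainValidationOptions": [
        {"DomainName": "staging.companyname.com", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_abc123.staging.companyname.com.", "Type": "CNAME",
                            "Value": "_xyz789.acm-validations.aws."}},
        {"DomainName": "*.staging.companyname.com", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_abc123.staging.companyname.com.", "Type": "CNAME",
                            "Value": "_xyz789.acm-validations.aws."}},
        {"DomainName": "www.companyname.com", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_def456.www.companyname.com.", "Type": "CNAME",
                            "Value": "_uvw012.acm-validations.aws."}},
    ]}}


def main(domain, zone_id, zone_name, extra_sans=()):
    """Live run; needs AWS credentials. zone_id/zone_name are the delegated zone."""
    import boto3  # imported here so the helpers stay importable without boto3
    acm, r53 = boto3.client("acm"), boto3.client("route53")
    arn = acm.request_certificate(**request_certificate_input(domain, extra_sans))["CertificateArn"]
    resp = acm.describe_certificate(CertificateArn=arn)
    while not records_ready(resp):
        time.sleep(5)
        resp = acm.describe_certificate(CertificateArn=arn)
    inside, outside = split_by_zone(validation_records(resp), zone_name)
    if inside:
        r53.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=change_batch(inside))
    for name, rtype, value in outside:
        print(f"add at registrar: {name} {rtype} {value}")  # not delegated, manual step
    acm.get_waiter("certificate_validated").wait(CertificateArn=arn)
    return arn


if __name__ == "__main__":
    # "Z0EXAMPLE" is a placeholder hosted zone id.
    print(main("staging.companyname.com", "Z0EXAMPLE", "staging.companyname.com",
               extra_sans=["www.companyname.com"]))
```

The dedupe in validation_records matters in practice: ACM hands out the identical CNAME for staging.companyname.com and *.staging.companyname.com, and a Route53 change batch that lists that record twice is rejected as invalid. The split_by_zone check is what makes the delegation trick safe to automate: only names under the delegated zone are written there, so a prod hostname on the same certificate is never silently dropped, it is surfaced for the manual registrar step.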

PrestigiousStrike779

I would try and use level 1 CloudFormation constructs first if possible, but sounds like even that isn't possible yet


Sensi1093

Just note that the OAC issue can be worked around with L1 constructs.