Merge pull request #912 from RenovoSolutions/DEVOPS-1860

feat: add support for configuring key type (RSA vs ECDSA).
RenovoSolutions · Sep 18, 2024 · 1ee9d5d · 1ee9d5d
2 parents 15c6a28 + 05bf6bf
commit 1ee9d5d
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 2 deletions.
diff --git a/API.md b/API.md
diff --git a/function/src/index.py b/function/src/index.py
@@ -89,14 +89,15 @@ def read_and_delete_file(path, filename, storage_method):
   else:
     print(f'WARN: Dry run was used so {filename} was not generated.')
 
-def provision_cert(email, domains, storage_method):
+def provision_cert(email, domains, storage_method, keytype):
   cerbot_args = [
     'certonly',                             # Obtain a cert but don't install it
     '-n',                                   # Run in non-interactive mode
     '--agree-tos',                          # Agree to the terms of service,
     '--email', email,                       # Email
     '--dns-route53',                        # Use dns challenge with route53
     '-d', domains,                          # Domains to provision certs for
+    '--key-type', keytype,                  # Key type
     # Override directory paths so script doesn't have to be run as root
     '--config-dir', '/tmp/config-dir/',
     '--work-dir', '/tmp/work-dir/',
@@ -204,6 +205,7 @@ def handler(event, context):
   print("CERTIFICATE_STORAGE: " + storage_method)
   print("LETSENCRYPT_DOMAINS: " + os.environ['LETSENCRYPT_DOMAINS'])
   print("LETSENCRYPT_EMAIL: " + os.environ['LETSENCRYPT_EMAIL'])
+  print("KEY_TYPE: " + os.environ['KEY_TYPE'])
   print("PREFERRED_CHAIN: " + os.environ['PREFERRED_CHAIN'])
   print("DRY_RUN: " + os.environ['DRY_RUN'])
 
@@ -224,7 +226,7 @@ def handler(event, context):
 
   domains = os.environ['LETSENCRYPT_DOMAINS']
   if should_provision(domains):
-    cert = provision_cert(os.environ['LETSENCRYPT_EMAIL'], domains, storage_method)
+    cert = provision_cert(os.environ['LETSENCRYPT_EMAIL'], domains, storage_method, os.environ['KEY_TYPE'])
     if not os.getenv("DRY_RUN", 'False').lower() in ["true", "1"]:
       upload_cert_to_acm(cert, domains)
       notify_via_sns(os.environ['NOTIFICATION_SNS_ARN'], domains, cert['certificate'])

diff --git a/src/index.ts b/src/index.ts
@@ -85,6 +85,12 @@ export interface CertbotProps {
    * @default 'None'
    */
   readonly preferredChain?: string;
+  /**
+   * Set the key type for the certificate.
+   *
+   * @default 'ecdsa'
+   */
+  readonly keyType?: string;
   /**
    * The SNS topic to notify when a new cert is issued. If no topic is given one will be created automatically.
    */
@@ -265,6 +271,7 @@ export class Certbot extends Construct {
         OBJECT_PREFIX: props.objectPrefix || '',
         REISSUE_DAYS: (props.reIssueDays === undefined) ? '30' : String(props.reIssueDays),
         PREFERRED_CHAIN: props.preferredChain || 'None',
+        KEY_TYPE: props.keyType || 'ecdsa',
         NOTIFICATION_SNS_ARN: snsTopic.topicArn,
         DRY_RUN: 'False',
       },

diff --git a/test/__snapshots__/certbot.test.ts.snap b/test/__snapshots__/certbot.test.ts.snap