From de6a0432f4d48cc364e08745105a6d279efd2081 Mon Sep 17 00:00:00 2001
From: longtv2222
Date: Sat, 6 Jan 2024 00:42:25 -0700
Subject: [PATCH 01/13] feat: add support for key algorithm for private certificate

---
 .../aws-certificatemanager/lib/certificate.ts | 24 +++++++++
 .../lib/private-certificate.ts | 10 +++-
 .../test/private-certificate.test.ts | 50 ++++++++++++++++++-
 3 files changed, 81 insertions(+), 3 deletions(-)

diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
index 37b5eb55b3511..24b6255f02c4f 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
+++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
@@ -103,6 +103,30 @@ export interface CertificateProps {
   readonly certificateName?: string
 }
 
+export class KeyAlgorithm {
+  /**
+   * RSA_2048 algorithm
+   */
+  public static readonly RSA_2048 = new KeyAlgorithm("RSA_2048");
+
+  /**
+   * EC_prime256v1 algorithm
+   */
+  public static readonly EC_PRIME256V1 = new KeyAlgorithm("EC_prime256v1");
+
+  /**
+   * EC_secp384r1 algorithm
+   */
+  public static readonly EC_SECP384R1 = new KeyAlgorithm("EC_secp384r1");
+
+  constructor(
+    /**
+     * The name of the algorithm
+     */
+    public readonly name: string
+  ) { };
+}
+
 /**
  * Properties for certificate validation
  */
diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts
index 78ddbf849f3fe..dc518f5d9e7d6 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts
+++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts
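Review bot: The constructor closes with `) { };` — the semicolon after the body is a stray empty statement and should be dropped, leaving `) { }`. The three member doc comments only repeat the identifier; a reader choosing between them wants the key type, e.g. `/** 2048-bit RSA key pair */`, `/** ECDSA key pair on the P-256 (prime256v1) curve */` and `/** ECDSA key pair on the P-384 (secp384r1) curve */`. Because `name` is forwarded to CloudFormation without any validation, the class documentation should also warn that a misspelled or unsupported algorithm name is presumably only rejected when the stack deploys, not at synth time.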
@@ -1,5 +1,5 @@
 import { Construct } from 'constructs';
-import { ICertificate } from './certificate';
+import { ICertificate, KeyAlgorithm } from './certificate';
 import { CertificateBase } from './certificate-base';
 import { CfnCertificate } from './certificatemanager.generated';
 import * as acmpca from '../../aws-acmpca';
@@ -28,6 +28,13 @@ export interface PrivateCertificateProps {
    * Private certificate authority (CA) that will be used to issue the certificate.
    */
   readonly certificateAuthority: acmpca.ICertificateAuthority;
+
+  /**
+   * Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data.
+   *
+   * @default KeyAlgorithm.RSA_2048
+   */
+  readonly keyAlgorithm?: KeyAlgorithm;
 }
 
 /**
@@ -59,6 +66,7 @@ export class PrivateCertificate extends CertificateBase implements ICertificate
       domainName: props.domainName,
       subjectAlternativeNames: props.subjectAlternativeNames,
       certificateAuthorityArn: props.certificateAuthority.certificateAuthorityArn,
+      keyAlgorithm: props.keyAlgorithm?.name,
     });
 
     this.certificateArn = cert.ref;
diff --git a/packages/aws-cdk-lib/aws-certificatemanager/test/private-certificate.test.ts b/packages/aws-cdk-lib/aws-certificatemanager/test/private-certificate.test.ts
index 550d26eb89515..24db7173368ed 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/test/private-certificate.test.ts
+++ b/packages/aws-cdk-lib/aws-certificatemanager/test/private-certificate.test.ts
@@ -1,7 +1,7 @@
-import { Template } from '../../assertions';
+import { Match, Template } from '../../assertions';
 import * as acmpca from '../../aws-acmpca';
 import { Duration, Lazy, Stack } from '../../core';
-import { PrivateCertificate } from '../lib';
+import { KeyAlgorithm, PrivateCertificate } from '../lib';
 
 test('private certificate authority', () => {
   const stack = new Stack();
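Review bot: The `keyAlgorithm` doc comment on `PrivateCertificateProps` says the key pair is used "to encrypt data", which is not what a TLS certificate key does — it authenticates the holder by signing during the handshake. `@default KeyAlgorithm.RSA_2048` is also the service's default rather than the construct's: when the prop is omitted, `keyAlgorithm: props.keyAlgorithm?.name` resolves to `undefined` and `KeyAlgorithm` is left out of the template entirely, which the new unit test pins with `Match.absent()`. Suggested wording: `Algorithm of the public/private key pair the certificate is issued for. The value is passed to CloudFormation unchanged. @default - not set; the ACM default (RSA_2048) applies`. Whether the issuing CA's own key or signing algorithm constrains the accepted values deserves a sentence here too — confirm against the ACM PCA documentation before stating it.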
@@ -100,3 +100,49 @@ test('metricDaysToExpiry', () => {
     renderingProperties: expect.anything(),
   });
 });
+
+describe('Key Algorithm', () => {
+  test('key algorithm is undefined if not provided', () => {
+    const stack = new Stack();
+
+    new PrivateCertificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+        'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      KeyAlgorithm: Match.absent(),
+    });
+  });
+
+  test('Can specify algorithm', () => {
+    const stack = new Stack();
+
+    new PrivateCertificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+        'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+      keyAlgorithm: KeyAlgorithm.EC_SECP384R1
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      KeyAlgorithm: 'EC_secp384r1',
+    });
+  });
+
+  test('Can specify any arbitrary algorithm', () => {
+    const stack = new Stack();
+
+    new PrivateCertificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+        'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+      keyAlgorithm: new KeyAlgorithm("any value"),
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      KeyAlgorithm: 'any value',
+    });
+  });
+});
From 28b63fccbb744b2eebb1642f18f4db347d4cc4f9 Mon Sep 17 00:00:00 2001
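Review bot: The three tests repeat the `fromCertificateAuthorityArn(stack, 'CA', 'arn:aws:acm-pca:…')` fixture and the `'test.example.com'` domain verbatim; a small helper in the `describe`, e.g. `const newCert = (stack: Stack, keyAlgorithm?: KeyAlgorithm) => new PrivateCertificate(stack, 'Certificate', { … })`, would reduce each test to the one line that differs. The test names are inconsistently cased (`'key algorithm is undefined if not provided'` next to `'Can specify algorithm'`). The last name, `'Can specify any arbitrary algorithm'`, presents a pass-through as a feature — something like `'algorithm name is forwarded without validation'` states what the test actually guarantees.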
From: longtv2222
Date: Sat, 6 Jan 2024 00:49:55 -0700
Subject: [PATCH 02/13] docs: add comments for KeyAlgorithm class

---
 .../aws-cdk-lib/aws-certificatemanager/lib/certificate.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
index 24b6255f02c4f..2106a30acb7b1 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
+++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
@@ -103,6 +103,12 @@ export interface CertificateProps {
   readonly certificateName?: string
 }
 
+/**
+ * Certificate Manager key algorithm
+ *
+ * If you need to use an algorithm that doesn't exist as a static member, you
+ * can instantiate a `KeyAlgorithm` object, e.g: `new KeyAlgorithm('RSA_2048')`.
+ */
 export class KeyAlgorithm {
   /**
    * RSA_2048 algorithm
From bf6fbbb85bd148086c132e0f8b247a59e04046e3 Mon Sep 17 00:00:00 2001
From: longtv2222
Date: Sat, 6 Jan 2024 00:56:29 -0700
Subject: [PATCH 03/13] docs: update README.md

---
 packages/aws-cdk-lib/aws-certificatemanager/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/aws-cdk-lib/aws-certificatemanager/README.md b/packages/aws-cdk-lib/aws-certificatemanager/README.md
index 5c20e8fae88dd..e088b52e186fb 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/README.md
+++ b/packages/aws-cdk-lib/aws-certificatemanager/README.md
@@ -142,6 +142,7 @@ new acm.PrivateCertificate(this, 'PrivateCertificate', {
   subjectAlternativeNames: ['cool.example.com', 'test.example.net'], // optional
   certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(this, 'CA',
     'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+  keyAlgorithm: acm.KeyAlgorithm.RSA_2048 // optional, default algorithm is RSA_2048
 });
 ```
 
From fcc23d232e05639d558518f949848791809d2c39 Mon Sep 17 00:00:00 2001
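Review bot: The example in the new class comment, `new KeyAlgorithm('RSA_2048')`, names a value that already has a static member (`KeyAlgorithm.RSA_2048`), which undercuts the sentence about algorithms that "don't exist as a static member". Use a name the class does not enumerate and say that the string is forwarded unchecked, e.g. `…you can instantiate one with the CloudFormation value, e.g. new KeyAlgorithm('RSA_4096'); the name is not validated at synth time.` Whether `RSA_4096` is accepted for the certificate type in question should be confirmed against the `AWS::CertificateManager::Certificate` reference before it goes into the comment. `e.g:` should also read `e.g.`.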
From: longtv2222
Date: Sat, 6 Jan 2024 01:10:15 -0700
Subject: [PATCH 04/13] fix: lint

---
 .../aws-cdk-lib/aws-certificatemanager/lib/certificate.ts | 8 ++++----
 .../test/private-certificate.test.ts | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
index 2106a30acb7b1..607d1afb588de 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
+++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
@@ -113,23 +113,23 @@ export class KeyAlgorithm {
   /**
    * RSA_2048 algorithm
    */
-  public static readonly RSA_2048 = new KeyAlgorithm("RSA_2048");
+  public static readonly RSA_2048 = new KeyAlgorithm('RSA_2048');
 
   /**
    * EC_prime256v1 algorithm
    */
-  public static readonly EC_PRIME256V1 = new KeyAlgorithm("EC_prime256v1");
+  public static readonly EC_PRIME256V1 = new KeyAlgorithm('EC_prime256v1');
 
   /**
    * EC_secp384r1 algorithm
    */
-  public static readonly EC_SECP384R1 = new KeyAlgorithm("EC_secp384r1");
+  public static readonly EC_SECP384R1 = new KeyAlgorithm('EC_secp384r1');
 
   constructor(
     /**
      * The name of the algorithm
      */
-    public readonly name: string
+    public readonly name: string,
   ) { };
 }
 
diff --git a/packages/aws-cdk-lib/aws-certificatemanager/test/private-certificate.test.ts b/packages/aws-cdk-lib/aws-certificatemanager/test/private-certificate.test.ts
index 24db7173368ed..75df50ea7b078 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/test/private-certificate.test.ts
+++ b/packages/aws-cdk-lib/aws-certificatemanager/test/private-certificate.test.ts
@@ -123,7 +123,7 @@ describe('Key Algorithm', () => {
       domainName: 'test.example.com',
       certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
         'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
-      keyAlgorithm: KeyAlgorithm.EC_SECP384R1
+      keyAlgorithm: KeyAlgorithm.EC_SECP384R1,
     });
 
     Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
@@ -138,7 +138,7 @@ describe('Key Algorithm', () => {
       domainName: 'test.example.com',
       certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
         'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
-      keyAlgorithm: new KeyAlgorithm("any value"),
+      keyAlgorithm: new KeyAlgorithm('any value'),
     });
 
     Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
From 291550dba125f1c9ac277cfc50271d57ab604365 Mon Sep 17 00:00:00 2001
From: longtv2222
Date: Sat, 6 Jan 2024 15:49:12 -0700
Subject: [PATCH 05/13] feat: add key algorithm to certificate

---
 .../aws-certificatemanager/lib/certificate.ts | 8 ++++
 .../test/certificate.test.ts | 42 ++++++++++++++++++-
 2 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
index 607d1afb588de..e031609e9fdac 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
+++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
@@ -101,6 +101,13 @@ export interface CertificateProps {
    * @default the full, absolute path of this construct
    */
   readonly certificateName?: string
+
+  /**
+   * Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data.
+   *
+   * @default KeyAlgorithm.RSA_2048
+   */
+  readonly keyAlgorithm?: KeyAlgorithm;
 }
 
 /**
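Review bot: The `keyAlgorithm` doc block added to `CertificateProps` is copied verbatim from `PrivateCertificateProps` and carries the same inaccuracy — a certificate key pair signs the TLS handshake, it does not "encrypt data". For a public ACM certificate the set of accepted algorithms is presumably narrower than for a private one; if so, list them or point at the CloudFormation `KeyAlgorithm` reference so a user does not discover the difference at deploy time. `@default KeyAlgorithm.RSA_2048` describes the service default, while the construct leaves the property out of the template when the prop is unset; suggest `Algorithm of the key pair the certificate is issued for; passed to CloudFormation unchanged. @default - not set; the ACM default (RSA_2048) applies`.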
@@ -289,6 +296,7 @@ export class Certificate extends CertificateBase implements ICertificate {
       domainValidationOptions: renderDomainValidation(validation, allDomainNames),
       validationMethod: validation.method,
       certificateTransparencyLoggingPreference,
+      keyAlgorithm: props.keyAlgorithm?.name,
     });
 
     Tags.of(cert).add(NAME_TAG, props.certificateName || this.node.path.slice(0, 255));
diff --git a/packages/aws-cdk-lib/aws-certificatemanager/test/certificate.test.ts b/packages/aws-cdk-lib/aws-certificatemanager/test/certificate.test.ts
index 6e383f30bb418..815661ef623fb 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/test/certificate.test.ts
+++ b/packages/aws-cdk-lib/aws-certificatemanager/test/certificate.test.ts
@@ -1,7 +1,7 @@
 import { Template, Match } from '../../assertions';
 import * as route53 from '../../aws-route53';
 import { Aws, Duration, Lazy, Stack } from '../../core';
-import { Certificate, CertificateValidation } from '../lib';
+import { Certificate, CertificateValidation, KeyAlgorithm } from '../lib';
 
 test('apex domain selection by default', () => {
   const stack = new Stack();
@@ -441,3 +441,43 @@ function hasTags(expectedTags: Array<{Key: string, Value: string}>) {
     },
   };
 }
+
+describe('Key Algorithm', () => {
+  test('key algorithm is undefined if not provided', () => {
+    const stack = new Stack();
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      KeyAlgorithm: Match.absent(),
+    });
+  });
+
+  test('Can specify algorithm', () => {
+    const stack = new Stack();
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      keyAlgorithm: KeyAlgorithm.EC_SECP384R1,
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      KeyAlgorithm: 'EC_secp384r1',
+    });
+  });
+
+  test('Can specify any arbitrary algorithm', () => {
+    const stack = new Stack();
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      keyAlgorithm: new KeyAlgorithm('any value'),
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      KeyAlgorithm: 'any value',
+    });
+  });
+});
From 4f597f92ff3d0677407729e9774c5005789674a8 Mon Sep 17 00:00:00 2001
From: longtv2222
Date: Sun, 7 Jan 2024 09:04:12 -0700
Subject: [PATCH 06/13] test: add integration tests

---
 .../test/integ.certificate-key-algorithm.ts | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts

diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts
new file mode 100644
index 0000000000000..c28019d17e4d1
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts
@@ -0,0 +1,50 @@
+import { PublicHostedZone } from 'aws-cdk-lib/aws-route53';
+import { App, Stack } from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { Certificate, CertificateValidation, KeyAlgorithm } from 'aws-cdk-lib/aws-certificatemanager';
+
+/**
+ * In order to test this you need
+ * to have a valid public hosted zone that you can use
+ * to request certificates for.
+ *
+*/
+const hostedZoneId = process.env.CDK_INTEG_HOSTED_ZONE_ID ?? process.env.HOSTED_ZONE_ID;
+if (!hostedZoneId) throw new Error('For this test you must provide your own HostedZoneId as an env var "HOSTED_ZONE_ID". See framework-integ/README.md for details.');
+const hostedZoneName = process.env.CDK_INTEG_HOSTED_ZONE_NAME ?? process.env.HOSTED_ZONE_NAME;
+if (!hostedZoneName) throw new Error('For this test you must provide your own HostedZoneName as an env var "HOSTED_ZONE_NAME". See framework-integ/README.md for details.');
+const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME;
+if (!domainName) throw new Error('For this test you must provide your own DomainName as an env var "DOMAIN_NAME". See framework-integ/README.md for details.');
+
+const app = new App();
+const stack = new Stack(app, 'integ-certificate-name');
+const hostedZone = PublicHostedZone.fromHostedZoneAttributes(stack, 'HostedZone', {
+  hostedZoneId,
+  zoneName: hostedZoneName,
+});
+
+const validation = CertificateValidation.fromDns(hostedZone);
+
+new Certificate(stack, 'EC_prime256v1', {
+  domainName,
+  keyAlgorithm: KeyAlgorithm.EC_PRIME256V1,
+  validation,
+});
+
+new Certificate(stack, 'EC_secp384r1', {
+  domainName,
+  keyAlgorithm: KeyAlgorithm.EC_SECP384R1,
+  validation,
+});
+
+new Certificate(stack, 'RSA_2048', {
+  domainName,
+  keyAlgorithm: KeyAlgorithm.RSA_2048,
+  validation,
+});
+
+new IntegTest(app, 'integ-test', {
+  testCases: [stack],
+  diffAssets: true,
+  enableLookups: true,
+});
\ No newline at end of file
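Review bot: The stack id `'integ-certificate-name'` looks copied from the sibling integ test and should be `'integ-certificate-key-algorithm'`; as written, both tests synthesize a CloudFormation stack of the same name, so running them against one account would have one deployment replace the other's certificates. `enableLookups: true` appears unnecessary here, because `fromHostedZoneAttributes` takes literal values and performs no context lookup — confirm against the other ACM integ tests before dropping it. The error messages only name `HOSTED_ZONE_ID`, `HOSTED_ZONE_NAME` and `DOMAIN_NAME` although the code prefers the `CDK_INTEG_*` variants; mention both so the message matches the lookup. The file also lacks a trailing newline.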
From cf27f433ad50079ac0ec4b8624dfb17b3248ce62 Mon Sep 17 00:00:00 2001
From: longtv2222
Date: Sun, 7 Jan 2024 09:06:27 -0700
Subject: [PATCH 07/13] fix: add missing integration test results

---
 .../cdk.out | 1 +
 .../integ-certificate-name.assets.json | 19 ++
 .../integ-certificate-name.template.json | 98 ++++++++
 .../integ.json | 14 ++
 ...efaultTestDeployAssert24D5C536.assets.json | 19 ++
 ...aultTestDeployAssert24D5C536.template.json | 36 +++
 .../manifest.json | 125 ++++++++++
 .../tree.json | 223 ++++++++++++++++++
 8 files changed, 535 insertions(+)
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/cdk.out
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.assets.json
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.template.json
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.assets.json new file mode 100644 index 0000000000000..7670d9a576cf4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "6fdb447388a8554d80b6aec0b245e7feebef3f5ac6459d71239ebbd1efb9621b": { + "source": { + "path": "integ-certificate-name.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "6fdb447388a8554d80b6aec0b245e7feebef3f5ac6459d71239ebbd1efb9621b.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.template.json new file mode 100644 index 0000000000000..65fcd76adac4a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.template.json 
@@ -0,0 +1,98 @@ +{ + "Resources": { + "ECprime256v1A2C983CE": { + "Type": "AWS::CertificateManager::Certificate", + "Properties": { + "DomainName": "*.example.com", + "DomainValidationOptions": [ + { + "DomainName": "*.example.com", + "HostedZoneId": "Z23ABC4XYZL05B" + } + ], + "KeyAlgorithm": "EC_prime256v1", + "Tags": [ + { + "Key": "Name", + "Value": "integ-certificate-name/EC_prime256v1" + } + ], + "ValidationMethod": "DNS" + } + }, + "ECsecp384r16CA95ECC": { + "Type": "AWS::CertificateManager::Certificate", + "Properties": { + "DomainName": "*.example.com", + "DomainValidationOptions": [ + { + "DomainName": "*.example.com", + "HostedZoneId": "Z23ABC4XYZL05B" + } + ], + "KeyAlgorithm": "EC_secp384r1", + "Tags": [ + { + "Key": "Name", + "Value": "integ-certificate-name/EC_secp384r1" + } + ], + "ValidationMethod": "DNS" + } + }, + "RSA2048CD164E12": { + "Type": "AWS::CertificateManager::Certificate", + "Properties": { + "DomainName": "*.example.com", + "DomainValidationOptions": [ + { + "DomainName": "*.example.com", + "HostedZoneId": "Z23ABC4XYZL05B" + } + ], + "KeyAlgorithm": "RSA_2048", + "Tags": [ + { + "Key": "Name", + "Value": "integ-certificate-name/RSA_2048" + } + ], + "ValidationMethod": "DNS" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json new file mode 100644 index 0000000000000..cc8adfcad5fca --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json @@ -0,0 +1,14 @@ +{ + "enableLookups": true, + "version": "36.0.0", + "testCases": { + "integ-test/DefaultTest": { + "stacks": [ + "integ-certificate-name" + ], + "diffAssets": true, + "assertionStack": "integ-test/DefaultTest/DeployAssert", + "assertionStackName": "integtestDefaultTestDeployAssert24D5C536" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json new file mode 100644 index 0000000000000..3555eb95abb24 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json 
@@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "integtestDefaultTestDeployAssert24D5C536.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json new file mode 100644 index 0000000000000..b034a9264a76e --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json 
@@ -0,0 +1,125 @@ +{ + "version": "36.0.0", + "artifacts": { + "integ-certificate-name.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integ-certificate-name.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integ-certificate-name": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integ-certificate-name.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/6fdb447388a8554d80b6aec0b245e7feebef3f5ac6459d71239ebbd1efb9621b.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integ-certificate-name.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integ-certificate-name.assets" + ], + "metadata": { + "/integ-certificate-name/EC_prime256v1/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ECprime256v1A2C983CE" + } + ], + "/integ-certificate-name/EC_secp384r1/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ECsecp384r16CA95ECC" + } + ], + "/integ-certificate-name/RSA_2048/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "RSA2048CD164E12" + } + ], + "/integ-certificate-name/BootstrapVersion": [ + { + "type": 
"aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-certificate-name/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-certificate-name" + }, + "integtestDefaultTestDeployAssert24D5C536.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integtestDefaultTestDeployAssert24D5C536.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integtestDefaultTestDeployAssert24D5C536": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integtestDefaultTestDeployAssert24D5C536.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integtestDefaultTestDeployAssert24D5C536.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integtestDefaultTestDeployAssert24D5C536.assets" + ], + "metadata": { + "/integ-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + 
"/integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json new file mode 100644 index 0000000000000..b09299ab53c6b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json 
@@ -0,0 +1,223 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "integ-certificate-name": { + "id": "integ-certificate-name", + "path": "integ-certificate-name", + "children": { + "HostedZone": { + "id": "HostedZone", + "path": "integ-certificate-name/HostedZone", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "2.118.0" + } + }, + "EC_prime256v1": { + "id": "EC_prime256v1", + "path": "integ-certificate-name/EC_prime256v1", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-certificate-name/EC_prime256v1/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", + "aws:cdk:cloudformation:props": { + "domainName": "*.example.com", + "domainValidationOptions": [ + { + "domainName": "*.example.com", + "hostedZoneId": "Z23ABC4XYZL05B" + } + ], + "keyAlgorithm": "EC_prime256v1", + "tags": [ + { + "key": "Name", + "value": "integ-certificate-name/EC_prime256v1" + } + ], + "validationMethod": "DNS" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.CfnCertificate", + "version": "2.118.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "2.118.0" + } + }, + "EC_secp384r1": { + "id": "EC_secp384r1", + "path": "integ-certificate-name/EC_secp384r1", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-certificate-name/EC_secp384r1/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", + "aws:cdk:cloudformation:props": { + "domainName": "*.example.com", + "domainValidationOptions": [ + { + "domainName": "*.example.com", + "hostedZoneId": "Z23ABC4XYZL05B" + } + ], + "keyAlgorithm": "EC_secp384r1", + "tags": [ + { + "key": "Name", + "value": "integ-certificate-name/EC_secp384r1" + } + ], + "validationMethod": "DNS" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.CfnCertificate", + "version": "2.118.0" + } + } + }, + 
"constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "2.118.0" + } + }, + "RSA_2048": { + "id": "RSA_2048", + "path": "integ-certificate-name/RSA_2048", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-certificate-name/RSA_2048/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", + "aws:cdk:cloudformation:props": { + "domainName": "*.example.com", + "domainValidationOptions": [ + { + "domainName": "*.example.com", + "hostedZoneId": "Z23ABC4XYZL05B" + } + ], + "keyAlgorithm": "RSA_2048", + "tags": [ + { + "key": "Name", + "value": "integ-certificate-name/RSA_2048" + } + ], + "validationMethod": "DNS" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.CfnCertificate", + "version": "2.118.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "2.118.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-certificate-name/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "2.118.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-certificate-name/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "2.118.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "2.118.0" + } + }, + "integ-test": { + "id": "integ-test", + "path": "integ-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "integ-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "integ-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "integ-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": 
"aws-cdk-lib.CfnParameter", + "version": "2.118.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "2.118.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "2.118.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "2.118.0-alpha.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "2.118.0-alpha.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "2.118.0" + } + } +} \ No newline at end of file From 773ea5a0904ef8c3831e7902e66e3dc49b20c07c Mon Sep 17 00:00:00 2001 From: longtv2222 Date: Sun, 7 Jan 2024 09:32:14 -0700 Subject: [PATCH 08/13] fix: lint and added Annotation for unused keyAlgorithm props in --- .../test/integ.certificate-key-algorithm.ts | 2 +- .../aws-certificatemanager/lib/dns-validated-certificate.ts | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts index c28019d17e4d1..5265140c5f604 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts 
@@ -4,7 +4,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; import { Certificate, CertificateValidation, KeyAlgorithm } from 'aws-cdk-lib/aws-certificatemanager'; /** - * In order to test this you need + * In order to test this you need * to have a valid public hosted zone that you can use * to request certificates for. * diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/dns-validated-certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/dns-validated-certificate.ts index b3167087ae9d6..0e643d3753d07 100644 --- a/packages/aws-cdk-lib/aws-certificatemanager/lib/dns-validated-certificate.ts +++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/dns-validated-certificate.ts @@ -85,6 +85,11 @@ export class DnsValidatedCertificate extends CertificateBase implements ICertifi constructor(scope: Construct, id: string, props: DnsValidatedCertificateProps) { super(scope, id); + if (props.keyAlgorithm) + cdk.Annotations.of(this) + .addWarningV2("@aws-cdk/aws-certificatemanager:keyAlgorithmIgnored", + "keyAlgorithm is ignored for DnsValidatedCertificate construct."); + this.region = props.region; this.domainName = props.domainName; // check if domain name is 64 characters or less From 60bc56ef7a22fcb80fce0aa390b7c8254c0aa5e1 Mon Sep 17 00:00:00 2001 From: longtv2222 Date: Sun, 7 Jan 2024 09:43:13 -0700 Subject: [PATCH 09/13] fix: lint --- .../lib/dns-validated-certificate.ts | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/dns-validated-certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/dns-validated-certificate.ts index 0e643d3753d07..49e0c5b8e7b91 100644 --- a/packages/aws-cdk-lib/aws-certificatemanager/lib/dns-validated-certificate.ts +++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/dns-validated-certificate.ts 
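Review bot: The new guard in the DnsValidatedCertificate constructor only emits a synth-time annotation when `props.keyAlgorithm` is set, so a caller who explicitly asked for `EC_secp384r1` still deploys with the documented default (`RSA_2048`) and may never see the warning; since `keyAlgorithm` is a brand-new property on this construct, rejecting it is not a breaking change and is the safer choice for a setting that decides the certificate's key type. I would replace the annotation with `throw new Error('keyAlgorithm is not supported by DnsValidatedCertificate; use Certificate with DNS validation instead');` inside the same `if`. If the warning is kept on purpose, its message should at least state which algorithm will actually be used so the downgrade is explicit. The same lines are restyled (braces, single quotes) in the following lint hunk without changing behaviour, and the rest of the constructor lies outside the hunk.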
@@ -85,10 +85,11 @@ export class DnsValidatedCertificate extends CertificateBase implements ICertifi constructor(scope: Construct, id: string, props: DnsValidatedCertificateProps) { super(scope, id); - if (props.keyAlgorithm) + if (props.keyAlgorithm) { cdk.Annotations.of(this) - .addWarningV2("@aws-cdk/aws-certificatemanager:keyAlgorithmIgnored", - "keyAlgorithm is ignored for DnsValidatedCertificate construct."); + .addWarningV2('@aws-cdk/aws-certificatemanager:keyAlgorithmIgnored', + 'keyAlgorithm is ignored for DnsValidatedCertificate construct.'); + } this.region = props.region; this.domainName = props.domainName; From 37e5b17204d42cf21548e1490c9a2fd96e5a9dd0 Mon Sep 17 00:00:00 2001 From: longtv2222 Date: Sun, 7 Jan 2024 11:13:18 -0700 Subject: [PATCH 10/13] fix: improve docs and rename integration tests stack name --- ...s.json => integ-key-algorithm.assets.json} | 6 ++-- ...json => integ-key-algorithm.template.json} | 6 ++-- .../integ.json | 2 +- .../manifest.json | 26 ++++++++-------- .../tree.json | 30 +++++++++---------- .../test/integ.certificate-key-algorithm.ts | 2 +- .../aws-certificatemanager/README.md | 18 +++++++++++ .../aws-certificatemanager/lib/certificate.ts | 2 ++ .../lib/private-certificate.ts | 3 ++ 9 files changed, 59 insertions(+), 36 deletions(-) rename packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/{integ-certificate-name.assets.json => integ-key-algorithm.assets.json} (66%) rename packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/{integ-certificate-name.template.json => integ-key-algorithm.template.json} (92%) 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-key-algorithm.assets.json similarity index 66% rename from packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.assets.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-key-algorithm.assets.json index 7670d9a576cf4..4843b48cdd9ff 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-key-algorithm.assets.json @@ -1,15 +1,15 @@ { "version": "36.0.0", "files": { - "6fdb447388a8554d80b6aec0b245e7feebef3f5ac6459d71239ebbd1efb9621b": { + "b3c50c4e8378ff7782ea37244e92308e1c5724f88cbae2d1f9937061a00b454a": { "source": { - "path": "integ-certificate-name.template.json", + "path": "integ-key-algorithm.template.json", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "6fdb447388a8554d80b6aec0b245e7feebef3f5ac6459d71239ebbd1efb9621b.json", + "objectKey": "b3c50c4e8378ff7782ea37244e92308e1c5724f88cbae2d1f9937061a00b454a.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-key-algorithm.template.json similarity index 92% rename from packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.template.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-key-algorithm.template.json index 65fcd76adac4a..5b4005d39a339 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-name.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-key-algorithm.template.json @@ -14,7 +14,7 @@ "Tags": [ { "Key": "Name", - "Value": "integ-certificate-name/EC_prime256v1" + "Value": "integ-key-algorithm/EC_prime256v1" } ], "ValidationMethod": "DNS" @@ -34,7 +34,7 @@ "Tags": [ { "Key": "Name", - "Value": "integ-certificate-name/EC_secp384r1" + "Value": "integ-key-algorithm/EC_secp384r1" } ], "ValidationMethod": "DNS" @@ -54,7 +54,7 @@ "Tags": [ { "Key": "Name", - "Value": "integ-certificate-name/RSA_2048" + "Value": "integ-key-algorithm/RSA_2048" } ], "ValidationMethod": "DNS" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json index cc8adfcad5fca..b5aec2f6f623f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json @@ -4,7 +4,7 @@ "testCases": { "integ-test/DefaultTest": { "stacks": [ - "integ-certificate-name" + "integ-key-algorithm" ], "diffAssets": true, "assertionStack": "integ-test/DefaultTest/DeployAssert", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json index b034a9264a76e..525ce220fc4af 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json 
@@ -1,28 +1,28 @@ { "version": "36.0.0", "artifacts": { - "integ-certificate-name.assets": { + "integ-key-algorithm.assets": { "type": "cdk:asset-manifest", "properties": { - "file": "integ-certificate-name.assets.json", + "file": "integ-key-algorithm.assets.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" } }, - "integ-certificate-name": { + "integ-key-algorithm": { "type": "aws:cloudformation:stack", "environment": "aws://unknown-account/unknown-region", "properties": { - "templateFile": "integ-certificate-name.template.json", + "templateFile": "integ-key-algorithm.template.json", "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/6fdb447388a8554d80b6aec0b245e7feebef3f5ac6459d71239ebbd1efb9621b.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b3c50c4e8378ff7782ea37244e92308e1c5724f88cbae2d1f9937061a00b454a.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ - "integ-certificate-name.assets" + "integ-key-algorithm.assets" ], "lookupRole": { "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", 
@@ -31,41 +31,41 @@ } }, "dependencies": [ - "integ-certificate-name.assets" + "integ-key-algorithm.assets" ], "metadata": { - "/integ-certificate-name/EC_prime256v1/Resource": [ + "/integ-key-algorithm/EC_prime256v1/Resource": [ { "type": "aws:cdk:logicalId", "data": "ECprime256v1A2C983CE" } ], - "/integ-certificate-name/EC_secp384r1/Resource": [ + "/integ-key-algorithm/EC_secp384r1/Resource": [ { "type": "aws:cdk:logicalId", "data": "ECsecp384r16CA95ECC" } ], - "/integ-certificate-name/RSA_2048/Resource": [ + "/integ-key-algorithm/RSA_2048/Resource": [ { "type": "aws:cdk:logicalId", "data": "RSA2048CD164E12" } ], - "/integ-certificate-name/BootstrapVersion": [ + "/integ-key-algorithm/BootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "BootstrapVersion" } ], - "/integ-certificate-name/CheckBootstrapVersion": [ + "/integ-key-algorithm/CheckBootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } ] }, - "displayName": "integ-certificate-name" + "displayName": "integ-key-algorithm" }, "integtestDefaultTestDeployAssert24D5C536.assets": { "type": "cdk:asset-manifest", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json index b09299ab53c6b..1ab152c1381db 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json 
@@ -4,13 +4,13 @@ "id": "App", "path": "", "children": { - "integ-certificate-name": { - "id": "integ-certificate-name", - "path": "integ-certificate-name", + "integ-key-algorithm": { + "id": "integ-key-algorithm", + "path": "integ-key-algorithm", "children": { "HostedZone": { "id": "HostedZone", - "path": "integ-certificate-name/HostedZone", + "path": "integ-key-algorithm/HostedZone", "constructInfo": { "fqn": "aws-cdk-lib.Resource", "version": "2.118.0" @@ -18,11 +18,11 @@ }, "EC_prime256v1": { "id": "EC_prime256v1", - "path": "integ-certificate-name/EC_prime256v1", + "path": "integ-key-algorithm/EC_prime256v1", "children": { "Resource": { "id": "Resource", - "path": "integ-certificate-name/EC_prime256v1/Resource", + "path": "integ-key-algorithm/EC_prime256v1/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", "aws:cdk:cloudformation:props": { @@ -37,7 +37,7 @@ "tags": [ { "key": "Name", - "value": "integ-certificate-name/EC_prime256v1" + "value": "integ-key-algorithm/EC_prime256v1" } ], "validationMethod": "DNS" @@ -56,11 +56,11 @@ }, "EC_secp384r1": { "id": "EC_secp384r1", - "path": "integ-certificate-name/EC_secp384r1", + "path": "integ-key-algorithm/EC_secp384r1", "children": { "Resource": { "id": "Resource", - "path": "integ-certificate-name/EC_secp384r1/Resource", + "path": "integ-key-algorithm/EC_secp384r1/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", "aws:cdk:cloudformation:props": { @@ -75,7 +75,7 @@ "tags": [ { "key": "Name", - "value": "integ-certificate-name/EC_secp384r1" + "value": "integ-key-algorithm/EC_secp384r1" } ], "validationMethod": "DNS" 
@@ -94,11 +94,11 @@ }, "RSA_2048": { "id": "RSA_2048", - "path": "integ-certificate-name/RSA_2048", + "path": "integ-key-algorithm/RSA_2048", "children": { "Resource": { "id": "Resource", - "path": "integ-certificate-name/RSA_2048/Resource", + "path": "integ-key-algorithm/RSA_2048/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", "aws:cdk:cloudformation:props": { @@ -113,7 +113,7 @@ "tags": [ { "key": "Name", - "value": "integ-certificate-name/RSA_2048" + "value": "integ-key-algorithm/RSA_2048" } ], "validationMethod": "DNS" @@ -132,7 +132,7 @@ }, "BootstrapVersion": { "id": "BootstrapVersion", - "path": "integ-certificate-name/BootstrapVersion", + "path": "integ-key-algorithm/BootstrapVersion", "constructInfo": { "fqn": "aws-cdk-lib.CfnParameter", "version": "2.118.0" @@ -140,7 +140,7 @@ }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", - "path": "integ-certificate-name/CheckBootstrapVersion", + "path": "integ-key-algorithm/CheckBootstrapVersion", "constructInfo": { "fqn": "aws-cdk-lib.CfnRule", "version": "2.118.0" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts index 5265140c5f604..a928377ebcfba 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts 
@@ -17,7 +17,7 @@ const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME; if (!domainName) throw new Error('For this test you must provide your own DomainName as an env var "DOMAIN_NAME". See framework-integ/README.md for details.'); const app = new App(); -const stack = new Stack(app, 'integ-certificate-name'); +const stack = new Stack(app, 'integ-key-algorithm'); const hostedZone = PublicHostedZone.fromHostedZoneAttributes(stack, 'HostedZone', { hostedZoneId, zoneName: hostedZoneName, diff --git a/packages/aws-cdk-lib/aws-certificatemanager/README.md b/packages/aws-cdk-lib/aws-certificatemanager/README.md index e088b52e186fb..5ea22c202259f 100644 --- a/packages/aws-cdk-lib/aws-certificatemanager/README.md +++ b/packages/aws-cdk-lib/aws-certificatemanager/README.md @@ -157,6 +157,24 @@ new acm.Certificate(this, 'Certificate', { }); ``` +## Key Algorithms + +To specify the algorithm of the public and private key pair that your certificate uses to encrypt data use the `keyAlgorithm` property. + +Algorithms supported for an ACM certificate request include: + * `RSA_2048` + * `EC_prime256v1` + * `EC_secp384r1` + +```ts +new acm.Certificate(this, 'Certificate', { + domainName: 'test.example.com', + keyAlgorithm: acm.KeyAlgorithm.EC_PRIME256V1, +}); +``` + +> Visit [Key algorithms](https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms.title) for more details. + ## Importing If you want to import an existing certificate, you can do so from its ARN: diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts index e031609e9fdac..9b444e3243ad2 100644 --- a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts +++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts 
@@ -105,6 +105,8 @@ export interface CertificateProps { /** * Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. * + * @see https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms.title + * * @default KeyAlgorithm.RSA_2048 */ readonly keyAlgorithm?: KeyAlgorithm; diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts index dc518f5d9e7d6..bd48a8772eccb 100644 --- a/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts +++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts @@ -32,6 +32,9 @@ export interface PrivateCertificateProps { /** * Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. * + * When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family + * (RSA or ECDSA) must match the algorithm family of the CA's secret key. + * * @default KeyAlgorithm.RSA_2048 */ readonly keyAlgorithm?: KeyAlgorithm; From ed9a6852db01328746985c351692c51892685289 Mon Sep 17 00:00:00 2001 From: longtv2222 Date: Sun, 7 Jan 2024 11:17:36 -0700 Subject: [PATCH 11/13] fix: missing docs for private certificate --- .../aws-certificatemanager/lib/private-certificate.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts index bd48a8772eccb..dd5696102c791 100644 --- a/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts +++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts 
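Review bot: The new doc text on `keyAlgorithm` in PrivateCertificateProps refers to "the algorithm family of the CA's secret key"; a CA signs with the private half of a key pair, so `(RSA or ECDSA) must match the algorithm family of the CA's private key.` is the accurate term and is consistent with "private PKI certificate" in the same sentence. The surrounding summary line "uses to encrypt data" is pre-existing context rather than new, but it is imprecise too — the key pair is used for signatures and authentication in TLS, not to encrypt application data — so if the team tightens the wording, "the public/private key pair of the certificate" without "to encrypt data" would be clearer. It would also help callers to say what happens on a family mismatch; I presume the certificate request fails at deploy time, but that should be confirmed before documenting it.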
@@ -35,6 +35,8 @@ export interface PrivateCertificateProps { * When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family * (RSA or ECDSA) must match the algorithm family of the CA's secret key. * + * @see https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms.title + * * @default KeyAlgorithm.RSA_2048 */ readonly keyAlgorithm?: KeyAlgorithm; From 65fe4fb66280ae42fa9a601c775517ec2b949646 Mon Sep 17 00:00:00 2001 From: longtv2222 Date: Sun, 7 Jan 2024 11:51:20 -0700 Subject: [PATCH 12/13] docs: add link for --- packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts index 9b444e3243ad2..db8cd1f783797 100644 --- a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts +++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts @@ -117,6 +117,8 @@ export interface CertificateProps { * * If you need to use an algorithm that doesn't exist as a static member, you * can instantiate a `KeyAlgorithm` object, e.g: `new KeyAlgorithm('RSA_2048')`. + * + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html#cfn-certificatemanager-certificate-keyalgorithm */ export class KeyAlgorithm { /** From ef150087c06b700eea19612738be6a3d5fa7b460 Mon Sep 17 00:00:00 2001 From: Kaizen Conroy <36202692+kaizencc@users.noreply.github.com> Date: Tue, 9 Jan 2024 11:22:03 -0500 Subject: [PATCH 13/13] Update packages/aws-cdk-lib/aws-certificatemanager/README.md --- packages/aws-cdk-lib/aws-certificatemanager/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-certificatemanager/README.md b/packages/aws-cdk-lib/aws-certificatemanager/README.md index 5ea22c202259f..8aa9a9467fc66 100644 
--- a/packages/aws-cdk-lib/aws-certificatemanager/README.md +++ b/packages/aws-cdk-lib/aws-certificatemanager/README.md @@ -142,7 +142,7 @@ new acm.PrivateCertificate(this, 'PrivateCertificate', { subjectAlternativeNames: ['cool.example.com', 'test.example.net'], // optional certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(this, 'CA', 'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'), - keyAlgorithm: acm.KeyAlgorithm.RSA_2048 // optional, default algorithm is RSA_2048 + keyAlgorithm: acm.KeyAlgorithm.RSA_2048, // optional, default algorithm is RSA_2048 }); ```