@trautonen/cdk-dns-validated-certificate 0.0.2 → 0.0.4

package/.gitattributes

@@ -22,4 +22,5 @@
 /LICENSE linguist-generated
 /package-lock.json linguist-generated
 /package.json linguist-generated
+/src/certificate-requestor-function.ts linguist-generated
 /tsconfig.dev.json linguist-generated

package/.jsii

@@ -3515,7 +3515,7 @@
         },
         "locationInModule": {
           "filename": "src/dns-validated-certificate.ts",
-          "line": 181
+          "line": 180
         },
         "parameters": [
           {
@@ -3554,7 +3554,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/dns-validated-certificate.ts",
-        "line": 152
+        "line": 151
       },
       "methods": [
         {
@@ -3565,7 +3565,7 @@
           },
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 285
+            "line": 282
           },
           "name": "applyRemovalPolicy",
           "overrides": "aws-cdk-lib.Resource",
@@ -3586,7 +3586,7 @@
           },
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 273
+            "line": 270
           },
           "name": "metricDaysToExpiry",
           "overrides": "aws-cdk-lib.aws_certificatemanager.ICertificate",
@@ -3616,7 +3616,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 154
+            "line": 153
           },
           "name": "certificateArn",
           "overrides": "aws-cdk-lib.aws_certificatemanager.ICertificate",
@@ -3632,7 +3632,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 157
+            "line": 156
           },
           "name": "certificateRegion",
           "type": {
@@ -3647,7 +3647,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 166
+            "line": 165
           },
           "name": "domainName",
           "type": {
@@ -3662,7 +3662,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 160
+            "line": 159
           },
           "name": "hostedZoneId",
           "type": {
@@ -3677,7 +3677,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 163
+            "line": 162
           },
           "name": "hostedZoneName",
           "type": {
@@ -3692,7 +3692,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 169
+            "line": 168
           },
           "name": "tags",
           "overrides": "aws-cdk-lib.ITaggable",
@@ -3713,7 +3713,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/dns-validated-certificate.ts",
-        "line": 13
+        "line": 12
       },
       "name": "DnsValidatedCertificateProps",
       "properties": [
@@ -3727,7 +3727,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 19
+            "line": 18
           },
           "name": "domainName",
           "type": {
@@ -3744,7 +3744,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 27
+            "line": 26
           },
           "name": "hostedZone",
           "type": {
@@ -3762,7 +3762,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 37
+            "line": 36
           },
           "name": "certificateRegion",
           "optional": true,
@@ -3781,7 +3781,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 81
+            "line": 80
           },
           "name": "cleanupValidationRecords",
           "optional": true,
@@ -3800,7 +3800,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 48
+            "line": 47
           },
           "name": "customResourceRole",
           "optional": true,
@@ -3819,7 +3819,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 106
+            "line": 105
           },
           "name": "removalPolicy",
           "optional": true,
@@ -3839,7 +3839,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 93
+            "line": 92
           },
           "name": "transparencyLoggingEnabled",
           "optional": true,
@@ -3858,7 +3858,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 69
+            "line": 68
           },
           "name": "validationExternalId",
           "optional": true,
@@ -3877,7 +3877,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/dns-validated-certificate.ts",
-            "line": 60
+            "line": 59
           },
           "name": "validationRole",
           "optional": true,
@@ -3889,6 +3889,6 @@
       "symbolId": "src/dns-validated-certificate:DnsValidatedCertificateProps"
     }
   },
-  "version": "0.0.2",
-  "fingerprint": "0YmErv+JlvcbPpHH8WXQhUgUxY+AN4irXPqxQZJ3tFI="
+  "version": "0.0.4",
+  "fingerprint": "9isTWJXuM6/JDWdtr/eWOBbNTViUHK0oLHtxzz9I3Y0="
 }

package/.prettierignore

@@ -1 +1,2 @@
 # ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
+src/certificate-requestor-function.ts

package/.projenrc.ts

@@ -1,4 +1,5 @@
 import { awscdk } from 'projen'
+import { LambdaRuntime } from 'projen/lib/awscdk'
 import { NodePackageManager, NpmAccess, ProseWrap } from 'projen/lib/javascript'
 
 const awsSdkVersion = '^3.0.0'
@@ -20,6 +21,14 @@ const project = new awscdk.AwsCdkConstructLibrary({
   releaseToNpm: true,
   npmAccess: NpmAccess.PUBLIC,
 
+  lambdaOptions: {
+    runtime: LambdaRuntime.NODEJS_18_X,
+    bundlingOptions: {
+      externals: ['@aws-sdk/*'],
+      sourcemap: true,
+    },
+  },
+
   packageManager: NodePackageManager.NPM,
   prettier: true,
   prettierOptions: {
@@ -43,7 +52,7 @@ const project = new awscdk.AwsCdkConstructLibrary({
 })
 
 project.eslint?.addRules({
-  'import/no-extraneous-dependencies': ['error', { devDependencies: ['src/lambda/**/*.ts'] }],
+  'import/no-extraneous-dependencies': ['error', { devDependencies: ['src/**/*.lambda.ts'] }],
 })
 
 project.synth()

package/assets/certificate-requestor.lambda/index.js

@@ -0,0 +1,283 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/certificate-requestor.lambda.ts
+var certificate_requestor_lambda_exports = {};
+__export(certificate_requestor_lambda_exports, {
+  handler: () => handler
+});
+module.exports = __toCommonJS(certificate_requestor_lambda_exports);
+var crypto = __toESM(require("crypto"));
+var import_client_acm = require("@aws-sdk/client-acm");
+var import_client_route_53 = require("@aws-sdk/client-route-53");
+var import_client_sts = require("@aws-sdk/client-sts");
+var sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+var containsSame = (array1, array2) => {
+  if (array1.length !== array2.length)
+    return false;
+  return array1.every((v1) => array2.includes(v1));
+};
+var tryFor = async (maxSeconds, timeoutError, fn) => {
+  const startTime = Date.now();
+  for (let i = 0; true; i++) {
+    if (Date.now() > startTime + maxSeconds * 1e3) {
+      throw new Error(timeoutError);
+    }
+    const result = await fn();
+    if (result !== null) {
+      return result;
+    }
+    const base = Math.pow(2, i);
+    await sleep(Math.random() * base * 50 + base * 150);
+  }
+};
+var parseProperties = (properties) => {
+  return properties;
+};
+var parseDomainValidationRecords = (certificate) => {
+  const options = certificate.DomainValidationOptions ?? [];
+  console.log("options: ", options);
+  if (options.length > 0 && options.every((opt) => opt.ResourceRecord?.Name)) {
+    const uniqueRecords = [...new Map(options.map((opt) => [opt.ResourceRecord?.Name, opt.ResourceRecord])).values()];
+    return uniqueRecords.map((record) => {
+      return {
+        Name: record.Name,
+        Type: record.Type,
+        TTL: 30,
+        ResourceRecords: [
+          {
+            Value: record.Value
+          }
+        ]
+      };
+    });
+  }
+  return null;
+};
+var changeRecordSets = async (route53, action, records, hostedZoneId) => {
+  const changeRecordSetsInput = {
+    HostedZoneId: hostedZoneId,
+    ChangeBatch: {
+      Changes: records.map((record) => ({
+        Action: action,
+        ResourceRecordSet: record
+      }))
+    }
+  };
+  const { ChangeInfo } = await route53.send(new import_client_route_53.ChangeResourceRecordSetsCommand(changeRecordSetsInput));
+  const result = await (0, import_client_route_53.waitUntilResourceRecordSetsChanged)({ client: route53, maxWaitTime: 180 }, { Id: ChangeInfo?.Id });
+  if (result.state !== "SUCCESS") {
+    throw new Error(
+      `Record sets never changed for hosted zone ${hostedZoneId}: [${result.state}] ${result.reason ?? ""}`
+    );
+  }
+  return ChangeInfo?.Id;
+};
+var requestCertificate = async (acm, route53, requestId, properties) => {
+  const { HostedZoneId, DomainName, SubjectAlternativeNames, TransparencyLoggingEnabled } = properties;
+  console.log(`Requesting certificate for ${DomainName}`);
+  const requestCertificateInput = {
+    DomainName,
+    SubjectAlternativeNames,
+    IdempotencyToken: crypto.createHash("sha256").update(requestId).digest("hex").slice(0, 32),
+    ValidationMethod: "DNS",
+    Options: {
+      CertificateTransparencyLoggingPreference: TransparencyLoggingEnabled ? "ENABLED" : "DISABLED"
+    }
+  };
+  const { CertificateArn } = await acm.send(new import_client_acm.RequestCertificateCommand(requestCertificateInput));
+  console.log(`Certificate ${CertificateArn} requested`);
+  const validationMaxSeconds = 180;
+  const validationTimeoutError = `Domain validation options were not found in ${validationMaxSeconds} seconds`;
+  const validationRecords = await tryFor(validationMaxSeconds, validationTimeoutError, async () => {
+    const describeCertificateInput = {
+      CertificateArn
+    };
+    const { Certificate } = await acm.send(new import_client_acm.DescribeCertificateCommand(describeCertificateInput));
+    return parseDomainValidationRecords(Certificate);
+  });
+  console.log(`Upserting ${validationRecords.length} validation record(s) into hosted zone ${HostedZoneId}:`);
+  validationRecords.forEach(
+    (record) => console.log(`${record.Name} ${record.Type} ${record.ResourceRecords?.map((rr) => rr.Value).join(",")}`)
+  );
+  const changeId = await changeRecordSets(route53, "UPSERT", validationRecords, HostedZoneId);
+  console.log(`All validation records changed succesfully for change id ${changeId}`);
+  console.log(`Waiting for certificate ${CertificateArn} to validate`);
+  const result = await (0, import_client_acm.waitUntilCertificateValidated)({ client: acm, maxWaitTime: 300 }, { CertificateArn });
+  if (result.state !== "SUCCESS") {
+    throw new Error(`Certificate failed ${CertificateArn} to validate: [${result.state}] ${result.reason ?? ""}`);
+  }
+  console.log(`Certificate ${CertificateArn} successfully validated`);
+  return CertificateArn;
+};
+var deleteCertificate = async (acm, route53, certificateArn, hostedZoneId, cleanupValidationRecords) => {
+  console.log(`Waiting for certificate ${certificateArn} usage to drain before deletion`);
+  const waitUsageMaxSeconds = 600;
+  const waitUsageTimeoutError = `Certificate was still in use after ${waitUsageMaxSeconds} seconds`;
+  const certificate = await tryFor(waitUsageMaxSeconds, waitUsageTimeoutError, async () => {
+    const describeCertificateInput = {
+      CertificateArn: certificateArn
+    };
+    const { Certificate } = await acm.send(new import_client_acm.DescribeCertificateCommand(describeCertificateInput));
+    const inUseBy = Certificate?.InUseBy ?? [];
+    if (inUseBy.length > 0) {
+      return null;
+    }
+    return Certificate;
+  });
+  console.log("Certificate is unused and will be deleted");
+  const validationRecords = parseDomainValidationRecords(certificate);
+  if (validationRecords && cleanupValidationRecords) {
+    console.log(`Deleting ${validationRecords.length} validation record(s) from hosted zone ${hostedZoneId}`);
+    try {
+      const changeId = await changeRecordSets(route53, "DELETE", validationRecords, hostedZoneId);
+      console.log(`All validation records removed successfully for change id ${changeId}`);
+    } catch (error) {
+      if (error instanceof import_client_route_53.InvalidChangeBatch && error.message.includes("not found")) {
+        console.log(`All validation records have already been removed by some other certificate`);
+      } else {
+        throw error;
+      }
+    }
+  }
+  console.log(`Deleting certificate ${certificateArn}`);
+  const deleteCertificateInput = {
+    CertificateArn: certificateArn
+  };
+  await acm.send(new import_client_acm.DeleteCertificateCommand(deleteCertificateInput));
+  console.log(`Certificate ${certificateArn} successfully deleted`);
+};
+var addTags = async (acm, certificateArn, tags) => {
+  const tagList = Array.from(Object.entries(tags).map(([Key, Value]) => ({ Key, Value })));
+  const addTagsInput = {
+    CertificateArn: certificateArn,
+    Tags: tagList
+  };
+  console.log(`Adding ${tagList.length} tags to certificate ${certificateArn}`);
+  await acm.send(new import_client_acm.AddTagsToCertificateCommand(addTagsInput));
+  console.log(`All tags successfully added to certificate ${certificateArn}`);
+};
+var shouldRequestNew = (oldProperties, newProperties) => {
+  if (oldProperties.HostedZoneId !== newProperties.HostedZoneId)
+    return true;
+  if (oldProperties.DomainName !== newProperties.DomainName)
+    return true;
+  if (oldProperties.CertificateRegion !== newProperties.CertificateRegion)
+    return true;
+  if (!containsSame(oldProperties.SubjectAlternativeNames ?? [], newProperties.SubjectAlternativeNames ?? []))
+    return true;
+  if (oldProperties.CleanupValidationRecords !== newProperties.CleanupValidationRecords)
+    return true;
+  if (oldProperties.TransparencyLoggingEnabled !== newProperties.TransparencyLoggingEnabled)
+    return true;
+  if (oldProperties.RemovalPolicy !== newProperties.RemovalPolicy)
+    return true;
+  return false;
+};
+var assumeRole = (roleArn, externalId) => {
+  if (!roleArn) {
+    return void 0;
+  }
+  return async () => {
+    const sts = new import_client_sts.STSClient({ retryMode: "adaptive" });
+    const assumeRoleInput = {
+      RoleArn: roleArn,
+      RoleSessionName: "CertificateRequestor",
+      ExternalId: externalId
+    };
+    const { Credentials } = await sts.send(new import_client_sts.AssumeRoleCommand(assumeRoleInput));
+    return {
+      accessKeyId: Credentials?.AccessKeyId,
+      secretAccessKey: Credentials?.SecretAccessKey,
+      sessionToken: Credentials?.SessionToken,
+      expiration: Credentials?.Expiration
+    };
+  };
+};
+var handler = async (event) => {
+  const properties = parseProperties(event.ResourceProperties);
+  const acm = new import_client_acm.ACMClient({ region: properties.CertificateRegion, retryMode: "adaptive" });
+  const route53 = new import_client_route_53.Route53Client({
+    retryMode: "adaptive",
+    credentials: assumeRole(properties.ValidationRoleArn, properties.ValidationExternalId)
+  });
+  switch (event.RequestType) {
+    case "Create": {
+      const certificateArn = await requestCertificate(acm, route53, event.RequestId, properties);
+      if (properties.Tags && Object.entries(properties.Tags).length > 0) {
+        await addTags(acm, certificateArn, properties.Tags);
+      }
+      return {
+        PhysicalResourceId: certificateArn,
+        Data: {
+          Arn: certificateArn
+        }
+      };
+    }
+    case "Update": {
+      let certificateArn = event.PhysicalResourceId;
+      if (shouldRequestNew(parseProperties(event.OldResourceProperties), properties)) {
+        certificateArn = await requestCertificate(acm, route53, event.RequestId, properties);
+      }
+      if (properties.Tags && Object.entries(properties.Tags).length > 0) {
+        await addTags(acm, certificateArn, properties.Tags);
+      }
+      return {
+        PhysicalResourceId: certificateArn,
+        Data: {
+          Arn: certificateArn
+        }
+      };
+    }
+    case "Delete": {
+      const certificateArn = event.PhysicalResourceId;
+      if (properties.RemovalPolicy === "destroy") {
+        await deleteCertificate(
+          acm,
+          route53,
+          certificateArn,
+          properties.HostedZoneId,
+          properties.CleanupValidationRecords
+        );
+      }
+      return {
+        PhysicalResourceId: certificateArn,
+        Data: {
+          Arn: certificateArn
+        }
+      };
+    }
+  }
+  throw new Error(`Invalid request type`);
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  handler
+});
+//# sourceMappingURL=index.js.map

package/assets/certificate-requestor.lambda/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/certificate-requestor.lambda.ts"],
+  "sourcesContent": ["import * as crypto from 'crypto'\nimport {\n  ACMClient,\n  AddTagsToCertificateCommand,\n  AddTagsToCertificateCommandInput,\n  CertificateDetail,\n  DeleteCertificateCommand,\n  DeleteCertificateCommandInput,\n  DescribeCertificateCommand,\n  DescribeCertificateCommandInput,\n  RequestCertificateCommand,\n  RequestCertificateCommandInput,\n  waitUntilCertificateValidated,\n} from '@aws-sdk/client-acm'\nimport {\n  ChangeAction,\n  ChangeResourceRecordSetsCommand,\n  ChangeResourceRecordSetsCommandInput,\n  InvalidChangeBatch,\n  ResourceRecordSet,\n  Route53Client,\n  waitUntilResourceRecordSetsChanged,\n} from '@aws-sdk/client-route-53'\nimport { AssumeRoleCommand, AssumeRoleCommandInput, STSClient } from '@aws-sdk/client-sts'\nimport type { AwsCredentialIdentity, Provider } from '@aws-sdk/types'\nimport type { CloudFormationCustomResourceEvent } from 'aws-lambda'\n\nexport type Properties = {\n  HostedZoneId: string\n  DomainName: string\n  SubjectAlternativeNames?: string[]\n  CertificateRegion: string\n  ValidationRoleArn?: string\n  ValidationExternalId?: string\n  CleanupValidationRecords: boolean\n  TransparencyLoggingEnabled: boolean\n  Tags?: Record<string, string>\n  RemovalPolicy: string\n}\n\nconst sleep = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))\n\nconst containsSame = <T>(array1: T[], array2: T[]): boolean => {\n  if (array1.length !== array2.length) return false\n  return array1.every((v1) => array2.includes(v1))\n}\n\nconst tryFor = async <T>(maxSeconds: number, timeoutError: string, fn: () => Promise<T | null>): Promise<T> => {\n  const startTime = Date.now()\n  // eslint-disable-next-line no-constant-condition\n  for (let i = 0; true; i++) {\n    if (Date.now() > startTime + maxSeconds * 1000) {\n      throw new Error(timeoutError)\n    }\n    const result = await fn()\n    if (result !== null) {\n      return result\n    }\n    const base = Math.pow(2, i)\n    await sleep(Math.random() * base * 50 + base * 150)\n  }\n}\n\nconst parseProperties = (properties: Record<string, any>): Properties => {\n  // maybe should actually parse and not just assume\n  return properties as unknown as Properties\n}\n\nconst parseDomainValidationRecords = (certificate: CertificateDetail): ResourceRecordSet[] | null => {\n  const options = certificate.DomainValidationOptions ?? []\n  console.log('options: ', options)\n  if (options.length > 0 && options.every((opt) => opt.ResourceRecord?.Name)) {\n    const uniqueRecords = [...new Map(options.map((opt) => [opt.ResourceRecord?.Name!, opt.ResourceRecord!])).values()]\n    return uniqueRecords.map((record) => {\n      return {\n        Name: record.Name,\n        Type: record.Type,\n        TTL: 30,\n        ResourceRecords: [\n          {\n            Value: record.Value,\n          },\n        ],\n      }\n    })\n  }\n  return null\n}\n\nconst changeRecordSets = async (\n  route53: Route53Client,\n  action: ChangeAction,\n  records: ResourceRecordSet[],\n  hostedZoneId: string\n): Promise<string> => {\n  const changeRecordSetsInput: ChangeResourceRecordSetsCommandInput = {\n    HostedZoneId: hostedZoneId,\n    ChangeBatch: {\n      Changes: records.map((record) => ({\n        Action: action,\n        ResourceRecordSet: record,\n      })),\n    },\n  }\n  const { ChangeInfo } = await route53.send(new ChangeResourceRecordSetsCommand(changeRecordSetsInput))\n  const result = await waitUntilResourceRecordSetsChanged({ client: route53, maxWaitTime: 180 }, { Id: ChangeInfo?.Id })\n  if (result.state !== 'SUCCESS') {\n    throw new Error(\n      `Record sets never changed for hosted zone ${hostedZoneId}: [${result.state}] ${result.reason ?? ''}`\n    )\n  }\n  return ChangeInfo?.Id!\n}\n\nconst requestCertificate = async (\n  acm: ACMClient,\n  route53: Route53Client,\n  requestId: string,\n  properties: Properties\n): Promise<string> => {\n  const { HostedZoneId, DomainName, SubjectAlternativeNames, TransparencyLoggingEnabled } = properties\n\n  console.log(`Requesting certificate for ${DomainName}`)\n\n  const requestCertificateInput: RequestCertificateCommandInput = {\n    DomainName,\n    SubjectAlternativeNames: SubjectAlternativeNames,\n    IdempotencyToken: crypto.createHash('sha256').update(requestId).digest('hex').slice(0, 32),\n    ValidationMethod: 'DNS',\n    Options: {\n      CertificateTransparencyLoggingPreference: TransparencyLoggingEnabled ? 'ENABLED' : 'DISABLED',\n    },\n  }\n  const { CertificateArn } = await acm.send(new RequestCertificateCommand(requestCertificateInput))\n\n  console.log(`Certificate ${CertificateArn} requested`)\n\n  const validationMaxSeconds = 180\n  const validationTimeoutError = `Domain validation options were not found in ${validationMaxSeconds} seconds`\n  const validationRecords = await tryFor(validationMaxSeconds, validationTimeoutError, async () => {\n    const describeCertificateInput: DescribeCertificateCommandInput = {\n      CertificateArn,\n    }\n    const { Certificate } = await acm.send(new DescribeCertificateCommand(describeCertificateInput))\n    return parseDomainValidationRecords(Certificate!)\n  })\n\n  console.log(`Upserting ${validationRecords.length} validation record(s) into hosted zone ${HostedZoneId}:`)\n  validationRecords.forEach((record) =>\n    console.log(`${record.Name} ${record.Type} ${record.ResourceRecords?.map((rr) => rr.Value).join(',')}`)\n  )\n  const changeId = await changeRecordSets(route53, 'UPSERT', validationRecords, HostedZoneId)\n  console.log(`All validation records changed succesfully for change id ${changeId}`)\n\n  console.log(`Waiting for certificate ${CertificateArn} to validate`)\n  const result = await waitUntilCertificateValidated({ client: acm, maxWaitTime: 300 }, { CertificateArn })\n  if (result.state !== 'SUCCESS') {\n    throw new Error(`Certificate failed ${CertificateArn} to validate: [${result.state}] ${result.reason ?? ''}`)\n  }\n  console.log(`Certificate ${CertificateArn} successfully validated`)\n  return CertificateArn!\n}\n\nconst deleteCertificate = async (\n  acm: ACMClient,\n  route53: Route53Client,\n  certificateArn: string,\n  hostedZoneId: string,\n  cleanupValidationRecords: boolean\n): Promise<void> => {\n  console.log(`Waiting for certificate ${certificateArn} usage to drain before deletion`)\n\n  const waitUsageMaxSeconds = 600\n  const waitUsageTimeoutError = `Certificate was still in use after ${waitUsageMaxSeconds} seconds`\n  const certificate = await tryFor(waitUsageMaxSeconds, waitUsageTimeoutError, async () => {\n    const describeCertificateInput: DescribeCertificateCommandInput = {\n      CertificateArn: certificateArn,\n    }\n    const { Certificate } = await acm.send(new DescribeCertificateCommand(describeCertificateInput))\n    const inUseBy = Certificate?.InUseBy ?? []\n    if (inUseBy.length > 0) {\n      return null\n    }\n    return Certificate!\n  })\n  console.log('Certificate is unused and will be deleted')\n\n  const validationRecords = parseDomainValidationRecords(certificate)\n  if (validationRecords && cleanupValidationRecords) {\n    console.log(`Deleting ${validationRecords.length} validation record(s) from hosted zone ${hostedZoneId}`)\n    try {\n      const changeId = await changeRecordSets(route53, 'DELETE', validationRecords, hostedZoneId)\n      console.log(`All validation records removed successfully for change id ${changeId}`)\n    } catch (error) {\n      if (error instanceof InvalidChangeBatch && error.message.includes('not found')) {\n        // there's a deletion race condition where some other certificate has already deleted the records\n        console.log(`All validation records have already been removed by some other certificate`)\n      } else {\n        throw error\n      }\n    }\n  }\n\n  console.log(`Deleting certificate ${certificateArn}`)\n  const deleteCertificateInput: DeleteCertificateCommandInput = {\n    CertificateArn: certificateArn,\n  }\n  await acm.send(new DeleteCertificateCommand(deleteCertificateInput))\n  console.log(`Certificate ${certificateArn} successfully deleted`)\n}\n\nconst addTags = async (acm: ACMClient, certificateArn: string, tags: Record<string, string>) => {\n  const tagList = Array.from(Object.entries(tags).map(([Key, Value]) => ({ Key, Value })))\n  const addTagsInput: AddTagsToCertificateCommandInput = {\n    CertificateArn: certificateArn,\n    Tags: tagList,\n  }\n\n  console.log(`Adding ${tagList.length} tags to certificate ${certificateArn}`)\n  await acm.send(new AddTagsToCertificateCommand(addTagsInput))\n  console.log(`All tags successfully added to certificate ${certificateArn}`)\n}\n\nconst shouldRequestNew = (oldProperties: Properties, newProperties: Properties): boolean => {\n  if (oldProperties.HostedZoneId !== newProperties.HostedZoneId) return true\n  if (oldProperties.DomainName !== newProperties.DomainName) return true\n  if (oldProperties.CertificateRegion !== newProperties.CertificateRegion) return true\n  if (!containsSame(oldProperties.SubjectAlternativeNames ?? [], newProperties.SubjectAlternativeNames ?? []))\n    return true\n  if (oldProperties.CleanupValidationRecords !== newProperties.CleanupValidationRecords) return true\n  if (oldProperties.TransparencyLoggingEnabled !== newProperties.TransparencyLoggingEnabled) return true\n  if (oldProperties.RemovalPolicy !== newProperties.RemovalPolicy) return true\n  return false\n}\n\nconst assumeRole = (\n  roleArn: string | undefined,\n  externalId: string | undefined\n): Provider<AwsCredentialIdentity> | undefined => {\n  if (!roleArn) {\n    return undefined\n  }\n  return async () => {\n    const sts = new STSClient({ retryMode: 'adaptive' })\n    const assumeRoleInput: AssumeRoleCommandInput = {\n      RoleArn: roleArn,\n      RoleSessionName: 'CertificateRequestor',\n      ExternalId: externalId,\n    }\n    const { Credentials } = await sts.send(new AssumeRoleCommand(assumeRoleInput))\n    return {\n      accessKeyId: Credentials?.AccessKeyId!,\n      secretAccessKey: Credentials?.SecretAccessKey!,\n      sessionToken: Credentials?.SessionToken!,\n      expiration: Credentials?.Expiration,\n    }\n  }\n}\n\nexport const handler = async (event: CloudFormationCustomResourceEvent) => {\n  const properties = parseProperties(event.ResourceProperties)\n\n  const acm = new ACMClient({ region: properties.CertificateRegion, retryMode: 'adaptive' })\n  const route53 = new Route53Client({\n    retryMode: 'adaptive',\n    credentials: assumeRole(properties.ValidationRoleArn, properties.ValidationExternalId),\n  })\n\n  switch (event.RequestType) {\n    case 'Create': {\n      const certificateArn = await requestCertificate(acm, route53, event.RequestId, properties)\n      if (properties.Tags && Object.entries(properties.Tags).length > 0) {\n        await addTags(acm, certificateArn, properties.Tags)\n      }\n      return {\n        PhysicalResourceId: certificateArn,\n        Data: {\n          Arn: certificateArn,\n        },\n      }\n    }\n    case 'Update': {\n      let certificateArn = event.PhysicalResourceId\n      if (shouldRequestNew(parseProperties(event.OldResourceProperties), properties)) {\n        certificateArn = await requestCertificate(acm, route53, event.RequestId, properties)\n      }\n      if (properties.Tags && Object.entries(properties.Tags).length > 0) {\n        await addTags(acm, certificateArn, properties.Tags)\n      }\n      return {\n        PhysicalResourceId: certificateArn,\n        Data: {\n          Arn: certificateArn,\n        },\n      }\n    }\n    case 'Delete': {\n      const certificateArn = event.PhysicalResourceId\n      if (properties.RemovalPolicy === 'destroy') {\n        await deleteCertificate(\n          acm,\n          route53,\n          certificateArn,\n          properties.HostedZoneId,\n          properties.CleanupValidationRecords\n        )\n      }\n      return {\n        PhysicalResourceId: certificateArn,\n        Data: {\n          Arn: certificateArn,\n        },\n      }\n    }\n  }\n  throw new Error(`Invalid request type`)\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,aAAwB;AACxB,wBAYO;AACP,6BAQO;AACP,wBAAqE;AAiBrE,IAAM,QAAQ,CAAC,OAAe,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,EAAE,CAAC;AAE9E,IAAM,eAAe,CAAI,QAAa,WAAyB;AAC7D,MAAI,OAAO,WAAW,OAAO;AAAQ,WAAO;AAC5C,SAAO,OAAO,MAAM,CAAC,OAAO,OAAO,SAAS,EAAE,CAAC;AACjD;AAEA,IAAM,SAAS,OAAU,YAAoB,cAAsB,OAA4C;AAC7G,QAAM,YAAY,KAAK,IAAI;AAE3B,WAAS,IAAI,GAAG,MAAM,KAAK;AACzB,QAAI,KAAK,IAAI,IAAI,YAAY,aAAa,KAAM;AAC9C,YAAM,IAAI,MAAM,YAAY;AAAA,IAC9B;AACA,UAAM,SAAS,MAAM,GAAG;AACxB,QAAI,WAAW,MAAM;AACnB,aAAO;AAAA,IACT;AACA,UAAM,OAAO,KAAK,IAAI,GAAG,CAAC;AAC1B,UAAM,MAAM,KAAK,OAAO,IAAI,OAAO,KAAK,OAAO,GAAG;AAAA,EACpD;AACF;AAEA,IAAM,kBAAkB,CAAC,eAAgD;AAEvE,SAAO;AACT;AAEA,IAAM,+BAA+B,CAAC,gBAA+D;AACnG,QAAM,UAAU,YAAY,2BAA2B,CAAC;AACxD,UAAQ,IAAI,aAAa,OAAO;AAChC,MAAI,QAAQ,SAAS,KAAK,QAAQ,MAAM,CAAC,QAAQ,IAAI,gBAAgB,IAAI,GAAG;AAC1E,UAAM,gBAAgB,CAAC,GAAG,IAAI,IAAI,QAAQ,IAAI,CAAC,QAAQ,CAAC,IAAI,gBAAgB,MAAO,IAAI,cAAe,CAAC,CAAC,EAAE,OAAO,CAAC;AAClH,WAAO,cAAc,IAAI,CAAC,WAAW;AACnC,aAAO;AAAA,QACL,MAAM,OAAO;AAAA,QACb,MAAM,OAAO;AAAA,QACb,KAAK;AAAA,QACL,iBAAiB;AAAA,UACf;AAAA,YACE,OAAO,OAAO;AAAA,UAChB;AAAA,QACF;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,IAAM,mBAAmB,OACvB,SACA,QACA,SACA,iBACoB;AACpB,QAAM,wBAA8D;AAAA,IAClE,cAAc;AAAA,IACd,aAAa;AAAA,MACX,SAAS,QAAQ,IAAI,CAAC,YAAY;AAAA,QAChC,QAAQ;AAAA,QACR,mBAAmB;AAAA,MACrB,EAAE;AAAA,IACJ;AAAA,EACF;AACA,QAAM,EAAE,WAAW,IAAI,MAAM,QAAQ,KAAK,IAAI,uDAAgC,qBAAqB,CAAC;AACpG,QAAM,SAAS,UAAM,2DAAmC,EAAE,QAAQ,SAAS,aAAa,IAAI,GAAG,EAAE,IAAI,YAAY,GAAG,CAAC;AACrH,MAAI,OAAO,UAAU,WAAW;AAC9B,UAAM,IAAI;AAAA,MACR,6CAA6C,kBAAkB,OAAO,UAAU,OAAO,UAAU;AAAA,IACnG;AAAA,EACF;AACA,SAAO,YAAY;AACrB;AAEA,IAAM,qBAAqB,OACzB,KACA,SACA,WACA,eACoB;AACpB,QAAM,EAAE,cAAc,YAAY,yBAAyB,2BAA2B,IAAI;AAE1F,UAAQ,IAAI,8BAA8B,YAAY;AAEtD,QAAM,0BAA0D;AAAA,IAC9D;AAAA,IACA;AAAA,IACA,kBAAyB,kBAAW,QAAQ,EAAE,OAAO,SAAS,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AAAA,IACzF,kBAAkB;AAAA,IAClB,SAAS;AAAA,MACP,0CAA0C,6BAA6B,YAAY;AAAA,IACrF;AAAA,EACF;AACA,QAAM,EAAE,eAAe,IAAI,MAAM,IAAI,KAAK,IAAI,4CAA0B,uBAAuB,CAAC;AAEhG,UAAQ,IAAI,eAAe,0BAA0B;AAErD,QAAM,uBAAuB;AAC7B,QAAM,yBAAyB,+CAA+C;AAC9E,QAAM,oBAAoB,MAAM,OAAO,sBAAsB,wBAAwB,YAAY;AAC/F,UAAM,2BAA4D;AAAA,MAChE;AAAA,IACF;AACA,UAAM,EAAE,YAAY,IAAI,MAAM,IAAI,KAAK,IAAI,6CAA2B,wBAAwB,CAAC;AAC/F,WAAO,6BAA6B,WAAY;AAAA,EAClD,CAAC;AAED,UAAQ,IAAI,aAAa,kBAAkB,gDAAgD,eAAe;AAC1G,oBAAkB;AAAA,IAAQ,CAAC,WACzB,QAAQ,IAAI,GAAG,OAAO,QAAQ,OAAO,QAAQ,OAAO,iBAAiB,IAAI,CAAC,OAAO,GAAG,KAAK,EAAE,KAAK,GAAG,GAAG;AAAA,EACxG;AACA,QAAM,WAAW,MAAM,iBAAiB,SAAS,UAAU,mBAAmB,YAAY;AAC1F,UAAQ,IAAI,4DAA4D,UAAU;AAElF,UAAQ,IAAI,2BAA2B,4BAA4B;AACnE,QAAM,SAAS,UAAM,iDAA8B,EAAE,QAAQ,KAAK,aAAa,IAAI,GAAG,EAAE,eAAe,CAAC;AACxG,MAAI,OAAO,UAAU,WAAW;AAC9B,UAAM,IAAI,MAAM,sBAAsB,gCAAgC,OAAO,UAAU,OAAO,UAAU,IAAI;AAAA,EAC9G;AACA,UAAQ,IAAI,eAAe,uCAAuC;AAClE,SAAO;AACT;AAEA,IAAM,oBAAoB,OACxB,KACA,SACA,gBACA,cACA,6BACkB;AAClB,UAAQ,IAAI,2BAA2B,+CAA+C;AAEtF,QAAM,sBAAsB;AAC5B,QAAM,wBAAwB,sCAAsC;AACpE,QAAM,cAAc,MAAM,OAAO,qBAAqB,uBAAuB,YAAY;AACvF,UAAM,2BAA4D;AAAA,MAChE,gBAAgB;AAAA,IAClB;AACA,UAAM,EAAE,YAAY,IAAI,MAAM,IAAI,KAAK,IAAI,6CAA2B,wBAAwB,CAAC;AAC/F,UAAM,UAAU,aAAa,WAAW,CAAC;AACzC,QAAI,QAAQ,SAAS,GAAG;AACtB,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,CAAC;AACD,UAAQ,IAAI,2CAA2C;AAEvD,QAAM,oBAAoB,6BAA6B,WAAW;AAClE,MAAI,qBAAqB,0BAA0B;AACjD,YAAQ,IAAI,YAAY,kBAAkB,gDAAgD,cAAc;AACxG,QAAI;AACF,YAAM,WAAW,MAAM,iBAAiB,SAAS,UAAU,mBAAmB,YAAY;AAC1F,cAAQ,IAAI,6DAA6D,UAAU;AAAA,IACrF,SAAS,OAAP;AACA,UAAI,iBAAiB,6CAAsB,MAAM,QAAQ,SAAS,WAAW,GAAG;AAE9E,gBAAQ,IAAI,4EAA4E;AAAA,MAC1F,OAAO;AACL,cAAM;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,UAAQ,IAAI,wBAAwB,gBAAgB;AACpD,QAAM,yBAAwD;AAAA,IAC5D,gBAAgB;AAAA,EAClB;AACA,QAAM,IAAI,KAAK,IAAI,2CAAyB,sBAAsB,CAAC;AACnE,UAAQ,IAAI,eAAe,qCAAqC;AAClE;AAEA,IAAM,UAAU,OAAO,KAAgB,gBAAwB,SAAiC;AAC9F,QAAM,UAAU,MAAM,KAAK,OAAO,QAAQ,IAAI,EAAE,IAAI,CAAC,CAAC,KAAK,KAAK,OAAO,EAAE,KAAK,MAAM,EAAE,CAAC;AACvF,QAAM,eAAiD;AAAA,IACrD,gBAAgB;AAAA,IAChB,MAAM;AAAA,EACR;AAEA,UAAQ,IAAI,UAAU,QAAQ,8BAA8B,gBAAgB;AAC5E,QAAM,IAAI,KAAK,IAAI,8CAA4B,YAAY,CAAC;AAC5D,UAAQ,IAAI,8CAA8C,gBAAgB;AAC5E;AAEA,IAAM,mBAAmB,CAAC,eAA2B,kBAAuC;AAC1F,MAAI,cAAc,iBAAiB,cAAc;AAAc,WAAO;AACtE,MAAI,cAAc,eAAe,cAAc;AAAY,WAAO;AAClE,MAAI,cAAc,sBAAsB,cAAc;AAAmB,WAAO;AAChF,MAAI,CAAC,aAAa,cAAc,2BAA2B,CAAC,GAAG,cAAc,2BAA2B,CAAC,CAAC;AACxG,WAAO;AACT,MAAI,cAAc,6BAA6B,cAAc;AAA0B,WAAO;AAC9F,MAAI,cAAc,+BAA+B,cAAc;AAA4B,WAAO;AAClG,MAAI,cAAc,kBAAkB,cAAc;AAAe,WAAO;AACxE,SAAO;AACT;AAEA,IAAM,aAAa,CACjB,SACA,eACgD;AAChD,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,EACT;AACA,SAAO,YAAY;AACjB,UAAM,MAAM,IAAI,4BAAU,EAAE,WAAW,WAAW,CAAC;AACnD,UAAM,kBAA0C;AAAA,MAC9C,SAAS;AAAA,MACT,iBAAiB;AAAA,MACjB,YAAY;AAAA,IACd;AACA,UAAM,EAAE,YAAY,IAAI,MAAM,IAAI,KAAK,IAAI,oCAAkB,eAAe,CAAC;AAC7E,WAAO;AAAA,MACL,aAAa,aAAa;AAAA,MAC1B,iBAAiB,aAAa;AAAA,MAC9B,cAAc,aAAa;AAAA,MAC3B,YAAY,aAAa;AAAA,IAC3B;AAAA,EACF;AACF;AAEO,IAAM,UAAU,OAAO,UAA6C;AACzE,QAAM,aAAa,gBAAgB,MAAM,kBAAkB;AAE3D,QAAM,MAAM,IAAI,4BAAU,EAAE,QAAQ,WAAW,mBAAmB,WAAW,WAAW,CAAC;AACzF,QAAM,UAAU,IAAI,qCAAc;AAAA,IAChC,WAAW;AAAA,IACX,aAAa,WAAW,WAAW,mBAAmB,WAAW,oBAAoB;AAAA,EACvF,CAAC;AAED,UAAQ,MAAM,aAAa;AAAA,IACzB,KAAK,UAAU;AACb,YAAM,iBAAiB,MAAM,mBAAmB,KAAK,SAAS,MAAM,WAAW,UAAU;AACzF,UAAI,WAAW,QAAQ,OAAO,QAAQ,WAAW,IAAI,EAAE,SAAS,GAAG;AACjE,cAAM,QAAQ,KAAK,gBAAgB,WAAW,IAAI;AAAA,MACpD;AACA,aAAO;AAAA,QACL,oBAAoB;AAAA,QACpB,MAAM;AAAA,UACJ,KAAK;AAAA,QACP;AAAA,MACF;AAAA,IACF;AAAA,IACA,KAAK,UAAU;AACb,UAAI,iBAAiB,MAAM;AAC3B,UAAI,iBAAiB,gBAAgB,MAAM,qBAAqB,GAAG,UAAU,GAAG;AAC9E,yBAAiB,MAAM,mBAAmB,KAAK,SAAS,MAAM,WAAW,UAAU;AAAA,MACrF;AACA,UAAI,WAAW,QAAQ,OAAO,QAAQ,WAAW,IAAI,EAAE,SAAS,GAAG;AACjE,cAAM,QAAQ,KAAK,gBAAgB,WAAW,IAAI;AAAA,MACpD;AACA,aAAO;AAAA,QACL,oBAAoB;AAAA,QACpB,MAAM;AAAA,UACJ,KAAK;AAAA,QACP;AAAA,MACF;AAAA,IACF;AAAA,IACA,KAAK,UAAU;AACb,YAAM,iBAAiB,MAAM;AAC7B,UAAI,WAAW,kBAAkB,WAAW;AAC1C,cAAM;AAAA,UACJ;AAAA,UACA;AAAA,UACA;AAAA,UACA,WAAW;AAAA,UACX,WAAW;AAAA,QACb;AAAA,MACF;AACA,aAAO;AAAA,QACL,oBAAoB;AAAA,QACpB,MAAM;AAAA,UACJ,KAAK;AAAA,QACP;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACA,QAAM,IAAI,MAAM,sBAAsB;AACxC;",
+  "names": []
+}

package/lib/certificate-requestor-function.d.ts

@@ -0,0 +1,13 @@
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { Construct } from 'constructs';
+/**
+ * Props for CertificateRequestorFunction
+ */
+export interface CertificateRequestorFunctionProps extends lambda.FunctionOptions {
+}
+/**
+ * An AWS Lambda function which executes src/certificate-requestor.
+ */
+export declare class CertificateRequestorFunction extends lambda.Function {
+    constructor(scope: Construct, id: string, props?: CertificateRequestorFunctionProps);
+}

package/lib/certificate-requestor-function.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificateRequestorFunction = void 0;
+// ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
+const path = require("path");
+const lambda = require("aws-cdk-lib/aws-lambda");
+/**
+ * An AWS Lambda function which executes src/certificate-requestor.
+ */
+class CertificateRequestorFunction extends lambda.Function {
+    constructor(scope, id, props) {
+        super(scope, id, {
+            description: 'src/certificate-requestor.lambda.ts',
+            ...props,
+            runtime: new lambda.Runtime('nodejs18.x', lambda.RuntimeFamily.NODEJS),
+            handler: 'index.handler',
+            code: lambda.Code.fromAsset(path.join(__dirname, '../assets/certificate-requestor.lambda')),
+        });
+        this.addEnvironment('AWS_NODEJS_CONNECTION_REUSE_ENABLED', '1', { removeInEdge: true });
+    }
+}
+exports.CertificateRequestorFunction = CertificateRequestorFunction;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2VydGlmaWNhdGUtcmVxdWVzdG9yLWZ1bmN0aW9uLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vc3JjL2NlcnRpZmljYXRlLXJlcXVlc3Rvci1mdW5jdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSw2RUFBNkU7QUFDN0UsNkJBQTZCO0FBQzdCLGlEQUFpRDtBQVNqRDs7R0FFRztBQUNILE1BQWEsNEJBQTZCLFNBQVEsTUFBTSxDQUFDLFFBQVE7SUFDL0QsWUFBWSxLQUFnQixFQUFFLEVBQVUsRUFBRSxLQUF5QztRQUNqRixLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsRUFBRTtZQUNmLFdBQVcsRUFBRSxxQ0FBcUM7WUFDbEQsR0FBRyxLQUFLO1lBQ1IsT0FBTyxFQUFFLElBQUksTUFBTSxDQUFDLE9BQU8sQ0FBQyxZQUFZLEVBQUUsTUFBTSxDQUFDLGFBQWEsQ0FBQyxNQUFNLENBQUM7WUFDdEUsT0FBTyxFQUFFLGVBQWU7WUFDeEIsSUFBSSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFLHdDQUF3QyxDQUFDLENBQUM7U0FDNUYsQ0FBQyxDQUFDO1FBQ0gsSUFBSSxDQUFDLGNBQWMsQ0FBQyxxQ0FBcUMsRUFBRSxHQUFHLEVBQUUsRUFBRSxZQUFZLEVBQUUsSUFBSSxFQUFFLENBQUMsQ0FBQztJQUMxRixDQUFDO0NBQ0Y7QUFYRCxvRUFXQyIsInNvdXJjZXNDb250ZW50IjpbIi8vIH5+IEdlbmVyYXRlZCBieSBwcm9qZW4uIFRvIG1vZGlmeSwgZWRpdCAucHJvamVucmMudHMgYW5kIHJ1biBcIm5weCBwcm9qZW5cIi5cbmltcG9ydCAqIGFzIHBhdGggZnJvbSAncGF0aCc7XG5pbXBvcnQgKiBhcyBsYW1iZGEgZnJvbSAnYXdzLWNkay1saWIvYXdzLWxhbWJkYSc7XG5pbXBvcnQgeyBDb25zdHJ1Y3QgfSBmcm9tICdjb25zdHJ1Y3RzJztcblxuLyoqXG4gKiBQcm9wcyBmb3IgQ2VydGlmaWNhdGVSZXF1ZXN0b3JGdW5jdGlvblxuICovXG5leHBvcnQgaW50ZXJmYWNlIENlcnRpZmljYXRlUmVxdWVzdG9yRnVuY3Rpb25Qcm9wcyBleHRlbmRzIGxhbWJkYS5GdW5jdGlvbk9wdGlvbnMge1xufVxuXG4vKipcbiAqIEFuIEFXUyBMYW1iZGEgZnVuY3Rpb24gd2hpY2ggZXhlY3V0ZXMgc3JjL2NlcnRpZmljYXRlLXJlcXVlc3Rvci5cbiAqL1xuZXhwb3J0IGNsYXNzIENlcnRpZmljYXRlUmVxdWVzdG9yRnVuY3Rpb24gZXh0ZW5kcyBsYW1iZGEuRnVuY3Rpb24ge1xuICBjb25zdHJ1Y3RvcihzY29wZTogQ29uc3RydWN0LCBpZDogc3RyaW5nLCBwcm9wcz86IENlcnRpZmljYXRlUmVxdWVzdG9yRnVuY3Rpb25Qcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCwge1xuICAgICAgZGVzY3JpcHRpb246ICdzcmMvY2VydGlmaWNhdGUtcmVxdWVzdG9yLmxhbWJkYS50cycsXG4gICAgICAuLi5wcm9wcyxcbiAgICAgIHJ1bnRpbWU6IG5ldyBsYW1iZGEuUnVudGltZSgnbm9kZWpzMTgueCcsIGxhbWJkYS5SdW50aW1lRmFtaWx5Lk5PREVKUyksXG4gICAgICBoYW5kbGVyOiAnaW5kZXguaGFuZGxlcicsXG4gICAgICBjb2RlOiBsYW1iZGEuQ29kZS5mcm9tQXNzZXQocGF0aC5qb2luKF9fZGlybmFtZSwgJy4uL2Fzc2V0cy9jZXJ0aWZpY2F0ZS1yZXF1ZXN0b3IubGFtYmRhJykpLFxuICAgIH0pO1xuICAgIHRoaXMuYWRkRW52aXJvbm1lbnQoJ0FXU19OT0RFSlNfQ09OTkVDVElPTl9SRVVTRV9FTkFCTEVEJywgJzEnLCB7IHJlbW92ZUluRWRnZTogdHJ1ZSB9KTtcbiAgfVxufSJdfQ==