@trautonen/cdk-dns-validated-certificate 0.0.53 → 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.jsii +90 -73
- package/API.md +129 -65
- package/README.md +31 -4
- package/assets/certificate-requestor.lambda/index.js +116 -37
- package/assets/certificate-requestor.lambda/index.js.map +2 -2
- package/lib/certificate-requestor.lambda.d.ts +8 -4
- package/lib/certificate-requestor.lambda.js +75 -33
- package/lib/dns-validated-certificate.d.ts +73 -40
- package/lib/dns-validated-certificate.js +73 -37
- package/lib/utils.d.ts +4 -0
- package/lib/utils.js +33 -2
- package/package.json +1 -1
package/.jsii
CHANGED
|
@@ -3485,7 +3485,7 @@
|
|
|
3485
3485
|
},
|
|
3486
3486
|
"name": "@trautonen/cdk-dns-validated-certificate",
|
|
3487
3487
|
"readme": {
|
|
3488
|
-
"markdown": "# AWS CDK DNS Validated Certificate\n\nCDK does not have a built in construct to manage cross-region or cross-account DNS validated certificates. There's an
|
|
3488
|
+
"markdown": "# AWS CDK DNS Validated Certificate\n\nCDK does not have a built in construct to manage cross-region or cross-account DNS validated certificates. There's an\nattempt to work around the issue with a cross region references option for stacks, but it has a lot of issues and still\ndoes not solve the cross-account use case.\n\nThis construct solves these problems by managing the certificate as a custom resource and with direct API calls to ACM\nand Route53. In the future it will be possible to support not only Route53, but other DNS services too.\n\n## Usage for cross-region validation\n\n```typescript\n// hosted zone managed by the CDK application\nconst hostedZone: route53.IHostedZone = ...\n// no separate validation role is needed\nconst certificate = new DnsValidatedCertificate(this, 'CrossRegionCertificate', {\n hostedZone: hostedZone,\n domainName: 'example.com', // must be compatible with the hosted zone\n certificateRegion: 'us-east-1' // used by for example CloudFront\n})\n```\n\n## Usage for cross-account validation\n\n```typescript\n// external hosted zone\nconst hostedZone: route53.IHostedZone = route53.HostedZone.fromHostedZoneAttributes(this, 'HostedZone', {\n hostedZoneId: 'Z532DGDEDFS123456789',\n zoneName: 'example.com',\n})\n// validation role on the same account as the hosted zone\nconst roleArn = 'arn:aws:iam::123456789:role/ChangeDnsRecordsRole'\nconst externalId = 'domain-assume'\nconst validationRole: iam.IRole = iam.Role.fromRoleArn(this, 'ValidationRole', roleArn)\nconst certificate = new DnsValidatedCertificate(this, 'CrossAccountCertificate', {\n hostedZone: hostedZone,\n domainName: 'example.com',\n validationRole: validationRole,\n validationExternalId: externalId,\n})\n```\n\n## Usage for cross-account alternative names validation\n\n```typescript\n// example.com is validated on same account against managed hosted zone\n// and secondary.com is validated against external hosted zone on other account\nconst hostedZoneForMain: route53.IHostedZone = ...\nconst hostedZoneForAlternative: route53.IHostedZone =\n route53.HostedZone.fromHostedZoneAttributes(this, 'SecondaryHostedZone', {\n hostedZoneId: 'Z532DGDEDFS123456789',\n zoneName: 'secondary.com'\n})\nconst certificate = new DnsValidatedCertificate(this, 'CrossAccountCertificate', {\n domainName: 'example.com',\n alternativeDomainNames: ['secondary.com'],\n validationHostedZones: [{\n hostedZone: hostedZoneForMain\n },{\n hostedZone: hostedZoneForAlternative,\n validationRole: iam.Role.fromRoleArn(\n this, 'SecondaryValidationRole', 'arn:aws:iam::123456789:role/ChangeDnsRecordsRole'\n ),\n validationExternalId: 'domain-assume'\n }]\n})\n```\n"
|
|
3489
3489
|
},
|
|
3490
3490
|
"repository": {
|
|
3491
3491
|
"type": "git",
|
|
@@ -3502,7 +3502,7 @@
|
|
|
3502
3502
|
"assembly": "@trautonen/cdk-dns-validated-certificate",
|
|
3503
3503
|
"base": "aws-cdk-lib.Resource",
|
|
3504
3504
|
"docs": {
|
|
3505
|
-
"example": "//
|
|
3505
|
+
"example": "// ### Cross-region certificate validation\n// hosted zone managed by the CDK application\nconst hostedZone: route53.IHostedZone = ...\n// no separate validation role is needed\nconst certificate = new DnsValidatedCertificate(this, 'CrossRegionCertificate', {\n domainName: 'example.com', // must be compatible with the hosted zone\n validationHostedZones: [{ // hosted zone used with the execution role's permissions\n hostedZone: hostedZone\n }],\n certificateRegion: 'us-east-1' // used by for example CloudFront\n})\n// ### Cross-account certificate validation\n// external hosted zone\nconst hostedZone: route53.IHostedZone =\n route53.HostedZone.fromHostedZoneAttributes(this, 'HostedZone', {\n hostedZoneId: 'Z532DGDEDFS123456789',\n zoneName: 'example.com'\n })\n// validation role in the same account as the hosted zone\nconst roleArn = 'arn:aws:iam::123456789:role/ChangeDnsRecordsRole'\nconst externalId = 'domain-assume'\nconst validationRole: iam.IRole =\n iam.Role.fromRoleArn(this, 'ValidationRole', roleArn)\nconst certificate = new DnsValidatedCertificate(this, 'CrossAccountCertificate', {\n domainName: 'example.com',\n validationHostedZones: [{\n hostedZone: hostedZone,\n validationRole: validationRole,\n validationExternalId: externalId\n }]\n})\n// ### Cross-account alternative name validation\n// example.com is validated on same account against managed hosted zone\n// and secondary.com is validated against external hosted zone on other account\nconst hostedZoneForMain: route53.IHostedZone = ...\nconst hostedZoneForAlternative: route53.IHostedZone =\n route53.HostedZone.fromHostedZoneAttributes(this, 'SecondaryHostedZone', {\n hostedZoneId: 'Z532DGDEDFS123456789',\n zoneName: 'secondary.com'\n })\nconst certificate = new DnsValidatedCertificate(this, 'CrossAccountCertificate', {\n domainName: 'example.com',\n alternativeDomainNames: ['secondary.com'],\n validationHostedZones: [{\n hostedZone: hostedZoneForMain\n },{\n hostedZone: hostedZoneForAlternative,\n validationRole: iam.Role.fromRoleArn(\n this, 'SecondaryValidationRole', 'arn:aws:iam::123456789:role/ChangeDnsRecordsRole'\n ),\n validationExternalId: 'domain-assume'\n }]\n})@resource[object Object]@resource[object Object]",
|
|
3506
3506
|
"remarks": "Will be automatically validated using DNS validation against the\nspecified Route 53 hosted zone. This construct should be used only for cross-region or cross-account certificate\nvalidations. The default ``Certificate`` construct is better in cases where everything is managed by the CDK\napplication.\n\nPlease note that this construct does not support alternative names yet as it would require domain to role mapping.",
|
|
3507
3507
|
"stability": "stable",
|
|
3508
3508
|
"summary": "A certificate managed by AWS Certificate Manager."
|
|
@@ -3515,7 +3515,7 @@
|
|
|
3515
3515
|
},
|
|
3516
3516
|
"locationInModule": {
|
|
3517
3517
|
"filename": "src/dns-validated-certificate.ts",
|
|
3518
|
-
"line":
|
|
3518
|
+
"line": 213
|
|
3519
3519
|
},
|
|
3520
3520
|
"parameters": [
|
|
3521
3521
|
{
|
|
@@ -3554,7 +3554,7 @@
|
|
|
3554
3554
|
"kind": "class",
|
|
3555
3555
|
"locationInModule": {
|
|
3556
3556
|
"filename": "src/dns-validated-certificate.ts",
|
|
3557
|
-
"line":
|
|
3557
|
+
"line": 193
|
|
3558
3558
|
},
|
|
3559
3559
|
"methods": [
|
|
3560
3560
|
{
|
|
@@ -3565,7 +3565,7 @@
|
|
|
3565
3565
|
},
|
|
3566
3566
|
"locationInModule": {
|
|
3567
3567
|
"filename": "src/dns-validated-certificate.ts",
|
|
3568
|
-
"line":
|
|
3568
|
+
"line": 338
|
|
3569
3569
|
},
|
|
3570
3570
|
"name": "applyRemovalPolicy",
|
|
3571
3571
|
"overrides": "aws-cdk-lib.Resource",
|
|
@@ -3586,7 +3586,7 @@
|
|
|
3586
3586
|
},
|
|
3587
3587
|
"locationInModule": {
|
|
3588
3588
|
"filename": "src/dns-validated-certificate.ts",
|
|
3589
|
-
"line":
|
|
3589
|
+
"line": 326
|
|
3590
3590
|
},
|
|
3591
3591
|
"name": "metricDaysToExpiry",
|
|
3592
3592
|
"overrides": "aws-cdk-lib.aws_certificatemanager.ICertificate",
|
|
@@ -3616,7 +3616,7 @@
|
|
|
3616
3616
|
"immutable": true,
|
|
3617
3617
|
"locationInModule": {
|
|
3618
3618
|
"filename": "src/dns-validated-certificate.ts",
|
|
3619
|
-
"line":
|
|
3619
|
+
"line": 195
|
|
3620
3620
|
},
|
|
3621
3621
|
"name": "certificateArn",
|
|
3622
3622
|
"overrides": "aws-cdk-lib.aws_certificatemanager.ICertificate",
|
|
@@ -3632,58 +3632,13 @@
|
|
|
3632
3632
|
"immutable": true,
|
|
3633
3633
|
"locationInModule": {
|
|
3634
3634
|
"filename": "src/dns-validated-certificate.ts",
|
|
3635
|
-
"line":
|
|
3635
|
+
"line": 198
|
|
3636
3636
|
},
|
|
3637
3637
|
"name": "certificateRegion",
|
|
3638
3638
|
"type": {
|
|
3639
3639
|
"primitive": "string"
|
|
3640
3640
|
}
|
|
3641
3641
|
},
|
|
3642
|
-
{
|
|
3643
|
-
"docs": {
|
|
3644
|
-
"stability": "stable",
|
|
3645
|
-
"summary": "The domain name included in the certificate."
|
|
3646
|
-
},
|
|
3647
|
-
"immutable": true,
|
|
3648
|
-
"locationInModule": {
|
|
3649
|
-
"filename": "src/dns-validated-certificate.ts",
|
|
3650
|
-
"line": 166
|
|
3651
|
-
},
|
|
3652
|
-
"name": "domainName",
|
|
3653
|
-
"type": {
|
|
3654
|
-
"primitive": "string"
|
|
3655
|
-
}
|
|
3656
|
-
},
|
|
3657
|
-
{
|
|
3658
|
-
"docs": {
|
|
3659
|
-
"stability": "stable",
|
|
3660
|
-
"summary": "The hosted zone identifier authoritative for the certificate."
|
|
3661
|
-
},
|
|
3662
|
-
"immutable": true,
|
|
3663
|
-
"locationInModule": {
|
|
3664
|
-
"filename": "src/dns-validated-certificate.ts",
|
|
3665
|
-
"line": 160
|
|
3666
|
-
},
|
|
3667
|
-
"name": "hostedZoneId",
|
|
3668
|
-
"type": {
|
|
3669
|
-
"primitive": "string"
|
|
3670
|
-
}
|
|
3671
|
-
},
|
|
3672
|
-
{
|
|
3673
|
-
"docs": {
|
|
3674
|
-
"stability": "stable",
|
|
3675
|
-
"summary": "The hosted zone name authoritative for the certificate."
|
|
3676
|
-
},
|
|
3677
|
-
"immutable": true,
|
|
3678
|
-
"locationInModule": {
|
|
3679
|
-
"filename": "src/dns-validated-certificate.ts",
|
|
3680
|
-
"line": 163
|
|
3681
|
-
},
|
|
3682
|
-
"name": "hostedZoneName",
|
|
3683
|
-
"type": {
|
|
3684
|
-
"primitive": "string"
|
|
3685
|
-
}
|
|
3686
|
-
},
|
|
3687
3642
|
{
|
|
3688
3643
|
"docs": {
|
|
3689
3644
|
"stability": "stable",
|
|
@@ -3692,7 +3647,7 @@
|
|
|
3692
3647
|
"immutable": true,
|
|
3693
3648
|
"locationInModule": {
|
|
3694
3649
|
"filename": "src/dns-validated-certificate.ts",
|
|
3695
|
-
"line":
|
|
3650
|
+
"line": 201
|
|
3696
3651
|
},
|
|
3697
3652
|
"name": "tags",
|
|
3698
3653
|
"overrides": "aws-cdk-lib.ITaggable",
|
|
@@ -3713,7 +3668,7 @@
|
|
|
3713
3668
|
"kind": "interface",
|
|
3714
3669
|
"locationInModule": {
|
|
3715
3670
|
"filename": "src/dns-validated-certificate.ts",
|
|
3716
|
-
"line":
|
|
3671
|
+
"line": 45
|
|
3717
3672
|
},
|
|
3718
3673
|
"name": "DnsValidatedCertificateProps",
|
|
3719
3674
|
"properties": [
|
|
@@ -3727,7 +3682,7 @@
|
|
|
3727
3682
|
"immutable": true,
|
|
3728
3683
|
"locationInModule": {
|
|
3729
3684
|
"filename": "src/dns-validated-certificate.ts",
|
|
3730
|
-
"line":
|
|
3685
|
+
"line": 51
|
|
3731
3686
|
},
|
|
3732
3687
|
"name": "domainName",
|
|
3733
3688
|
"type": {
|
|
@@ -3737,18 +3692,46 @@
|
|
|
3737
3692
|
{
|
|
3738
3693
|
"abstract": true,
|
|
3739
3694
|
"docs": {
|
|
3740
|
-
"remarks": "
|
|
3695
|
+
"remarks": "Hosted zones are mapped to domain names by the zone name.",
|
|
3741
3696
|
"stability": "stable",
|
|
3742
|
-
"summary": "
|
|
3697
|
+
"summary": "List of hosted zones to use for validation."
|
|
3743
3698
|
},
|
|
3744
3699
|
"immutable": true,
|
|
3745
3700
|
"locationInModule": {
|
|
3746
3701
|
"filename": "src/dns-validated-certificate.ts",
|
|
3747
|
-
"line":
|
|
3702
|
+
"line": 63
|
|
3748
3703
|
},
|
|
3749
|
-
"name": "
|
|
3704
|
+
"name": "validationHostedZones",
|
|
3750
3705
|
"type": {
|
|
3751
|
-
"
|
|
3706
|
+
"collection": {
|
|
3707
|
+
"elementtype": {
|
|
3708
|
+
"fqn": "@trautonen/cdk-dns-validated-certificate.ValidationHostedZone"
|
|
3709
|
+
},
|
|
3710
|
+
"kind": "array"
|
|
3711
|
+
}
|
|
3712
|
+
}
|
|
3713
|
+
},
|
|
3714
|
+
{
|
|
3715
|
+
"abstract": true,
|
|
3716
|
+
"docs": {
|
|
3717
|
+
"remarks": "May contain wildcards, such as ``*.otherdomain.com``.",
|
|
3718
|
+
"stability": "stable",
|
|
3719
|
+
"summary": "Fully-qualified alternative domain names to request a certificate for."
|
|
3720
|
+
},
|
|
3721
|
+
"immutable": true,
|
|
3722
|
+
"locationInModule": {
|
|
3723
|
+
"filename": "src/dns-validated-certificate.ts",
|
|
3724
|
+
"line": 58
|
|
3725
|
+
},
|
|
3726
|
+
"name": "alternativeDomainNames",
|
|
3727
|
+
"optional": true,
|
|
3728
|
+
"type": {
|
|
3729
|
+
"collection": {
|
|
3730
|
+
"elementtype": {
|
|
3731
|
+
"primitive": "string"
|
|
3732
|
+
},
|
|
3733
|
+
"kind": "array"
|
|
3734
|
+
}
|
|
3752
3735
|
}
|
|
3753
3736
|
},
|
|
3754
3737
|
{
|
|
@@ -3762,7 +3745,7 @@
|
|
|
3762
3745
|
"immutable": true,
|
|
3763
3746
|
"locationInModule": {
|
|
3764
3747
|
"filename": "src/dns-validated-certificate.ts",
|
|
3765
|
-
"line":
|
|
3748
|
+
"line": 73
|
|
3766
3749
|
},
|
|
3767
3750
|
"name": "certificateRegion",
|
|
3768
3751
|
"optional": true,
|
|
@@ -3781,7 +3764,7 @@
|
|
|
3781
3764
|
"immutable": true,
|
|
3782
3765
|
"locationInModule": {
|
|
3783
3766
|
"filename": "src/dns-validated-certificate.ts",
|
|
3784
|
-
"line":
|
|
3767
|
+
"line": 96
|
|
3785
3768
|
},
|
|
3786
3769
|
"name": "cleanupValidationRecords",
|
|
3787
3770
|
"optional": true,
|
|
@@ -3793,14 +3776,14 @@
|
|
|
3793
3776
|
"abstract": true,
|
|
3794
3777
|
"docs": {
|
|
3795
3778
|
"default": "- Lambda creates a default execution role.",
|
|
3796
|
-
"remarks": "The role is given permissions to request certificates from ACM. If
|
|
3779
|
+
"remarks": "The role is given permissions to request certificates from ACM. If there are any ``validationRole``s provided,\nthis role is also given permission to assume the ``validationRole``. Otherwise it is assumed that the hosted zone\nis in same account and the execution role is given permissions to change DNS records for the given ``domainName``.",
|
|
3797
3780
|
"stability": "stable",
|
|
3798
3781
|
"summary": "The role that is used for the custom resource Lambda execution."
|
|
3799
3782
|
},
|
|
3800
3783
|
"immutable": true,
|
|
3801
3784
|
"locationInModule": {
|
|
3802
3785
|
"filename": "src/dns-validated-certificate.ts",
|
|
3803
|
-
"line":
|
|
3786
|
+
"line": 84
|
|
3804
3787
|
},
|
|
3805
3788
|
"name": "customResourceRole",
|
|
3806
3789
|
"optional": true,
|
|
@@ -3819,7 +3802,7 @@
|
|
|
3819
3802
|
"immutable": true,
|
|
3820
3803
|
"locationInModule": {
|
|
3821
3804
|
"filename": "src/dns-validated-certificate.ts",
|
|
3822
|
-
"line":
|
|
3805
|
+
"line": 121
|
|
3823
3806
|
},
|
|
3824
3807
|
"name": "removalPolicy",
|
|
3825
3808
|
"optional": true,
|
|
@@ -3839,18 +3822,52 @@
|
|
|
3839
3822
|
"immutable": true,
|
|
3840
3823
|
"locationInModule": {
|
|
3841
3824
|
"filename": "src/dns-validated-certificate.ts",
|
|
3842
|
-
"line":
|
|
3825
|
+
"line": 108
|
|
3843
3826
|
},
|
|
3844
3827
|
"name": "transparencyLoggingEnabled",
|
|
3845
3828
|
"optional": true,
|
|
3846
3829
|
"type": {
|
|
3847
3830
|
"primitive": "boolean"
|
|
3848
3831
|
}
|
|
3832
|
+
}
|
|
3833
|
+
],
|
|
3834
|
+
"symbolId": "src/dns-validated-certificate:DnsValidatedCertificateProps"
|
|
3835
|
+
},
|
|
3836
|
+
"@trautonen/cdk-dns-validated-certificate.ValidationHostedZone": {
|
|
3837
|
+
"assembly": "@trautonen/cdk-dns-validated-certificate",
|
|
3838
|
+
"datatype": true,
|
|
3839
|
+
"docs": {
|
|
3840
|
+
"stability": "stable"
|
|
3841
|
+
},
|
|
3842
|
+
"fqn": "@trautonen/cdk-dns-validated-certificate.ValidationHostedZone",
|
|
3843
|
+
"kind": "interface",
|
|
3844
|
+
"locationInModule": {
|
|
3845
|
+
"filename": "src/dns-validated-certificate.ts",
|
|
3846
|
+
"line": 13
|
|
3847
|
+
},
|
|
3848
|
+
"name": "ValidationHostedZone",
|
|
3849
|
+
"properties": [
|
|
3850
|
+
{
|
|
3851
|
+
"abstract": true,
|
|
3852
|
+
"docs": {
|
|
3853
|
+
"remarks": "The zone name is matched to domain name to use the right\nhosted zone for validation.\n\nIf the hosted zone is not managed by the CDK application, it needs to be provided via\n``HostedZone.fromHostedZoneAttributes()``.",
|
|
3854
|
+
"stability": "stable",
|
|
3855
|
+
"summary": "Hosted zone to use for DNS validation."
|
|
3856
|
+
},
|
|
3857
|
+
"immutable": true,
|
|
3858
|
+
"locationInModule": {
|
|
3859
|
+
"filename": "src/dns-validated-certificate.ts",
|
|
3860
|
+
"line": 21
|
|
3861
|
+
},
|
|
3862
|
+
"name": "hostedZone",
|
|
3863
|
+
"type": {
|
|
3864
|
+
"fqn": "aws-cdk-lib.aws_route53.IHostedZone"
|
|
3865
|
+
}
|
|
3849
3866
|
},
|
|
3850
3867
|
{
|
|
3851
3868
|
"abstract": true,
|
|
3852
3869
|
"docs": {
|
|
3853
|
-
"default": "- No external id provided during assume",
|
|
3870
|
+
"default": "- No external id provided during assume.",
|
|
3854
3871
|
"remarks": "This should be used only when ``validationRole`` is given and the role expects an external id provided on assume.",
|
|
3855
3872
|
"stability": "stable",
|
|
3856
3873
|
"summary": "External id for ``validationRole`` role assume verification."
|
|
@@ -3858,7 +3875,7 @@
|
|
|
3858
3875
|
"immutable": true,
|
|
3859
3876
|
"locationInModule": {
|
|
3860
3877
|
"filename": "src/dns-validated-certificate.ts",
|
|
3861
|
-
"line":
|
|
3878
|
+
"line": 42
|
|
3862
3879
|
},
|
|
3863
3880
|
"name": "validationExternalId",
|
|
3864
3881
|
"optional": true,
|
|
@@ -3877,7 +3894,7 @@
|
|
|
3877
3894
|
"immutable": true,
|
|
3878
3895
|
"locationInModule": {
|
|
3879
3896
|
"filename": "src/dns-validated-certificate.ts",
|
|
3880
|
-
"line":
|
|
3897
|
+
"line": 33
|
|
3881
3898
|
},
|
|
3882
3899
|
"name": "validationRole",
|
|
3883
3900
|
"optional": true,
|
|
@@ -3886,9 +3903,9 @@
|
|
|
3886
3903
|
}
|
|
3887
3904
|
}
|
|
3888
3905
|
],
|
|
3889
|
-
"symbolId": "src/dns-validated-certificate:
|
|
3906
|
+
"symbolId": "src/dns-validated-certificate:ValidationHostedZone"
|
|
3890
3907
|
}
|
|
3891
3908
|
},
|
|
3892
|
-
"version": "0.0
|
|
3893
|
-
"fingerprint": "
|
|
3909
|
+
"version": "0.1.0",
|
|
3910
|
+
"fingerprint": "Bktg8A6Txh0+ENfA1cj20+yVxDXS61ZA4YjNTGEWmSk="
|
|
3894
3911
|
}
|
package/API.md
CHANGED
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
# AWS CDK DNS Validated Certificate
|
|
2
2
|
|
|
3
|
-
CDK does not have a built in construct to manage cross-region or cross-account DNS validated certificates. There's an
|
|
3
|
+
CDK does not have a built in construct to manage cross-region or cross-account DNS validated certificates. There's an
|
|
4
|
+
attempt to work around the issue with a cross region references option for stacks, but it has a lot of issues and still
|
|
5
|
+
does not solve the cross-account use case.
|
|
4
6
|
|
|
5
|
-
This construct solves these problems by managing the certificate as a custom resource and with direct API calls to ACM
|
|
6
|
-
|
|
7
|
-
Currently there's a limitation which does not allow using alternative names for the certificate as it would require mapping of different roles to different hosted zones. This API is currently being developed.
|
|
7
|
+
This construct solves these problems by managing the certificate as a custom resource and with direct API calls to ACM
|
|
8
|
+
and Route53. In the future it will be possible to support not only Route53, but other DNS services too.
|
|
8
9
|
|
|
9
10
|
## Usage for cross-region validation
|
|
10
11
|
|
|
@@ -39,6 +40,32 @@ const certificate = new DnsValidatedCertificate(this, 'CrossAccountCertificate',
|
|
|
39
40
|
})
|
|
40
41
|
```
|
|
41
42
|
|
|
43
|
+
## Usage for cross-account alternative names validation
|
|
44
|
+
|
|
45
|
+
```typescript
|
|
46
|
+
// example.com is validated on same account against managed hosted zone
|
|
47
|
+
// and secondary.com is validated against external hosted zone on other account
|
|
48
|
+
const hostedZoneForMain: route53.IHostedZone = ...
|
|
49
|
+
const hostedZoneForAlternative: route53.IHostedZone =
|
|
50
|
+
route53.HostedZone.fromHostedZoneAttributes(this, 'SecondaryHostedZone', {
|
|
51
|
+
hostedZoneId: 'Z532DGDEDFS123456789',
|
|
52
|
+
zoneName: 'secondary.com'
|
|
53
|
+
})
|
|
54
|
+
const certificate = new DnsValidatedCertificate(this, 'CrossAccountCertificate', {
|
|
55
|
+
domainName: 'example.com',
|
|
56
|
+
alternativeDomainNames: ['secondary.com'],
|
|
57
|
+
validationHostedZones: [{
|
|
58
|
+
hostedZone: hostedZoneForMain
|
|
59
|
+
},{
|
|
60
|
+
hostedZone: hostedZoneForAlternative,
|
|
61
|
+
validationRole: iam.Role.fromRoleArn(
|
|
62
|
+
this, 'SecondaryValidationRole', 'arn:aws:iam::123456789:role/ChangeDnsRecordsRole'
|
|
63
|
+
),
|
|
64
|
+
validationExternalId: 'domain-assume'
|
|
65
|
+
}]
|
|
66
|
+
})
|
|
67
|
+
```
|
|
68
|
+
|
|
42
69
|
# API Reference <a name="API Reference" id="api-reference"></a>
|
|
43
70
|
|
|
44
71
|
## Constructs <a name="Constructs" id="Constructs"></a>
|
|
@@ -59,32 +86,58 @@ Please note that this construct does not support alternative names yet as it wou
|
|
|
59
86
|
*Example*
|
|
60
87
|
|
|
61
88
|
```typescript
|
|
62
|
-
//
|
|
89
|
+
// ### Cross-region certificate validation
|
|
63
90
|
// hosted zone managed by the CDK application
|
|
64
91
|
const hostedZone: route53.IHostedZone = ...
|
|
65
92
|
// no separate validation role is needed
|
|
66
93
|
const certificate = new DnsValidatedCertificate(this, 'CrossRegionCertificate', {
|
|
67
|
-
hostedZone: hostedZone,
|
|
68
94
|
domainName: 'example.com', // must be compatible with the hosted zone
|
|
95
|
+
validationHostedZones: [{ // hosted zone used with the execution role's permissions
|
|
96
|
+
hostedZone: hostedZone
|
|
97
|
+
}],
|
|
69
98
|
certificateRegion: 'us-east-1' // used by for example CloudFront
|
|
70
99
|
})
|
|
71
|
-
//
|
|
100
|
+
// ### Cross-account certificate validation
|
|
72
101
|
// external hosted zone
|
|
73
102
|
const hostedZone: route53.IHostedZone =
|
|
74
103
|
route53.HostedZone.fromHostedZoneAttributes(this, 'HostedZone', {
|
|
75
104
|
hostedZoneId: 'Z532DGDEDFS123456789',
|
|
76
105
|
zoneName: 'example.com'
|
|
77
106
|
})
|
|
78
|
-
// validation role
|
|
107
|
+
// validation role in the same account as the hosted zone
|
|
79
108
|
const roleArn = 'arn:aws:iam::123456789:role/ChangeDnsRecordsRole'
|
|
80
109
|
const externalId = 'domain-assume'
|
|
81
110
|
const validationRole: iam.IRole =
|
|
82
111
|
iam.Role.fromRoleArn(this, 'ValidationRole', roleArn)
|
|
83
112
|
const certificate = new DnsValidatedCertificate(this, 'CrossAccountCertificate', {
|
|
84
|
-
hostedZone: hostedZone,
|
|
85
113
|
domainName: 'example.com',
|
|
86
|
-
|
|
87
|
-
|
|
114
|
+
validationHostedZones: [{
|
|
115
|
+
hostedZone: hostedZone,
|
|
116
|
+
validationRole: validationRole,
|
|
117
|
+
validationExternalId: externalId
|
|
118
|
+
}]
|
|
119
|
+
})
|
|
120
|
+
// ### Cross-account alternative name validation
|
|
121
|
+
// example.com is validated on same account against managed hosted zone
|
|
122
|
+
// and secondary.com is validated against external hosted zone on other account
|
|
123
|
+
const hostedZoneForMain: route53.IHostedZone = ...
|
|
124
|
+
const hostedZoneForAlternative: route53.IHostedZone =
|
|
125
|
+
route53.HostedZone.fromHostedZoneAttributes(this, 'SecondaryHostedZone', {
|
|
126
|
+
hostedZoneId: 'Z532DGDEDFS123456789',
|
|
127
|
+
zoneName: 'secondary.com'
|
|
128
|
+
})
|
|
129
|
+
const certificate = new DnsValidatedCertificate(this, 'CrossAccountCertificate', {
|
|
130
|
+
domainName: 'example.com',
|
|
131
|
+
alternativeDomainNames: ['secondary.com'],
|
|
132
|
+
validationHostedZones: [{
|
|
133
|
+
hostedZone: hostedZoneForMain
|
|
134
|
+
},{
|
|
135
|
+
hostedZone: hostedZoneForAlternative,
|
|
136
|
+
validationRole: iam.Role.fromRoleArn(
|
|
137
|
+
this, 'SecondaryValidationRole', 'arn:aws:iam::123456789:role/ChangeDnsRecordsRole'
|
|
138
|
+
),
|
|
139
|
+
validationExternalId: 'domain-assume'
|
|
140
|
+
}]
|
|
88
141
|
})@resource[object Object]@resource[object Object]
|
|
89
142
|
```
|
|
90
143
|
|
|
@@ -256,9 +309,6 @@ Check whether the given construct is a Resource.
|
|
|
256
309
|
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.stack">stack</a></code> | <code>aws-cdk-lib.Stack</code> | The stack in which this resource is defined. |
|
|
257
310
|
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.certificateArn">certificateArn</a></code> | <code>string</code> | The certificate's ARN. |
|
|
258
311
|
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.certificateRegion">certificateRegion</a></code> | <code>string</code> | The region where the certificate is deployed to. |
|
|
259
|
-
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.domainName">domainName</a></code> | <code>string</code> | The domain name included in the certificate. |
|
|
260
|
-
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.hostedZoneId">hostedZoneId</a></code> | <code>string</code> | The hosted zone identifier authoritative for the certificate. |
|
|
261
|
-
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.hostedZoneName">hostedZoneName</a></code> | <code>string</code> | The hosted zone name authoritative for the certificate. |
|
|
262
312
|
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.tags">tags</a></code> | <code>aws-cdk-lib.TagManager</code> | The tag manager to set, remove and format tags for the certificate. |
|
|
263
313
|
|
|
264
314
|
---
|
|
@@ -330,42 +380,6 @@ The region where the certificate is deployed to.
|
|
|
330
380
|
|
|
331
381
|
---
|
|
332
382
|
|
|
333
|
-
##### `domainName`<sup>Required</sup> <a name="domainName" id="@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.domainName"></a>
|
|
334
|
-
|
|
335
|
-
```typescript
|
|
336
|
-
public readonly domainName: string;
|
|
337
|
-
```
|
|
338
|
-
|
|
339
|
-
- *Type:* string
|
|
340
|
-
|
|
341
|
-
The domain name included in the certificate.
|
|
342
|
-
|
|
343
|
-
---
|
|
344
|
-
|
|
345
|
-
##### `hostedZoneId`<sup>Required</sup> <a name="hostedZoneId" id="@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.hostedZoneId"></a>
|
|
346
|
-
|
|
347
|
-
```typescript
|
|
348
|
-
public readonly hostedZoneId: string;
|
|
349
|
-
```
|
|
350
|
-
|
|
351
|
-
- *Type:* string
|
|
352
|
-
|
|
353
|
-
The hosted zone identifier authoritative for the certificate.
|
|
354
|
-
|
|
355
|
-
---
|
|
356
|
-
|
|
357
|
-
##### `hostedZoneName`<sup>Required</sup> <a name="hostedZoneName" id="@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.hostedZoneName"></a>
|
|
358
|
-
|
|
359
|
-
```typescript
|
|
360
|
-
public readonly hostedZoneName: string;
|
|
361
|
-
```
|
|
362
|
-
|
|
363
|
-
- *Type:* string
|
|
364
|
-
|
|
365
|
-
The hosted zone name authoritative for the certificate.
|
|
366
|
-
|
|
367
|
-
---
|
|
368
|
-
|
|
369
383
|
##### `tags`<sup>Required</sup> <a name="tags" id="@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificate.property.tags"></a>
|
|
370
384
|
|
|
371
385
|
```typescript
|
|
@@ -396,14 +410,13 @@ const dnsValidatedCertificateProps: DnsValidatedCertificateProps = { ... }
|
|
|
396
410
|
| **Name** | **Type** | **Description** |
|
|
397
411
|
| --- | --- | --- |
|
|
398
412
|
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.domainName">domainName</a></code> | <code>string</code> | Fully-qualified domain name to request a certificate for. |
|
|
399
|
-
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.
|
|
413
|
+
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.validationHostedZones">validationHostedZones</a></code> | <code><a href="#@trautonen/cdk-dns-validated-certificate.ValidationHostedZone">ValidationHostedZone</a>[]</code> | List of hosted zones to use for validation. |
|
|
414
|
+
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.alternativeDomainNames">alternativeDomainNames</a></code> | <code>string[]</code> | Fully-qualified alternative domain names to request a certificate for. |
|
|
400
415
|
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.certificateRegion">certificateRegion</a></code> | <code>string</code> | AWS region where the certificate is deployed. |
|
|
401
416
|
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.cleanupValidationRecords">cleanupValidationRecords</a></code> | <code>boolean</code> | Enable or disable cleaning of validation DNS records from the hosted zone. |
|
|
402
417
|
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.customResourceRole">customResourceRole</a></code> | <code>aws-cdk-lib.aws_iam.IRole</code> | The role that is used for the custom resource Lambda execution. |
|
|
403
418
|
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.removalPolicy">removalPolicy</a></code> | <code>aws-cdk-lib.RemovalPolicy</code> | Apply the given removal policy to this resource. |
|
|
404
419
|
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.transparencyLoggingEnabled">transparencyLoggingEnabled</a></code> | <code>boolean</code> | Enable or disable transparency logging for this certificate. |
|
|
405
|
-
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.validationExternalId">validationExternalId</a></code> | <code>string</code> | External id for ``validationRole`` role assume verification. |
|
|
406
|
-
| <code><a href="#@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.validationRole">validationRole</a></code> | <code>aws-cdk-lib.aws_iam.IRole</code> | The role that is assumed for DNS record changes for certificate validation. |
|
|
407
420
|
|
|
408
421
|
---
|
|
409
422
|
|
|
@@ -421,18 +434,31 @@ May contain wildcards, such as ``*.domain.com``.
|
|
|
421
434
|
|
|
422
435
|
---
|
|
423
436
|
|
|
424
|
-
##### `
|
|
437
|
+
##### `validationHostedZones`<sup>Required</sup> <a name="validationHostedZones" id="@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.validationHostedZones"></a>
|
|
425
438
|
|
|
426
439
|
```typescript
|
|
427
|
-
public readonly
|
|
440
|
+
public readonly validationHostedZones: ValidationHostedZone[];
|
|
428
441
|
```
|
|
429
442
|
|
|
430
|
-
- *Type:*
|
|
443
|
+
- *Type:* <a href="#@trautonen/cdk-dns-validated-certificate.ValidationHostedZone">ValidationHostedZone</a>[]
|
|
431
444
|
|
|
432
|
-
|
|
445
|
+
List of hosted zones to use for validation.
|
|
433
446
|
|
|
434
|
-
|
|
435
|
-
|
|
447
|
+
Hosted zones are mapped to domain names by the zone name.
|
|
448
|
+
|
|
449
|
+
---
|
|
450
|
+
|
|
451
|
+
##### `alternativeDomainNames`<sup>Optional</sup> <a name="alternativeDomainNames" id="@trautonen/cdk-dns-validated-certificate.DnsValidatedCertificateProps.property.alternativeDomainNames"></a>
|
|
452
|
+
|
|
453
|
+
```typescript
|
|
454
|
+
public readonly alternativeDomainNames: string[];
|
|
455
|
+
```
|
|
456
|
+
|
|
457
|
+
- *Type:* string[]
|
|
458
|
+
|
|
459
|
+
Fully-qualified alternative domain names to request a certificate for.
|
|
460
|
+
|
|
461
|
+
May contain wildcards, such as ``*.otherdomain.com``.
|
|
436
462
|
|
|
437
463
|
---
|
|
438
464
|
|
|
@@ -481,9 +507,9 @@ public readonly customResourceRole: IRole;
|
|
|
481
507
|
|
|
482
508
|
The role that is used for the custom resource Lambda execution.
|
|
483
509
|
|
|
484
|
-
The role is given permissions to request certificates from ACM. If
|
|
485
|
-
is also given permission to assume the ``validationRole``. Otherwise it is assumed that the hosted zone
|
|
486
|
-
account and the execution role is given permissions to change DNS records for the given ``domainName``.
|
|
510
|
+
The role is given permissions to request certificates from ACM. If there are any ``validationRole``s provided,
|
|
511
|
+
this role is also given permission to assume the ``validationRole``. Otherwise it is assumed that the hosted zone
|
|
512
|
+
is in same account and the execution role is given permissions to change DNS records for the given ``domainName``.
|
|
487
513
|
|
|
488
514
|
---
|
|
489
515
|
|
|
@@ -524,14 +550,52 @@ effect. If you change this property after creation, a new certificate will be re
|
|
|
524
550
|
|
|
525
551
|
---
|
|
526
552
|
|
|
527
|
-
|
|
553
|
+
### ValidationHostedZone <a name="ValidationHostedZone" id="@trautonen/cdk-dns-validated-certificate.ValidationHostedZone"></a>
|
|
554
|
+
|
|
555
|
+
#### Initializer <a name="Initializer" id="@trautonen/cdk-dns-validated-certificate.ValidationHostedZone.Initializer"></a>
|
|
556
|
+
|
|
557
|
+
```typescript
|
|
558
|
+
import { ValidationHostedZone } from '@trautonen/cdk-dns-validated-certificate'
|
|
559
|
+
|
|
560
|
+
const validationHostedZone: ValidationHostedZone = { ... }
|
|
561
|
+
```
|
|
562
|
+
|
|
563
|
+
#### Properties <a name="Properties" id="Properties"></a>
|
|
564
|
+
|
|
565
|
+
| **Name** | **Type** | **Description** |
|
|
566
|
+
| --- | --- | --- |
|
|
567
|
+
| <code><a href="#@trautonen/cdk-dns-validated-certificate.ValidationHostedZone.property.hostedZone">hostedZone</a></code> | <code>aws-cdk-lib.aws_route53.IHostedZone</code> | Hosted zone to use for DNS validation. |
|
|
568
|
+
| <code><a href="#@trautonen/cdk-dns-validated-certificate.ValidationHostedZone.property.validationExternalId">validationExternalId</a></code> | <code>string</code> | External id for ``validationRole`` role assume verification. |
|
|
569
|
+
| <code><a href="#@trautonen/cdk-dns-validated-certificate.ValidationHostedZone.property.validationRole">validationRole</a></code> | <code>aws-cdk-lib.aws_iam.IRole</code> | The role that is assumed for DNS record changes for certificate validation. |
|
|
570
|
+
|
|
571
|
+
---
|
|
572
|
+
|
|
573
|
+
##### `hostedZone`<sup>Required</sup> <a name="hostedZone" id="@trautonen/cdk-dns-validated-certificate.ValidationHostedZone.property.hostedZone"></a>
|
|
574
|
+
|
|
575
|
+
```typescript
|
|
576
|
+
public readonly hostedZone: IHostedZone;
|
|
577
|
+
```
|
|
578
|
+
|
|
579
|
+
- *Type:* aws-cdk-lib.aws_route53.IHostedZone
|
|
580
|
+
|
|
581
|
+
Hosted zone to use for DNS validation.
|
|
582
|
+
|
|
583
|
+
The zone name is matched to domain name to use the right
|
|
584
|
+
hosted zone for validation.
|
|
585
|
+
|
|
586
|
+
If the hosted zone is not managed by the CDK application, it needs to be provided via
|
|
587
|
+
``HostedZone.fromHostedZoneAttributes()``.
|
|
588
|
+
|
|
589
|
+
---
|
|
590
|
+
|
|
591
|
+
##### `validationExternalId`<sup>Optional</sup> <a name="validationExternalId" id="@trautonen/cdk-dns-validated-certificate.ValidationHostedZone.property.validationExternalId"></a>
|
|
528
592
|
|
|
529
593
|
```typescript
|
|
530
594
|
public readonly validationExternalId: string;
|
|
531
595
|
```
|
|
532
596
|
|
|
533
597
|
- *Type:* string
|
|
534
|
-
- *Default:* No external id provided during assume
|
|
598
|
+
- *Default:* No external id provided during assume.
|
|
535
599
|
|
|
536
600
|
External id for ``validationRole`` role assume verification.
|
|
537
601
|
|
|
@@ -539,7 +603,7 @@ This should be used only when ``validationRole`` is given and the role expects a
|
|
|
539
603
|
|
|
540
604
|
---
|
|
541
605
|
|
|
542
|
-
##### `validationRole`<sup>Optional</sup> <a name="validationRole" id="@trautonen/cdk-dns-validated-certificate.
|
|
606
|
+
##### `validationRole`<sup>Optional</sup> <a name="validationRole" id="@trautonen/cdk-dns-validated-certificate.ValidationHostedZone.property.validationRole"></a>
|
|
543
607
|
|
|
544
608
|
```typescript
|
|
545
609
|
public readonly validationRole: IRole;
|