npm - raindancers-cloudfront - Versions diffs - 0.0.0 → 0.0.2 - Mend

raindancers-cloudfront 0.0.0 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/lib/cloudfront/cloudfront-functions/tls-enforcer.js ADDED Viewed

@@ -0,0 +1,55 @@
+// tls-enforcer.js - CloudFront Function (viewer-request)
+// Enforces TLS 1.3 with strongest ciphers only
+// Requires: CloudFront-Viewer-TLS header in Origin Request Policy
+function handler(event) {
+  var request = event.request;
+  var headers = request.headers;
+  // Get TLS info from CloudFront-Viewer-TLS header
+  // Format: TLSv1.3:TLS_AES_128_GCM_SHA256:sessionResumed
+  var tlsInfo = headers['cloudfront-viewer-tls']
+    ? headers['cloudfront-viewer-tls'].value
+    : '';
+  // Parse TLS version and cipher
+  var parts = tlsInfo.split(':');
+  var tlsVersion = parts[0] || 'unknown';
+  var cipher = parts[1] || 'unknown';
+  // Check if using TLS 1.3
+  if (!tlsVersion.startsWith('TLSv1.3')) {
+    // Redirect to upgrade page with Request ID for incident tracking
+    var requestId = event.context.requestId;
+    return {
+      statusCode: 302,
+      statusDescription: 'Found',
+      headers: {
+        'location': { value: '/upgrade.html?ref=' + requestId },
+        'cache-control': { value: 'no-store' },
+      },
+    };
+  }
+  // Verify strong cipher (TLS 1.3 GCM only)
+  var allowedCiphers = [
+    'TLS_AES_128_GCM_SHA256',
+    'TLS_AES_256_GCM_SHA384'
+  ];
+  if (allowedCiphers.indexOf(cipher) === -1) {
+    // Redirect to upgrade page with Request ID for incident tracking
+    var requestId = event.context.requestId;
+    return {
+      statusCode: 302,
+      statusDescription: 'Found',
+      headers: {
+        'location': { value: '/upgrade.html?ref=' + requestId },
+        'cache-control': { value: 'no-store' },
+      },
+    };
+  }
+  // Allow request to proceed
+  return request;
+}

package/lib/cloudfront/cloudfront-functions/userinfo-endpoint.js ADDED Viewed

@@ -0,0 +1,208 @@
+// CloudFront Function: User Info Endpoint (viewer-request)
+// Purpose: Validate JWT and return user info JSON without exposing full JWT
+// Security: Validates JWT signature, returns only name and roles, calculates cache expiration
+import cf from 'cloudfront';
+var crypto = require('crypto');
+const kvsHandle = cf.kvs();
+function base64urlDecode(str) {
+    var base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+    while (base64.length % 4) {
+        base64 += '=';
+    }
+    return atob(base64);
+}
+function constantTimeCompare(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    var result = 0;
+    for (var i = 0; i < a.length; i++) {
+        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+}
+async function validateHmacSignature(token) {
+    var parts = token.split('.');
+    if (parts.length !== 3) {
+        return false;
+    }
+    var signingInput = parts[0] + '.' + parts[1];
+    var providedSignature = parts[2];
+    try {
+        var secret = await kvsHandle.get('jwt.secret');
+        if (!secret) {
+            return false;
+        }
+        var hmac = crypto.createHmac('sha256', secret);
+        hmac.update(signingInput);
+        var computedSignature = hmac.digest('base64url');
+        if (constantTimeCompare(computedSignature, providedSignature)) {
+            return true;
+        }
+        try {
+            var oldSecret = await kvsHandle.get('jwt.secret.old');
+            if (oldSecret) {
+                var oldHmac = crypto.createHmac('sha256', oldSecret);
+                oldHmac.update(signingInput);
+                var oldComputedSignature = oldHmac.digest('base64url');
+                if (constantTimeCompare(oldComputedSignature, oldComputedSignature)) {
+                    return true;
+                }
+            }
+        } catch (e) {
+            // Old secret doesn't exist
+        }
+        return false;
+    } catch (e) {
+        return false;
+    }
+}
+function extractUserInfo(token, nameFields) {
+    try {
+        var parts = token.split('.');
+        if (parts.length !== 3) {
+            return null;
+        }
+        var payload = JSON.parse(base64urlDecode(parts[1]));
+        // Extract name using ordered fallback list
+        var username = 'User';
+        for (var i = 0; i < nameFields.length; i++) {
+            if (payload[nameFields[i]]) {
+                username = payload[nameFields[i]];
+                break;
+            }
+        }
+        // Extract roles (default to empty array)
+        var roles = payload.roles || [];
+        // Extract expiration for cache control
+        var exp = payload.exp || 0;
+        return {
+            name: username,
+            roles: roles,
+            exp: exp
+        };
+    } catch (e) {
+        console.log('Failed to extract user info from JWT: ' + e);
+        return null;
+    }
+}
+async function handler(event) {
+    var request = event.request;
+    // Extract JWT from request cookies
+    var cookies = request.cookies;
+    if (!cookies['__Host-auth_session']) {
+        return {
+            statusCode: 401,
+            statusDescription: 'Unauthorized',
+            headers: {
+                'content-type': { value: 'application/json' },
+                'cache-control': { value: 'no-store' }
+            },
+            body: {
+                encoding: 'text',
+                data: JSON.stringify({ error: 'No session found' })
+            }
+        };
+    }
+    var token = cookies['__Host-auth_session'].value;
+    if (!token) {
+        return {
+            statusCode: 401,
+            statusDescription: 'Unauthorized',
+            headers: {
+                'content-type': { value: 'application/json' },
+                'cache-control': { value: 'no-store' }
+            },
+            body: {
+                encoding: 'text',
+                data: JSON.stringify({ error: 'Invalid session' })
+            }
+        };
+    }
+    // Validate JWT signature
+    var isValid = await validateHmacSignature(token);
+    if (!isValid) {
+        return {
+            statusCode: 401,
+            statusDescription: 'Unauthorized',
+            headers: {
+                'content-type': { value: 'application/json' },
+                'cache-control': { value: 'no-store' }
+            },
+            body: {
+                encoding: 'text',
+                data: JSON.stringify({ error: 'Invalid JWT signature' })
+            }
+        };
+    }
+    // NOTE: This array is automatically replaced by CDK with configured JWT claim fields
+    var nameFields = ['key1', 'key2', 'key3'];
+    // Extract user info from JWT
+    var userInfo = extractUserInfo(token, nameFields);
+    if (!userInfo) {
+        return {
+            statusCode: 500,
+            statusDescription: 'Internal Server Error',
+            headers: {
+                'content-type': { value: 'application/json' },
+                'cache-control': { value: 'no-store' }
+            },
+            body: {
+                encoding: 'text',
+                data: JSON.stringify({ error: 'Failed to parse JWT' })
+            }
+        };
+    }
+    // Calculate cache duration from JWT expiration
+    var now = Math.floor(Date.now() / 1000);
+    var maxAge = userInfo.exp - now;
+    // Ensure maxAge is positive and reasonable
+    if (maxAge <= 0) {
+        maxAge = 0;
+    } else if (maxAge > 3600) {
+        maxAge = 3600; // Cap at 1 hour for safety
+    }
+    // Return user info as JSON with dynamic cache control
+    return {
+        statusCode: 200,
+        statusDescription: 'OK',
+        headers: {
+            'content-type': { value: 'application/json' },
+            'cache-control': { value: 'private, max-age=' + maxAge }
+        },
+        body: {
+            encoding: 'text',
+            data: JSON.stringify({
+                name: userInfo.name,
+                roles: userInfo.roles
+            })
+        }
+    };
+}

package/lib/cloudfront/deployment/viteFrontendDeployment.d.ts CHANGED Viewed

@@ -5,6 +5,7 @@ export interface ViteFrontendDeploymentProps {
     readonly sourcePath: string;
     readonly destinationBucket: s3.IBucket;
     readonly distribution: cloudfront.IDistribution;
+    readonly distributionPaths?: string[];
 }
 export declare class ViteFrontendDeployment extends Construct {
     readonly deployment: s3deploy.BucketDeployment;

package/lib/cloudfront/deployment/viteFrontendDeployment.js CHANGED Viewed

@@ -55,9 +55,9 @@ class ViteFrontendDeployment extends constructs_1.Construct {
             destinationBucket: props.destinationBucket,
             destinationKeyPrefix: `${props.appName}/`,
             distribution: props.distribution,
-            distributionPaths: ['/*'],
+            distributionPaths: props.distributionPaths ?? [`/${props.appName}/*`],
         });
     }
 }
 exports.ViteFrontendDeployment = ViteFrontendDeployment;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidml0ZUZyb250ZW5kRGVwbG95bWVudC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jbG91ZGZyb250L2RlcGxveW1lbnQvdml0ZUZyb250ZW5kRGVwbG95bWVudC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxrREFBb0M7QUFDcEMsNkNBQXdHO0FBQ3hHLDJDQUF1QztBQVN2QyxNQUFhLHNCQUF1QixTQUFRLHNCQUFTO0lBR25ELFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsS0FBa0M7UUFDMUUsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixJQUFJLENBQUMsVUFBVSxHQUFHLElBQUksK0JBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLEVBQUUsWUFBWSxFQUFFO1lBQ2xFLE9BQU8sRUFBRTtnQkFDUCwrQkFBUSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLFVBQVUsRUFBRTtvQkFDdEMsUUFBUSxFQUFFO3dCQUNSLEtBQUssRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDLFlBQVksQ0FBQyxnQkFBZ0IsQ0FBQzt3QkFDdEQsT0FBTyxFQUFFOzRCQUNQLElBQUksRUFBRSxJQUFJOzRCQUNWLHNFQUFzRTt5QkFDdkU7cUJBQ0Y7aUJBQ0YsQ0FBQzthQUNIO1lBQ0QsaUJBQWlCLEVBQUUsS0FBSyxDQUFDLGlCQUFpQjtZQUMxQyxvQkFBb0IsRUFBRSxHQUFHLEtBQUssQ0FBQyxPQUFPLEdBQUc7WUFDekMsWUFBWSxFQUFFLEtBQUssQ0FBQyxZQUFZO1lBQ2hDLGlCQUFpQixFQUFFLENBQUMsSUFBSSxDQUFDO1NBQzFCLENBQUMsQ0FBQztJQUNMLENBQUM7Q0FDRjtBQXhCRCx3REF3QkMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBjb3JlIGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCB7IGF3c19zMyBhcyBzMywgYXdzX3MzX2RlcGxveW1lbnQgYXMgczNkZXBsb3ksIGF3c19jbG91ZGZyb250IGFzIGNsb3VkZnJvbnQgfSBmcm9tICdhd3MtY2RrLWxpYic7XG5pbXBvcnQgeyBDb25zdHJ1Y3QgfSBmcm9tICdjb25zdHJ1Y3RzJztcblxuZXhwb3J0IGludGVyZmFjZSBWaXRlRnJvbnRlbmREZXBsb3ltZW50UHJvcHMge1xuICByZWFkb25seSBhcHBOYW1lOiBzdHJpbmc7XG4gIHJlYWRvbmx5IHNvdXJjZVBhdGg6IHN0cmluZztcbiAgcmVhZG9ubHkgZGVzdGluYXRpb25CdWNrZXQ6IHMzLklCdWNrZXQ7XG4gIHJlYWRvbmx5IGRpc3RyaWJ1dGlvbjogY2xvdWRmcm9udC5JRGlzdHJpYnV0aW9uO1xufVxuXG5leHBvcnQgY2xhc3MgVml0ZUZyb250ZW5kRGVwbG95bWVudCBleHRlbmRzIENvbnN0cnVjdCB7XG4gIHB1YmxpYyByZWFkb25seSBkZXBsb3ltZW50OiBzM2RlcGxveS5CdWNrZXREZXBsb3ltZW50O1xuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBDb25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzOiBWaXRlRnJvbnRlbmREZXBsb3ltZW50UHJvcHMpIHtcbiAgICBzdXBlcihzY29wZSwgaWQpO1xuXG4gICAgdGhpcy5kZXBsb3ltZW50ID0gbmV3IHMzZGVwbG95LkJ1Y2tldERlcGxveW1lbnQodGhpcywgJ0RlcGxveW1lbnQnLCB7XG4gICAgICBzb3VyY2VzOiBbXG4gICAgICAgIHMzZGVwbG95LlNvdXJjZS5hc3NldChwcm9wcy5zb3VyY2VQYXRoLCB7XG4gICAgICAgICAgYnVuZGxpbmc6IHtcbiAgICAgICAgICAgIGltYWdlOiBjb3JlLkRvY2tlckltYWdlLmZyb21SZWdpc3RyeSgnbm9kZToyMC1hbHBpbmUnKSxcbiAgICAgICAgICAgIGNvbW1hbmQ6IFtcbiAgICAgICAgICAgICAgJ3NoJywgJy1jJyxcbiAgICAgICAgICAgICAgJ25wbSBjaSAtLWluY2x1ZGU9ZGV2ICYmIG5wbSBydW4gYnVpbGQgJiYgY3AgLXIgZGlzdC8uIC9hc3NldC1vdXRwdXQvJyxcbiAgICAgICAgICAgIF0sXG4gICAgICAgICAgfSxcbiAgICAgICAgfSksXG4gICAgICBdLFxuICAgICAgZGVzdGluYXRpb25CdWNrZXQ6IHByb3BzLmRlc3RpbmF0aW9uQnVja2V0LFxuICAgICAgZGVzdGluYXRpb25LZXlQcmVmaXg6IGAke3Byb3BzLmFwcE5hbWV9L2AsXG4gICAgICBkaXN0cmlidXRpb246IHByb3BzLmRpc3RyaWJ1dGlvbixcbiAgICAgIGRpc3RyaWJ1dGlvblBhdGhzOiBbJy8qJ10sXG4gICAgfSk7XG4gIH1cbn1cbiJdfQ==
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidml0ZUZyb250ZW5kRGVwbG95bWVudC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jbG91ZGZyb250L2RlcGxveW1lbnQvdml0ZUZyb250ZW5kRGVwbG95bWVudC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxrREFBb0M7QUFDcEMsNkNBQXdHO0FBQ3hHLDJDQUF1QztBQVV2QyxNQUFhLHNCQUF1QixTQUFRLHNCQUFTO0lBR25ELFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsS0FBa0M7UUFDMUUsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixJQUFJLENBQUMsVUFBVSxHQUFHLElBQUksK0JBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLEVBQUUsWUFBWSxFQUFFO1lBQ2xFLE9BQU8sRUFBRTtnQkFDUCwrQkFBUSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLFVBQVUsRUFBRTtvQkFDdEMsUUFBUSxFQUFFO3dCQUNSLEtBQUssRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDLFlBQVksQ0FBQyxnQkFBZ0IsQ0FBQzt3QkFDdEQsT0FBTyxFQUFFOzRCQUNQLElBQUksRUFBRSxJQUFJOzRCQUNWLHNFQUFzRTt5QkFDdkU7cUJBQ0Y7aUJBQ0YsQ0FBQzthQUNIO1lBQ0QsaUJBQWlCLEVBQUUsS0FBSyxDQUFDLGlCQUFpQjtZQUMxQyxvQkFBb0IsRUFBRSxHQUFHLEtBQUssQ0FBQyxPQUFPLEdBQUc7WUFDekMsWUFBWSxFQUFFLEtBQUssQ0FBQyxZQUFZO1lBQ2hDLGlCQUFpQixFQUFFLEtBQUssQ0FBQyxpQkFBaUIsSUFBSSxDQUFDLElBQUksS0FBSyxDQUFDLE9BQU8sSUFBSSxDQUFDO1NBQ3RFLENBQUMsQ0FBQztJQUNMLENBQUM7Q0FDRjtBQXhCRCx3REF3QkMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBjb3JlIGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCB7IGF3c19zMyBhcyBzMywgYXdzX3MzX2RlcGxveW1lbnQgYXMgczNkZXBsb3ksIGF3c19jbG91ZGZyb250IGFzIGNsb3VkZnJvbnQgfSBmcm9tICdhd3MtY2RrLWxpYic7XG5pbXBvcnQgeyBDb25zdHJ1Y3QgfSBmcm9tICdjb25zdHJ1Y3RzJztcblxuZXhwb3J0IGludGVyZmFjZSBWaXRlRnJvbnRlbmREZXBsb3ltZW50UHJvcHMge1xuICByZWFkb25seSBhcHBOYW1lOiBzdHJpbmc7XG4gIHJlYWRvbmx5IHNvdXJjZVBhdGg6IHN0cmluZztcbiAgcmVhZG9ubHkgZGVzdGluYXRpb25CdWNrZXQ6IHMzLklCdWNrZXQ7XG4gIHJlYWRvbmx5IGRpc3RyaWJ1dGlvbjogY2xvdWRmcm9udC5JRGlzdHJpYnV0aW9uO1xuICByZWFkb25seSBkaXN0cmlidXRpb25QYXRocz86IHN0cmluZ1tdO1xufVxuXG5leHBvcnQgY2xhc3MgVml0ZUZyb250ZW5kRGVwbG95bWVudCBleHRlbmRzIENvbnN0cnVjdCB7XG4gIHB1YmxpYyByZWFkb25seSBkZXBsb3ltZW50OiBzM2RlcGxveS5CdWNrZXREZXBsb3ltZW50O1xuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBDb25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzOiBWaXRlRnJvbnRlbmREZXBsb3ltZW50UHJvcHMpIHtcbiAgICBzdXBlcihzY29wZSwgaWQpO1xuXG4gICAgdGhpcy5kZXBsb3ltZW50ID0gbmV3IHMzZGVwbG95LkJ1Y2tldERlcGxveW1lbnQodGhpcywgJ0RlcGxveW1lbnQnLCB7XG4gICAgICBzb3VyY2VzOiBbXG4gICAgICAgIHMzZGVwbG95LlNvdXJjZS5hc3NldChwcm9wcy5zb3VyY2VQYXRoLCB7XG4gICAgICAgICAgYnVuZGxpbmc6IHtcbiAgICAgICAgICAgIGltYWdlOiBjb3JlLkRvY2tlckltYWdlLmZyb21SZWdpc3RyeSgnbm9kZToyMC1hbHBpbmUnKSxcbiAgICAgICAgICAgIGNvbW1hbmQ6IFtcbiAgICAgICAgICAgICAgJ3NoJywgJy1jJyxcbiAgICAgICAgICAgICAgJ25wbSBjaSAtLWluY2x1ZGU9ZGV2ICYmIG5wbSBydW4gYnVpbGQgJiYgY3AgLXIgZGlzdC8uIC9hc3NldC1vdXRwdXQvJyxcbiAgICAgICAgICAgIF0sXG4gICAgICAgICAgfSxcbiAgICAgICAgfSksXG4gICAgICBdLFxuICAgICAgZGVzdGluYXRpb25CdWNrZXQ6IHByb3BzLmRlc3RpbmF0aW9uQnVja2V0LFxuICAgICAgZGVzdGluYXRpb25LZXlQcmVmaXg6IGAke3Byb3BzLmFwcE5hbWV9L2AsXG4gICAgICBkaXN0cmlidXRpb246IHByb3BzLmRpc3RyaWJ1dGlvbixcbiAgICAgIGRpc3RyaWJ1dGlvblBhdGhzOiBwcm9wcy5kaXN0cmlidXRpb25QYXRocyA/PyBbYC8ke3Byb3BzLmFwcE5hbWV9LypgXSxcbiAgICB9KTtcbiAgfVxufVxuIl19

package/lib/cloudfront/lambda/certificate/index.py ADDED Viewed

@@ -0,0 +1,219 @@
+import json
+import boto3
+import time
+from typing import Any, Dict
+acm = boto3.client('acm', region_name='us-east-1')
+route53 = boto3.client('route53')
+def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
+    """
+    Custom resource handler for creating ACM certificates in us-east-1.
+    """
+    print(f"Event: {json.dumps(event)}")
+    try:
+        request_type = event['RequestType']
+        props = event['ResourceProperties']
+        domain_name = props['DomainName']
+        sans = props.get('SubjectAlternativeNames', [])
+        hosted_zone_id = props['HostedZoneId']
+        print(f"Processing {request_type} for domain: {domain_name}")
+        print(f"Hosted Zone ID: {hosted_zone_id}")
+        if request_type == 'Create':
+            return create_certificate(domain_name, sans, hosted_zone_id)
+        elif request_type == 'Update':
+            # For updates, delete old and create new
+            old_props = event['OldResourceProperties']
+            old_cert_arn = event['PhysicalResourceId']
+            # Create new certificate first
+            result = create_certificate(domain_name, sans, hosted_zone_id)
+            # Delete old certificate (best effort)
+            try:
+                acm.delete_certificate(CertificateArn=old_cert_arn)
+            except Exception as e:
+                print(f"Failed to delete old certificate: {e}")
+            return result
+        elif request_type == 'Delete':
+            cert_arn = event['PhysicalResourceId']
+            return delete_certificate(cert_arn, hosted_zone_id)
+        return {
+            'PhysicalResourceId': event.get('PhysicalResourceId', 'unknown'),
+            'Data': {}
+        }
+    except Exception as e:
+        print(f"ERROR: {str(e)}")
+        import traceback
+        traceback.print_exc()
+        raise
+def create_certificate(domain_name: str, sans: list, hosted_zone_id: str) -> Dict[str, Any]:
+    """Create and validate an ACM certificate."""
+    # Request certificate
+    request_params = {
+        'DomainName': domain_name,
+        'ValidationMethod': 'DNS',
+    }
+    if sans:
+        request_params['SubjectAlternativeNames'] = sans
+    response = acm.request_certificate(**request_params)
+    cert_arn = response['CertificateArn']
+    print(f"Certificate requested: {cert_arn}")
+    # Wait for validation records to be available
+    validation_records = wait_for_validation_records(cert_arn)
+    # Create DNS validation records
+    create_validation_records(validation_records, hosted_zone_id)
+    # Wait for certificate to be issued
+    wait_for_certificate_validation(cert_arn)
+    return {
+        'PhysicalResourceId': cert_arn,
+        'Data': {
+            'CertificateArn': cert_arn
+        }
+    }
+def delete_certificate(cert_arn: str, hosted_zone_id: str) -> Dict[str, Any]:
+    """Delete certificate and cleanup validation records."""
+    try:
+        # Get validation records before deleting
+        cert = acm.describe_certificate(CertificateArn=cert_arn)
+        validation_records = cert['Certificate'].get('DomainValidationOptions', [])
+        # Delete validation records
+        delete_validation_records(validation_records, hosted_zone_id)
+        # Delete certificate
+        acm.delete_certificate(CertificateArn=cert_arn)
+        print(f"Certificate deleted: {cert_arn}")
+    except acm.exceptions.ResourceNotFoundException:
+        print(f"Certificate not found: {cert_arn}")
+    except Exception as e:
+        print(f"Error deleting certificate: {e}")
+    return {
+        'PhysicalResourceId': cert_arn,
+        'Data': {}
+    }
+def wait_for_validation_records(cert_arn: str, max_attempts: int = 60) -> list:
+    """Wait for validation records to be available."""
+    for attempt in range(max_attempts):
+        cert = acm.describe_certificate(CertificateArn=cert_arn)
+        validation_options = cert['Certificate'].get('DomainValidationOptions', [])
+        # Check if all domains have validation records
+        all_ready = all(
+            'ResourceRecord' in option
+            for option in validation_options
+        )
+        if all_ready:
+            return validation_options
+        time.sleep(5)
+    raise Exception("Timeout waiting for validation records")
+def create_validation_records(validation_options: list, hosted_zone_id: str) -> None:
+    """Create DNS validation records in Route53."""
+    changes = []
+    for option in validation_options:
+        if 'ResourceRecord' in option:
+            record = option['ResourceRecord']
+            print(f"Creating validation record: {record['Name']} -> {record['Value']}")
+            changes.append({
+                'Action': 'UPSERT',
+                'ResourceRecordSet': {
+                    'Name': record['Name'],
+                    'Type': record['Type'],
+                    'TTL': 300,
+                    'ResourceRecords': [{'Value': record['Value']}]
+                }
+            })
+    if changes:
+        print(f"Applying {len(changes)} DNS changes to hosted zone {hosted_zone_id}")
+        response = route53.change_resource_record_sets(
+            HostedZoneId=hosted_zone_id,
+            ChangeBatch={'Changes': changes}
+        )
+        # Wait for change to propagate
+        change_id = response['ChangeInfo']['Id']
+        print(f"Waiting for Route53 change {change_id} to complete")
+        wait_for_route53_change(change_id)
+        print(f"Route53 change completed")
+    else:
+        print("No validation records to create")
+def delete_validation_records(validation_options: list, hosted_zone_id: str) -> None:
+    """Delete DNS validation records from Route53."""
+    changes = []
+    for option in validation_options:
+        if 'ResourceRecord' in option:
+            record = option['ResourceRecord']
+            changes.append({
+                'Action': 'DELETE',
+                'ResourceRecordSet': {
+                    'Name': record['Name'],
+                    'Type': record['Type'],
+                    'TTL': 300,
+                    'ResourceRecords': [{'Value': record['Value']}]
+                }
+            })
+    if changes:
+        try:
+            route53.change_resource_record_sets(
+                HostedZoneId=hosted_zone_id,
+                ChangeBatch={'Changes': changes}
+            )
+        except Exception as e:
+            print(f"Error deleting validation records: {e}")
+def wait_for_route53_change(change_id: str, max_attempts: int = 60) -> None:
+    """Wait for Route53 change to complete."""
+    for attempt in range(max_attempts):
+        response = route53.get_change(Id=change_id)
+        if response['ChangeInfo']['Status'] == 'INSYNC':
+            return
+        time.sleep(5)
+    raise Exception("Timeout waiting for Route53 change")
+def wait_for_certificate_validation(cert_arn: str, max_attempts: int = 120) -> None:
+    """Wait for certificate to be validated and issued."""
+    for attempt in range(max_attempts):
+        cert = acm.describe_certificate(CertificateArn=cert_arn)
+        status = cert['Certificate']['Status']
+        if status == 'ISSUED':
+            print(f"Certificate issued: {cert_arn}")
+            return
+        elif status == 'FAILED':
+            raise Exception(f"Certificate validation failed: {cert_arn}")
+        time.sleep(10)
+    raise Exception("Timeout waiting for certificate validation")