diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-key-algorithm.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-key-algorithm.assets.json new file mode 100644 index 0000000000000..92d8622182e68 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-key-algorithm.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "4f462ad0293d228903983d510fed7abebda7d278b85388757533f6e38ba14480": { + "source": { + "path": "integ-certificate-key-algorithm.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "4f462ad0293d228903983d510fed7abebda7d278b85388757533f6e38ba14480.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-key-algorithm.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-key-algorithm.template.json new file mode 100644 index 0000000000000..d35351c093f6f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ-certificate-key-algorithm.template.json 
@@ -0,0 +1,98 @@ +{ + "Resources": { + "CertificateRsa2048A1EE6743": { + "Type": "AWS::CertificateManager::Certificate", + "Properties": { + "DomainName": "*.example.com", + "DomainValidationOptions": [ + { + "DomainName": "*.example.com", + "HostedZoneId": "Z23ABC4XYZL05B" + } + ], + "KeyAlgorithm": "RSA_2048", + "Tags": [ + { + "Key": "Name", + "Value": "This is a test name RSA2048" + } + ], + "ValidationMethod": "DNS" + } + }, + "CertificateEc2562D0E5C7E": { + "Type": "AWS::CertificateManager::Certificate", + "Properties": { + "DomainName": "*.example.com", + "DomainValidationOptions": [ + { + "DomainName": "*.example.com", + "HostedZoneId": "Z23ABC4XYZL05B" + } + ], + "KeyAlgorithm": "EC_prime256v1", + "Tags": [ + { + "Key": "Name", + "Value": "This is a test name EC256" + } + ], + "ValidationMethod": "DNS" + } + }, + "CertificateEc384CA103C09": { + "Type": "AWS::CertificateManager::Certificate", + "Properties": { + "DomainName": "*.example.com", + "DomainValidationOptions": [ + { + "DomainName": "*.example.com", + "HostedZoneId": "Z23ABC4XYZL05B" + } + ], + "KeyAlgorithm": "EC_secp384r1", + "Tags": [ + { + "Key": "Name", + "Value": "This is a test name EC384" + } + ], + "ValidationMethod": "DNS" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json new file mode 100644 index 0000000000000..59cfb51ac1fa8 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integ.json @@ -0,0 +1,14 @@ +{ + "enableLookups": true, + "version": "36.0.0", + "testCases": { + "integ-test/DefaultTest": { + "stacks": [ + "integ-certificate-key-algorithm" + ], + "diffAssets": true, + "assertionStack": "integ-test/DefaultTest/DeployAssert", + "assertionStackName": "integtestDefaultTestDeployAssert24D5C536" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json new file mode 100644 index 0000000000000..3555eb95abb24 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.assets.json 
@@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "integtestDefaultTestDeployAssert24D5C536.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/integtestDefaultTestDeployAssert24D5C536.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json new file mode 100644 index 0000000000000..f21894ac567e6 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/manifest.json 
@@ -0,0 +1,125 @@ +{ + "version": "36.0.0", + "artifacts": { + "integ-certificate-key-algorithm.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integ-certificate-key-algorithm.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integ-certificate-key-algorithm": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integ-certificate-key-algorithm.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/4f462ad0293d228903983d510fed7abebda7d278b85388757533f6e38ba14480.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integ-certificate-key-algorithm.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integ-certificate-key-algorithm.assets" + ], + "metadata": { + "/integ-certificate-key-algorithm/CertificateRsa2048/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CertificateRsa2048A1EE6743" + } + ], + "/integ-certificate-key-algorithm/CertificateEc256/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CertificateEc2562D0E5C7E" + } + ], + "/integ-certificate-key-algorithm/CertificateEc384/Resource": [ + { + "type": "aws:cdk:logicalId", + 
"data": "CertificateEc384CA103C09" + } + ], + "/integ-certificate-key-algorithm/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-certificate-key-algorithm/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-certificate-key-algorithm" + }, + "integtestDefaultTestDeployAssert24D5C536.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integtestDefaultTestDeployAssert24D5C536.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integtestDefaultTestDeployAssert24D5C536": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integtestDefaultTestDeployAssert24D5C536.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integtestDefaultTestDeployAssert24D5C536.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integtestDefaultTestDeployAssert24D5C536.assets" + ], + "metadata": { + 
"/integ-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json new file mode 100644 index 0000000000000..8269bc4c3388f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.js.snapshot/tree.json 
@@ -0,0 +1,223 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "integ-certificate-key-algorithm": { + "id": "integ-certificate-key-algorithm", + "path": "integ-certificate-key-algorithm", + "children": { + "HostedZone": { + "id": "HostedZone", + "path": "integ-certificate-key-algorithm/HostedZone", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "CertificateRsa2048": { + "id": "CertificateRsa2048", + "path": "integ-certificate-key-algorithm/CertificateRsa2048", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-certificate-key-algorithm/CertificateRsa2048/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", + "aws:cdk:cloudformation:props": { + "domainName": "*.example.com", + "domainValidationOptions": [ + { + "domainName": "*.example.com", + "hostedZoneId": "Z23ABC4XYZL05B" + } + ], + "keyAlgorithm": "RSA_2048", + "tags": [ + { + "key": "Name", + "value": "This is a test name RSA2048" + } + ], + "validationMethod": "DNS" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.CfnCertificate", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.Certificate", + "version": "0.0.0" + } + }, + "CertificateEc256": { + "id": "CertificateEc256", + "path": "integ-certificate-key-algorithm/CertificateEc256", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-certificate-key-algorithm/CertificateEc256/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", + "aws:cdk:cloudformation:props": { + "domainName": "*.example.com", + "domainValidationOptions": [ + { + "domainName": "*.example.com", + "hostedZoneId": "Z23ABC4XYZL05B" + } + ], + "keyAlgorithm": "EC_prime256v1", + "tags": [ + { + "key": "Name", + "value": "This is a test name EC256" + } + ], + "validationMethod": "DNS" + } + }, + 
"constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.CfnCertificate", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.Certificate", + "version": "0.0.0" + } + }, + "CertificateEc384": { + "id": "CertificateEc384", + "path": "integ-certificate-key-algorithm/CertificateEc384", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-certificate-key-algorithm/CertificateEc384/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", + "aws:cdk:cloudformation:props": { + "domainName": "*.example.com", + "domainValidationOptions": [ + { + "domainName": "*.example.com", + "hostedZoneId": "Z23ABC4XYZL05B" + } + ], + "keyAlgorithm": "EC_secp384r1", + "tags": [ + { + "key": "Name", + "value": "This is a test name EC384" + } + ], + "validationMethod": "DNS" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.CfnCertificate", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.Certificate", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-certificate-key-algorithm/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-certificate-key-algorithm/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "integ-test": { + "id": "integ-test", + "path": "integ-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "integ-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "integ-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + 
"path": "integ-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts new file mode 100644 index 0000000000000..ad6198f884ab1 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.certificate-key-algorithm.ts 
@@ -0,0 +1,50 @@
+import { PublicHostedZone } from 'aws-cdk-lib/aws-route53';
+import { App, Stack } from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { Certificate, CertificateValidation, KeyAlgorithm } from 'aws-cdk-lib/aws-certificatemanager';
+
+/**
+ * In order to test this you need to have a valid public hosted zone that you can use
+ * to request certificates for.
+
+*/
+const hostedZoneId = process.env.CDK_INTEG_HOSTED_ZONE_ID ?? process.env.HOSTED_ZONE_ID;
+if (!hostedZoneId) throw new Error('For this test you must provide your own HostedZoneId as an env var "HOSTED_ZONE_ID". See framework-integ/README.md for details.');
+const hostedZoneName = process.env.CDK_INTEG_HOSTED_ZONE_NAME ?? process.env.HOSTED_ZONE_NAME;
+if (!hostedZoneName) throw new Error('For this test you must provide your own HostedZoneName as an env var "HOSTED_ZONE_NAME". See framework-integ/README.md for details.');
+const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME;
+if (!domainName) throw new Error('For this test you must provide your own DomainName as an env var "DOMAIN_NAME". See framework-integ/README.md for details.');
+
+const app = new App();
+const stack = new Stack(app, 'integ-certificate-key-algorithm');
+const hostedZone = PublicHostedZone.fromHostedZoneAttributes(stack, 'HostedZone', {
+  hostedZoneId,
+  zoneName: hostedZoneName,
+});
+
+new Certificate(stack, 'CertificateRsa2048', {
+  domainName,
+  certificateName: 'This is a test name RSA2048',
+  validation: CertificateValidation.fromDns(hostedZone),
+  keyAlgorithm: KeyAlgorithm.RSA_2048,
+});
+
+new Certificate(stack, 'CertificateEc256', {
+  domainName,
+  certificateName: 'This is a test name EC256',
+  validation: CertificateValidation.fromDns(hostedZone),
+  keyAlgorithm: KeyAlgorithm.EC_PRIME256V1,
+});
+
+new Certificate(stack, 'CertificateEc384', {
+  domainName,
+  certificateName: 'This is a test name EC384',
+  validation: CertificateValidation.fromDns(hostedZone),
+  keyAlgorithm: KeyAlgorithm.EC_SECP384R1,
+});
+
+new IntegTest(app, 'integ-test', {
+  testCases: [stack],
+  diffAssets: true,
+  enableLookups: true,
+});
diff --git a/packages/aws-cdk-lib/aws-certificatemanager/README.md b/packages/aws-cdk-lib/aws-certificatemanager/README.md
index 5c20e8fae88dd..6caf19630d461 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/README.md
+++ b/packages/aws-cdk-lib/aws-certificatemanager/README.md
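Review bot: Each of the three environment guards reads a `CDK_INTEG_`-prefixed variable first and falls back to the unprefixed one, but the thrown message names only the unprefixed name (`"HOSTED_ZONE_ID"`, `"HOSTED_ZONE_NAME"`, `"DOMAIN_NAME"`), so someone who set the prefixed variable wrongly is pointed at a variable this file does not prefer. Naming both keeps the message in step with what is actually read, e.g. `... as an env var "CDK_INTEG_HOSTED_ZONE_ID" (or "HOSTED_ZONE_ID"). See framework-integ/README.md for details.` for the first guard and likewise for the other two. The header comment also closes with `*/` at column 0 while its body lines are ` * ...`; aligning it as ` */` matches the doc-comment style used elsewhere in this change.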
@@ -156,6 +156,24 @@ new acm.Certificate(this, 'Certificate', {
 });
 ```
 
+## Key Algorithms
+
+To specify the algorithm of the public and private key pair that your certificate uses to encrypt data use the `keyAlgorithm` property.
+
+Algorithms supported for an ACM certificate request include:
+ * `RSA_2048`
+ * `EC_prime256v1`
+ * `EC_secp384r1`
+
+```ts
+new acm.Certificate(this, 'Certificate', {
+  domainName: 'test.example.com',
+  keyAlgorithm: acm.KeyAlgorithm.EC_PRIME256V1,
+});
+```
+
+> Visit [Key algorithms](https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms.title) for more details.
+
 ## Importing
 
 If you want to import an existing certificate, you can do so from its ARN:
diff --git a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
index 37b5eb55b3511..ead0b18c3df2d 100644
--- a/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
+++ b/packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts
@@ -100,7 +100,41 @@ export interface CertificateProps {
    *
    * @default the full, absolute path of this construct
    */
-  readonly certificateName?: string
+  readonly certificateName?: string;
+
+  /**
+   * The algorithm of the public and private key pair that the certificate uses to encrypt data.
+   *
+   * RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature
+   * Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater
+   * computing efficiency. However, ECDSA is not supported by all network clients. Some AWS
+   * services may require RSA keys, or only support ECDSA keys of a particular size, while others
+   * allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check
+   * the requirements for the AWS service where you plan to deploy your certificate.
+   *
+   * @see https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms.title
+   *
+   * @default - `RSA_2048`
+   */
+  readonly keyAlgorithm?: KeyAlgorithm;
+}
+
+/**
+ * Algorithms that AWS Certificate Manager supports for certificate requests.
+ */
+export enum KeyAlgorithm {
+  /**
+   * An RSA 2048 bit key.
+   */
+  RSA_2048 = 'RSA_2048',
+  /**
+   * An ECDSA 256 bit key.
+   */
+  EC_PRIME256V1 = 'EC_prime256v1',
+  /**
+   * An ECSDA 284 bit key.
+   */
+  EC_SECP384R1 = 'EC_secp384r1',
 }
 
 /**
@@ -259,6 +293,7 @@ export class Certificate extends CertificateBase implements ICertificate {
       domainValidationOptions: renderDomainValidation(validation, allDomainNames),
       validationMethod: validation.method,
       certificateTransparencyLoggingPreference,
+      keyAlgorithm: props.keyAlgorithm,
     });
 
     Tags.of(cert).add(NAME_TAG, props.certificateName || this.node.path.slice(0, 255));
diff --git a/packages/aws-cdk-lib/aws-certificatemanager/test/certificate.test.ts b/packages/aws-cdk-lib/aws-certificatemanager/test/certificate.test.ts
index 6e383f30bb418..3109867b3f9e7 100644
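Review bot: The doc comment on `EC_SECP384R1` in the new `KeyAlgorithm` enum reads `An ECSDA 284 bit key.`, which both misspells the algorithm and states the wrong key size for a member whose value is `EC_secp384r1`; it should read `* An ECDSA 384 bit key.`. Since the enum is the public surface users pick from, it would also help to name the curves in the member docs — `EC_prime256v1` is the P-256 curve and `EC_secp384r1` is P-384 — because those are the names client and service compatibility tables usually use. The `@default - \`RSA_2048\`` note on `keyAlgorithm` is consistent with the second hunk passing `props.keyAlgorithm` through unchanged, where an omitted value presumably leaves the CloudFormation default in effect; a sentence in the property doc saying that the value is forwarded as-is would make that explicit.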
--- a/packages/aws-cdk-lib/aws-certificatemanager/test/certificate.test.ts
+++ b/packages/aws-cdk-lib/aws-certificatemanager/test/certificate.test.ts
@@ -1,7 +1,7 @@
 import { Template, Match } from '../../assertions';
 import * as route53 from '../../aws-route53';
 import { Aws, Duration, Lazy, Stack } from '../../core';
-import { Certificate, CertificateValidation } from '../lib';
+import { Certificate, CertificateValidation, KeyAlgorithm } from '../lib';
 
 test('apex domain selection by default', () => {
   const stack = new Stack();
@@ -434,6 +434,47 @@ describe('Certificate Name setting', () => {
   });
 });
 
+describe('Key Algorithm setting', () => {
+  test('the RSA 2048 algorithm', () => {
+    const stack = new Stack();
+
+    new Certificate(stack, 'Certficate', {
+      domainName: 'test.example.com',
+      keyAlgorithm: KeyAlgorithm.RSA_2048,
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      KeyAlgorithm: 'RSA_2048',
+    });
+  });
+
+  test('the ECDSA 256 bit algorithm', () => {
+    const stack = new Stack();
+
+    new Certificate(stack, 'Certficate', {
+      domainName: 'test.example.com',
+      keyAlgorithm: KeyAlgorithm.EC_PRIME256V1,
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      KeyAlgorithm: 'EC_prime256v1',
+    });
+  });
+
+  test('the ECDSA 384 bit algorithm', () => {
+    const stack = new Stack();
+
+    new Certificate(stack, 'Certficate', {
+      domainName: 'test.example.com',
+      keyAlgorithm: KeyAlgorithm.EC_SECP384R1,
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      KeyAlgorithm: 'EC_secp384r1',
+    });
+  });
+});
+
 function hasTags(expectedTags: Array<{Key: string, Value: string}>) {
   return {
     Properties: {
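Review bot: The new `Key Algorithm setting` block only exercises the three explicit enum values and never checks the documented default path, so a future change that started emitting `KeyAlgorithm` when `keyAlgorithm` is omitted (or emitted a wrong fallback) would pass this suite. A fourth test asserting that the property is absent when `keyAlgorithm` is not given pins that contract, and `Match` is already imported at the top of the file for exactly this. The construct id `'Certficate'` in all three tests is also misspelled; it is only a logical-id seed here, but `'Certificate'` reads better and matches the other tests' naming.
```typescript
  test('no KeyAlgorithm property when keyAlgorithm is omitted', () => {
    const stack = new Stack();

    new Certificate(stack, 'Certificate', {
      domainName: 'test.example.com',
    });

    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
      KeyAlgorithm: Match.absent(),
    });
  });
  // … unchanged: the three explicit-algorithm tests …
```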